Disclosure of Invention
In view of the above, the present invention aims to provide a device trusted access method, device and storage medium, which can ensure that only a device to be accessed has legal and true identity and can access to a system. The specific scheme is as follows:
in a first aspect, the application discloses a device trusted access method, which is applied to a device to be accessed, and comprises the following steps:
Generating a first random number based on a first preset random number generation algorithm, and encrypting the first random number by utilizing a management end public key obtained in advance based on an elliptic curve public key cryptography algorithm to generate a key negotiation request;
The key negotiation request is sent to a management end to obtain a key negotiation result returned by the management end, wherein the key negotiation result comprises an encrypted second random number, and the encrypted second random number is obtained by encrypting the second random number by using a device public key of the device to be accessed;
resolving the key negotiation result to obtain the second random number by using the device public key, and generating a first access password based on the first random number and the second random number;
Generating a target connection request based on the first access password and the equipment ID of the equipment to be accessed, and sending the target connection request to the management end, so as to carry out identity verification on the equipment to be accessed through the management end based on the equipment ID in the target connection request, the first access password and the second access password stored by the management end, if the identity verification is passed, allowing the equipment to be accessed to the management end, and generating a corresponding connection result representing successful connection when the access is successful;
and acquiring the connection result returned by the management end.
Optionally, before the generating the first random number based on the first preset random number generating algorithm, the method further includes:
generating a registration policy acquisition request based on basic information of the equipment to be accessed, wherein the basic information comprises an IP address, a MAC address, an equipment identifier and user information of the equipment to be accessed;
the registration policy acquisition request is sent to the management terminal to acquire a corresponding target registration policy, wherein the target registration policy comprises information to be reported and an information reporting mode corresponding to the equipment to be accessed;
Generating a device registration request based on the target registration policy and the registration information, the device information and the device public key of the device to be accessed;
The equipment registration request is sent to the management end, so that the management end performs registration information verification on registration information of the equipment to be accessed based on the equipment registration request, if the equipment to be accessed passes the registration information verification, a certificate issuing mechanism is applied for equipment certificates of the equipment to be accessed, and the equipment certificates returned by the certificate issuing mechanism are stored locally at the management end;
sending a registration result acquisition request to the management end to acquire a registration result returned by the management end;
the registration result comprises the equipment ID, the equipment certificate and a management end certificate, wherein the equipment certificate comprises the equipment information and the equipment public key, and the management end certificate comprises the management end public key.
Optionally, the process of generating the key negotiation result by the management end includes:
The management end decrypts the key negotiation request to obtain the first random number and generates the second random number;
The management end generates a second access password based on the first random number and the second random number by using a preset access password generation algorithm, and stores the second access password locally;
And the management end determines the equipment public key based on the locally stored equipment certificate, and encrypts the second random number by utilizing the equipment public key based on elliptic curve public key cryptographic algorithm to generate a key negotiation result corresponding to the key negotiation request.
Optionally, the generating the first access password based on the first random number and the second random number includes:
And generating a first access password based on the first random number and the second random number by using the preset access password generation algorithm.
Optionally, the preset access password generation algorithm is an MD5HEX algorithm.
Optionally, the device public key is a device public key generated by the device to be accessed by using elliptic curve public key cryptographic algorithm.
Optionally, the device trusted access method further includes:
And if the equipment to be accessed does not pass the identity verification, prohibiting the equipment to be accessed from accessing the management end through the management end, and returning a connection result representing connection failure to the equipment to be accessed.
In a second aspect, the present application discloses a device trusted access apparatus, applied to a device to be accessed, comprising:
The negotiation request generation module is used for generating a first random number based on a first preset random number generation algorithm, and encrypting the first random number based on an elliptic curve public key cryptography algorithm by utilizing a pre-acquired management end public key so as to generate a key negotiation request;
The negotiation result acquisition module is used for sending the key negotiation request to a management end to acquire a key negotiation result returned by the management end, wherein the key negotiation result comprises an encrypted second random number, and the encrypted second random number is a result obtained by encrypting the second random number by using a device public key of the device to be accessed;
The first password generation module is used for analyzing the key negotiation result to acquire the second random number by using the device public key and generating a first access password based on the first random number and the second random number;
The device access module is used for generating a target connection request based on the first access password and the device ID of the device to be accessed, sending the target connection request to the management end, checking the identity of the device to be accessed through the management end based on the device ID in the target connection request, the first access password and the second access password stored by the management end, and allowing the device to be accessed to access the management end if the identity check is passed, and generating a corresponding connection result representing successful connection when the access is successful;
And the connection result acquisition module is used for acquiring the connection result returned by the management end.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
and the processor is used for executing the computer program to realize the device trusted access method.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program, wherein the computer program when executed by a processor implements the aforementioned device trusted access method.
The method comprises the steps of generating a first random number by equipment to be accessed based on a first preset random number generation algorithm when the equipment to be accessed passes through a management end access system, encrypting the first random number by utilizing a management end public key obtained in advance based on an elliptic curve public key cryptographic algorithm to generate a key negotiation request, sending the key negotiation request to a management end to obtain a key negotiation result returned by the management end, wherein the key negotiation result comprises an encrypted second random number, the encrypted second random number is obtained by encrypting the second random number by utilizing an equipment public key of the equipment to be accessed, analyzing the key negotiation result to obtain the second random number by utilizing the equipment public key, generating a first access password by utilizing the first random number and the second random number, generating a target connection request by utilizing the first access password and an equipment ID of the equipment to be accessed, sending the target connection request to the management end, and obtaining a corresponding authentication result by the management end through the management end and successfully verifying the successful access of the equipment to be accessed when the equipment to be accessed is successfully connected and the management end is successfully connected. The method comprises the steps that when equipment is accessed, an elliptic curve public key cryptographic algorithm is utilized, equipment to be accessed encrypts a first random number R1 needing to be exchanged by using a public key of a management end, the management end can decrypt the R1 in the key negotiation request by using a key of the management end after receiving the key negotiation request, then generates a second random number R2, encrypts the R2 by using the equipment key, generates a key negotiation result by using the encrypted R2 and returns the key negotiation result to the equipment to be accessed, the equipment to be accessed can learn the R2 by using the equipment key after acquiring the key negotiation result, then the equipment to be accessed can generate a corresponding first access password by using the R1 and the R2, information such as the first access password, the equipment ID and the like is transmitted to the management end as a target connection request, and the management end can check the equipment ID and the first access password by using a second access password which is locally stored by the management end and is based on the R1 and the R2 (namely identity check of the equipment to be accessed). If the verification is passed, the device to be accessed is a real and legal device, the device to be accessed is allowed to be accessed to the management end, and then the management end returns a corresponding connection result to the device to be accessed. In this process, since the illegal device does not know the device public key of the device to be accessed and also does not know the management end public key of the management end, even if the encryption algorithm of the variables R1 and R2 exchanged between the device to be accessed and the management end is known to be elliptic curve public key cryptographic algorithm, the access password is generated based on R1 and R2, and the illegal device knows the generation algorithm of the access password, the two random numbers R1 and R2 and the corresponding access password cannot be cracked, and cannot be disguised to be in butt joint between the device to be accessed and the management end, thereby ensuring that only the device to be accessed with legal and real identity can access the system.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the process of designing various information systems, communication data between equipment and a management end needs to be encrypted and transmitted, and meanwhile, the correctness of identities of the equipment and the management end needs to be ensured in the process of establishing connection between the equipment and the management end so as to prevent unauthorized equipment from accessing the system or accessing sensitive data. The MQTT is provided with a related safety protection design at a protocol layer, the protocol sets userName and a password field in a connection message, and the password is in a Byte array format and supports the input of passwords in any format. The traditional MQTT protocol transmission mode is to carry out encryption transmission by setting userName and a password, wherein userName is a device ID, and the password is a secret key. The common secret key is a fixed shared secret key or is encrypted by introducing AES (advanced encryption standard) symmetry, and the common secret key is a fixed shared secret key or is encrypted by introducing AES symmetry, so that the illegal equipment can completely steal the equipment ID and the fixed secret key to perform counterfeit attack, the illegal equipment knows the equipment ID and simultaneously knows a secret key algorithm, and after the equipment exchanges two variables with a management end, the session secret key can be generated by means of simulation to perform counterfeit attack. In order to solve the technical problems, the application discloses a device trusted access method which can ensure that only the device to be accessed can be accessed into a system, wherein the identity of the device is legal and real.
Referring to fig. 1, the embodiment of the invention discloses a device trusted access method, which is applied to a device to be accessed and comprises the following steps:
step S11, a first random number is generated based on a first preset random number generation algorithm, and the first random number is encrypted by a management end public key obtained in advance based on an elliptic curve public key cryptography algorithm to generate a key negotiation request.
In the method, before the device to be accessed is trusted, device registration is needed, as shown in fig. 2, the specific process of device registration can include generating a registration policy acquisition request based on basic information of the device to be accessed, the basic information including an IP (Internet Protocol , internet protocol) Address, a MAC Address (MEDIA ACCESS Control Address), a device identifier and user information of the device to be accessed, sending the registration policy acquisition request to a management end to acquire a corresponding target registration policy, the target registration policy including information to be reported and an information reporting manner corresponding to the device to be accessed, generating a device registration request based on the target registration policy and the registration information of the device to be accessed, the device information and a public key of the device to be accessed, sending the device registration request to the management end so that the management end performs registration information verification based on the registration information of the device to be accessed, applying a device certificate of the device to be accessed to a certificate issuing authority if the device to be accessed passes the registration information verification, and storing the device certificate returned by the certificate issuing authority in the management end local, sending the registration result acquisition request to the management end so as to acquire the management end, wherein the registration result includes a certificate and a public key of the device to be accessed, and the public key of the device to be accessed includes the device certificate and the public key of the device to be registered. The device public key may be a device public key generated by the device to be accessed by using an elliptic curve public key cryptography algorithm (i.e. a national secret SM2 algorithm). The device registration can enable the management end to locally reserve the device public key of the device to be accessed, and meanwhile the device to be accessed can also reserve the management end public key, so that the management end can encrypt information needing to be decrypted by the device public key, and the device to be accessed can encrypt information needing to be decrypted by the management end public key, namely, encrypt variables needing to be exchanged by the key of the other party.
In this embodiment, as shown in fig. 3, trusted access may be performed after the device to be accessed is registered. The device to be accessed generates a first random number R1 based on a first preset random number generation algorithm, and encrypts the first random number based on an elliptic curve public key cryptography algorithm by utilizing a pre-acquired management end public key to generate a key negotiation request. Wherein the management end public key is contained in the management end certificate, and the management end certificate is contained in the registration result returned by the management end in the registration process.
Step S12, the key negotiation request is sent to a management end to obtain a key negotiation result returned by the management end, the key negotiation result comprises an encrypted second random number, and the encrypted second random number is obtained by encrypting the second random number by using the device public key of the device to be accessed.
In this embodiment, after obtaining a key negotiation request sent by a device to be accessed, the management end returns a corresponding key negotiation result according to the key negotiation request. In a specific embodiment, as shown in fig. 3, the process of generating the key negotiation result by the management end may include the management end decrypting the key negotiation request to obtain the first random number R1 and generate the second random number R2, the management end generating the second access password sKey based on the first random number and the second random number by using a preset access password generation algorithm and storing the second access password locally, the management end determining the device public key based on the locally stored device certificate and encrypting the second random number based on an elliptic curve public key cryptographic algorithm by using the device public key to generate the key negotiation result corresponding to the key negotiation request. The key negotiation result returned by the management end contains an encrypted second random number, wherein the encrypted second random number is obtained by encrypting the second random number by using the device public key of the device to be accessed, and the algorithm for encrypting the second random number by the management end can also be an elliptic curve public key cryptographic algorithm.
And S13, analyzing the key negotiation result to acquire the second random number by using the device public key, and generating a first access password based on the first random number and the second random number.
In this embodiment, after obtaining the key negotiation result, the device to be accessed analyzes the key negotiation result, decrypts the key negotiation result by using the local device public key to obtain the second random number R2, and then generates the first access password sKey1 based on the first random number and the second random number by using a preset access password generation algorithm. It can be understood that the preset access password generation algorithm for generating the first access password by the device to be accessed and the preset access password generation algorithm for generating the second access password by the management end are the same, and may be MD5HEX (a widely used hash function) algorithm.
Step S14, a target connection request is generated based on the first access password and the equipment ID of the equipment to be accessed, the target connection request is sent to the management end, so that the management end can carry out identity verification on the equipment to be accessed based on the equipment ID in the target connection request, the first access password and the second access password stored by the management end, if the identity verification is passed, the equipment to be accessed is allowed to access the management end, and when the access is successful, a corresponding connection result representing the successful connection is generated.
In this embodiment, after sKey is obtained, the device to be accessed generates a target connection request based on sKey and its own device ID, and sends the target connection request to the management end. The management end can determine sKey which is stored locally based on the device ID after receiving the target connection request, then uses sKey2 and sKey1 to carry out identity verification on the device to be accessed, if sKey and sKey1 are the same, the device to be accessed is legal and credible, and if the identity verification is passed, the device to be accessed is allowed to access the management end, and when the access is successful, a corresponding connection result representing the success of the connection is generated. If the equipment to be accessed does not pass the identity verification, the management end can prohibit the equipment to be accessed from accessing the management end, and a connection result representing connection failure is returned to the equipment to be accessed. In this process, the device ID takes the role userName, while sKey1 is a password. Identity verification of the device to be accessed can be achieved by verifying whether userName and the password correspond to each other.
And S15, acquiring the connection result returned by the management end.
In this embodiment, the device to be accessed acquires the connection result returned by the management end, which indicates that the connection operation is completed, and if the connection result is a response result indicating that the connection is successful, it indicates that the device to be accessed has been successfully accessed to the management end and the corresponding system.
The method comprises the steps that when equipment is accessed, an elliptic curve public key cryptographic algorithm is utilized, equipment to be accessed encrypts a first random number R1 needing to be exchanged by using a public key of a management end, the management end can decrypt the R1 in the key negotiation request by using a key of the management end after receiving the key negotiation request, then generates a second random number R2, encrypts the R2 by using the equipment key, generates a key negotiation result by using the encrypted R2 and returns the key negotiation result to the equipment to be accessed, the equipment to be accessed can learn the R2 by using the equipment key after acquiring the key negotiation result, then the equipment to be accessed can generate a corresponding first access password by using the R1 and the R2, information such as the first access password, the equipment ID and the like is transmitted to the management end as a target connection request, and the management end can check the equipment ID and the first access password by using a second access password which is locally stored by the management end and is based on the R1 and the R2 (namely identity check of the equipment to be accessed). If the verification is passed, the device to be accessed is a real and legal device, the device to be accessed is allowed to be accessed to the management end, and then the management end returns a corresponding connection result to the device to be accessed. In this process, since the illegal device does not know the device public key of the device to be accessed and also does not know the management end public key of the management end, even if the encryption algorithm of the variables R1 and R2 exchanged between the device to be accessed and the management end is known to be elliptic curve public key cryptographic algorithm, the access password is generated based on R1 and R2, and the illegal device knows the generation algorithm of the access password, the two random numbers R1 and R2 and the corresponding access password cannot be cracked, and cannot be disguised to be in butt joint between the device to be accessed and the management end, thereby ensuring that only the device to be accessed with legal and real identity can access the system.
Referring to fig. 4, the application discloses a device trusted access device, which is applied to a device to be accessed, and comprises:
The negotiation request generation module 11 is configured to generate a first random number based on a first preset random number generation algorithm, and encrypt the first random number based on an elliptic curve public key cryptography algorithm by using a management end public key acquired in advance to generate a key negotiation request;
The negotiation result obtaining module 12 is configured to send the key negotiation request to a management end to obtain a key negotiation result returned by the management end, where the key negotiation result includes an encrypted second random number, and the encrypted second random number is a result obtained by encrypting the second random number with a device public key of the device to be accessed;
a first password generation module 13, configured to parse the key negotiation result to obtain the second random number with the device public key, and generate a first access password based on the first random number and the second random number;
The device access module 14 is configured to generate a target connection request based on the first access password and a device ID of the device to be accessed, and send the target connection request to the management end, so that the management end performs identity verification on the device to be accessed based on the device ID in the target connection request, the first access password and a second access password stored by the management end, and if the identity verification is passed, the device to be accessed is allowed to access the management end, and when the access is successful, a corresponding connection result representing that the connection is successful is generated;
and the connection result obtaining module 15 is used for obtaining the connection result returned by the management end.
The method comprises the steps that when equipment is accessed, an elliptic curve public key cryptographic algorithm is utilized, equipment to be accessed encrypts a first random number R1 needing to be exchanged by using a public key of a management end, the management end can decrypt the R1 in the key negotiation request by using a key of the management end after receiving the key negotiation request, then generates a second random number R2, encrypts the R2 by using the equipment key, generates a key negotiation result by using the encrypted R2 and returns the key negotiation result to the equipment to be accessed, the equipment to be accessed can learn the R2 by using the equipment key after acquiring the key negotiation result, then the equipment to be accessed can generate a corresponding first access password by using the R1 and the R2, information such as the first access password, the equipment ID and the like is transmitted to the management end as a target connection request, and the management end can check the equipment ID and the first access password by using a second access password which is locally stored by the management end and is based on the R1 and the R2 (namely identity check of the equipment to be accessed). If the verification is passed, the device to be accessed is a real and legal device, the device to be accessed is allowed to be accessed to the management end, and then the management end returns a corresponding connection result to the device to be accessed. In this process, since the illegal device does not know the device public key of the device to be accessed and also does not know the management end public key of the management end, even if the encryption algorithm of the variables R1 and R2 exchanged between the device to be accessed and the management end is known to be elliptic curve public key cryptographic algorithm, the access password is generated based on R1 and R2, and the illegal device knows the generation algorithm of the access password, the two random numbers R1 and R2 and the corresponding access password cannot be cracked, and cannot be disguised to be in butt joint between the device to be accessed and the management end, thereby ensuring that only the device to be accessed with legal and real identity can access the system.
In a specific embodiment, the apparatus may further include:
the policy acquisition request generation module is used for generating a registration policy acquisition request based on basic information of the equipment to be accessed, wherein the basic information comprises an IP address, a MAC address, an equipment identifier and user information of the equipment to be accessed;
The policy acquisition request sending module is used for sending the registration policy acquisition request to the management end to acquire a corresponding target registration policy, wherein the target registration policy comprises information to be reported and an information reporting mode corresponding to the equipment to be accessed;
A registration request generation module, configured to generate a device registration request based on the target registration policy and registration information, device information, and a device public key of the device to be accessed;
A registration request sending module, configured to send the device registration request to the management end, so that the management end performs registration information verification on registration information of the device to be accessed based on the device registration request, and if the device to be accessed passes the registration information verification, applies for a device certificate of the device to be accessed to a certificate issuing mechanism, and stores the device certificate returned by the certificate issuing mechanism in a local area of the management end;
the registration result acquisition module is used for sending a registration result acquisition request to the management end so as to acquire a registration result returned by the management end;
the registration result comprises the equipment ID, the equipment certificate and a management end certificate, wherein the equipment certificate comprises the equipment information and the equipment public key, and the management end certificate comprises the management end public key.
In a specific embodiment, the management end may specifically include:
a request decryption module, configured to decrypt the key negotiation request to obtain the first random number;
The random number generation module is used for generating the second random number;
The second password generation module is used for generating a second access password based on the first random number and the second random number by using a preset access password generation algorithm, and storing the second access password locally;
and the negotiation result generation module is used for determining the equipment public key based on the locally stored equipment certificate, and encrypting the second random number by utilizing the equipment public key based on an elliptic curve public key cryptographic algorithm so as to generate a key negotiation result corresponding to the key negotiation request.
In a specific embodiment, the first password generating module 13 may further include:
and the first password generation unit is used for generating a first access password based on the first random number and the second random number by utilizing the preset access password generation algorithm.
In a specific embodiment, the apparatus may further include:
And the identity verification failure operation module is used for prohibiting the equipment to be accessed from accessing the management end through the management end if the equipment to be accessed fails the identity verification, and returning a connection result representing connection failure to the equipment to be accessed.
Further, the embodiment of the present application further discloses an electronic device, and fig. 5 is a block diagram of an electronic device 20 according to an exemplary embodiment, where the content of the figure is not to be considered as any limitation on the scope of use of the present application.
Fig. 5 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may include, in particular, at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input-output interface 25, and a communication bus 26. Wherein the memory 22 is configured to store a computer program that is loaded and executed by the processor 21 to implement relevant steps in the device trusted access method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide working voltages for each hardware device on the electronic device 20, the communication interface 24 is capable of creating a data transmission channel with an external device for the electronic device 20, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein, and the input/output interface 25 is configured to obtain external input data or output data to the external device, and the specific interface type of the input/output interface may be selected according to the specific application needs and is not specifically limited herein.
The memory 22 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, and the resources stored thereon may include an operating system 221, a computer program 222, and the like, and the storage may be temporary storage or permanent storage.
The operating system 221 is used for managing and controlling various hardware devices on the electronic device 20 and the computer program 222, which may be Windows Server, netware, unix, linux, etc. The computer program 222 may further comprise a computer program capable of performing other specific tasks in addition to the computer program capable of performing the device trusted access method performed by the electronic device 20 as disclosed in any of the embodiments above.
Furthermore, the application also discloses a computer readable storage medium for storing a computer program, wherein the computer program realizes the device trusted access method when being executed by a processor. For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.
While the foregoing has been provided to illustrate the principles and embodiments of the present application, specific examples have been provided herein to assist in understanding the principles and embodiments of the present application, and are intended to be in no way limiting, for those of ordinary skill in the art will, in light of the above teachings, appreciate that the principles and embodiments of the present application may be varied in any way.