Search

CN-121984686-A - Device binding and authentication method and device based on multi-stage certificate chain

CN121984686ACN 121984686 ACN121984686 ACN 121984686ACN-121984686-A

Abstract

The application provides a device binding and authentication method and device based on a multi-stage certificate chain, the scheme utilizes the derivative of digital certificates, the binding is realized through the derivative relation of the certificate chain, the security authorization of a host account and a plurality of sharing accounts is realized, different authorities can be provided between the host account and the sharing account, between the sharing account and the sharing account, and different authorities can be realized by a target device terminal through checking and signing different opposite-terminal user certificates, thereby supporting fine-granularity authority control and management, and meanwhile, the binding relation authentication under an offline scene can be realized because the user device and cloud device are not required to be online at the same time in the authentication process.

Inventors

  • YU KAI
  • ZHU ZHUANGHUI
  • YANG SHENG
  • TANG YAJIE

Assignees

  • 上海七十迈数字科技有限公司

Dates

Publication Date
20260505
Application Date
20260316

Claims (12)

  1. 1. A device binding method based on a multi-stage certificate chain, wherein the method is applied to a cloud device, the method comprising: When a binding request from user equipment is acquired, deriving a temporary certificate related to a target user according to a root certificate; The temporary certificate is sent to target equipment to be bound through user equipment; Acquiring a binding certificate and a device certificate to be signed from the user equipment, wherein the binding certificate is generated by signing the temporary certificate by using a device private key after the temporary certificate is signed by the target equipment by using a root public key, and the device certificate is obtained by deriving the root certificate in advance; signing the binding certificate to be signed by using the root private key, and deriving to obtain a master certificate and a corresponding master private key by using the binding certificate after the signing passes; And sending the master certificate and the corresponding master private key to user equipment, and sending the verification result of the binding certificate and/or the binding certificate after verification is passed to the target equipment through the user equipment to complete the binding of the target equipment and the target user.
  2. 2. The method according to claim 1, wherein the method further comprises: when a sharing request from user equipment is obtained, deriving and obtaining a sharing certificate and a corresponding sharing private key according to a master certificate of the user equipment; And sending the sharing certificate and the sharing private key to other user equipment needing to be shared, wherein the authority range and the certificate validity period of the sharing certificate are smaller than or equal to the master certificate.
  3. 3. The method according to claim 2, wherein upon obtaining a sharing request from a user device, obtaining a sharing certificate and its corresponding sharing private key according to a master certificate derivative of the user device, comprises: when a sharing request from user equipment is obtained, a sharing certificate and a corresponding sharing private key thereof are obtained according to the derivative of the master certificate of the user equipment, and the authority range and/or the certificate validity period of the sharing certificate are set according to the authority information in the sharing request.
  4. 4. A device binding method based on a multi-stage certificate chain, the method being applied to a user device, the method comprising: After being connected with target equipment to be bound, the cloud equipment initiates a binding request to the cloud equipment so that the cloud equipment obtains a temporary certificate related to a target user according to root certificate derivation; Acquiring the temporary certificate from the cloud device, and sending the temporary certificate to target equipment to be bound, so that the target equipment signs the temporary certificate by using a device private key after the temporary certificate is signed by using a root public key to generate a binding certificate to be signed, wherein the device certificate is obtained by deriving the root certificate in advance; acquiring a binding certificate and a device certificate to be signed from the target device, and sending the binding certificate and the device certificate to be signed to a cloud device, so that the cloud device uses a root private key to sign the binding certificate to be signed, and after the sign verification is passed, deriving a master certificate and a corresponding master private key by using the binding certificate; acquiring a master certificate, a corresponding master private key and a verification result of the binding certificate and/or the binding certificate after verification passes from cloud equipment; And sending the verification result of the binding certificate and/or the binding certificate after the verification is passed to the target equipment to finish the binding of the target equipment and the target user.
  5. 5. The method according to claim 4, wherein the method further comprises: And sending a sharing request to the cloud device according to a sharing instruction of a user, so that the cloud device obtains a sharing certificate and a corresponding sharing private key according to the derivative of the master certificate of the user device, and sends the sharing certificate and the sharing private key to other user devices needing to be shared, wherein the authority range and the valid period of the sharing certificate are smaller than or equal to the master certificate.
  6. 6. A device binding method based on a multi-level certificate chain, the method being applied to a target device, the method comprising: connecting with user equipment for binding; after the user equipment initiates a binding request to the cloud equipment, acquiring a temporary certificate, which is derived by the cloud equipment according to a root certificate, about a target user from the user equipment; after the temporary certificate passes the verification by using the root public key, signing the temporary certificate by using the equipment private key to generate a binding certificate to be verified, wherein the equipment certificate is obtained by deriving the root certificate in advance; The method comprises the steps that a binding certificate to be checked and a device certificate are sent to cloud equipment through user equipment, so that the cloud equipment uses a root private key to check the binding certificate to be checked, after checking is passed, the binding certificate is used for deriving to obtain a master certificate and a corresponding master private key, and the master certificate, the corresponding master private key and a checking result of the binding certificate and/or the binding certificate after checking is passed are sent to the user equipment; and acquiring a verification result of the binding certificate and/or the binding certificate after verification passes from the user equipment to finish the binding of the target equipment and the target user.
  7. 7. A device authentication method based on a multi-stage certificate chain, wherein binding is completed between a target device and a target user by adopting the device binding method according to any one of claims 1 to 6, the device authentication method is applied to a cloud device, and the device authentication method comprises: obtaining an opposite-end user certificate of a target user, generating an opposite-end random value, and sending the opposite-end user certificate and the opposite-end random value to target equipment, wherein the opposite-end user certificate comprises a master certificate or a sharing certificate, the sharing certificate is derived from the master certificate of the user equipment, the target equipment uses a binding certificate to check the received opposite-end user certificate, and the equipment random value is generated after the checking passes; Acquiring a device random value from the target device; and generating a common key by using a private key of the opposite-end certificate and a public key of the equipment through a key negotiation algorithm, and generating a session key for encrypting the communication link by using the common key, the opposite-end random value and the equipment random value, wherein the private key of the opposite-end certificate comprises a private key corresponding to a master certificate or a sharing certificate.
  8. 8. A device authentication method based on a multi-stage certificate chain, wherein binding is completed between a target device and a target user by using the device binding method according to any one of claims 1 to 6, the device authentication method being applied to a user device, the device authentication method comprising: obtaining an opposite-end user certificate of a target user, generating an opposite-end random value, and sending the opposite-end user certificate and the opposite-end random value to target equipment, wherein the opposite-end user certificate comprises a master certificate or a sharing certificate, the sharing certificate is derived from the master certificate of the user equipment, the target equipment uses a binding certificate to check the received opposite-end user certificate, and the equipment random value is generated after the checking passes; Acquiring a device random value from the target device; Generating a common key by using a private key of a certificate of the opposite end and a public key of equipment through a preset key negotiation algorithm, and generating a session key for encrypting and decrypting a communication link by using the common key, the random value of the opposite end and the random value of the equipment, wherein the private key of the certificate of the opposite end comprises a private key corresponding to a master certificate or a sharing certificate.
  9. 9. A device authentication method based on a multi-stage certificate chain, wherein binding is completed between a target device and a target user by using the device binding method according to any one of claims 1 to 6, the device authentication method being applied to the target device, the device authentication comprising: Obtaining a peer-to-peer user certificate and a peer-to-peer random value from user equipment and/or cloud equipment, wherein the peer-to-peer user certificate comprises a master certificate or a sharing certificate, the sharing certificate is derived from the master certificate of the user equipment, and the peer-to-peer random value is generated by equipment for providing the peer-to-peer user certificate; Signing the received opposite-end user certificate by using the binding certificate, and generating a device random value after the signing passes; transmitting a device random value to user equipment and/or cloud equipment; And generating a common key by using a public key of the opposite-end certificate and a private key of the equipment through a preset key negotiation algorithm, and generating a session key for encrypting and decrypting the communication link by using the common key, the opposite-end random value and the equipment random value, wherein the public key of the opposite-end certificate comprises a public key corresponding to a master certificate or a sharing certificate.
  10. 10. The method according to any of claims 7 to 9, wherein the key agreement algorithm comprises an ECDH algorithm.
  11. 11. A computing device comprising a memory for storing computer program instructions and a processor for executing the computer program instructions, wherein the computer program instructions, when executed by the processor, trigger the device to perform the method of any one of claims 1 to 10.
  12. 12. A computer readable medium having stored thereon computer program instructions executable by a processor to implement the method of any of claims 1 to 10.

Description

Device binding and authentication method and device based on multi-stage certificate chain Technical Field The present application relates to the field of information technologies, and in particular, to a device binding and authentication method and device based on a multi-level certificate chain. Background Along with the rapid development of information technology, the use of various terminal devices such as intelligent bracelets, intelligent doorbell, automobile data recorder, intelligent camera is also becoming more and more popular. When the terminal devices are used, user binding is generally needed through application programs running on the user devices, and authentication is needed based on the binding relation when the terminal devices are used, so that safety problems such as privacy leakage and the like caused by the fact that unbound users use functions of the terminal devices or access data stored on the terminal devices at will are avoided. Taking the smart band and the mobile phone APP as an example, binding and authentication flows in the prior art are shown in fig. 1 and fig. 2 respectively. Wherein, the binding procedure includes: step S101, mobile phone APP scans two-dimensional code and other modes to obtain OOB (Out Of Band) data from the intelligent bracelet, and sends the OOB data and user identification (user_id) to the intelligent bracelet, so that OOB confirmation is completed. In step S102, the smart band generates an AES (Advanced Encryption Standard ) key (aeskey), encrypts a combination of the device identifier (did), the user identifier, and the AES key using an RSA (RSA algorism) public key, and transmits the device identifier and the encrypted content to the mobile APP. Step S103, after obtaining the device identifier and the encrypted first content, the mobile phone APP forwards the first content to the cloud device. Step S104, the cloud device decrypts the received first content by using the RSA private key to obtain a device identifier, a user identifier and an AES key, encrypts a combination of the user identifier and the AES key by using the RSA private key to obtain encrypted second content, and sends the second content to the mobile phone APP. Step S105, after the mobile phone APP obtains the encrypted second content, the encrypted second content is forwarded to the intelligent bracelet. Step S106, the intelligent bracelet decrypts the received second content by using the RSA public key, acquires and stores the user identification and the AES secret key, and then informs the mobile phone APP and the cloud device of the result, so that the binding is completed. The authentication flow comprises the following steps: in step S201, the mobile phone APP encrypts the user identifier that has been successfully bound with the AES key, and then sends the encrypted third content and the user identifier of the plaintext to the smart band. In step S202, the cloud device encrypts the user identifier that has been successfully bound with the AES key, and then sends the encrypted fourth content and the user identifier of the plaintext to the smart band. Step S203, after the intelligent bracelet receives the third content and the fourth content from the mobile phone APP and the cloud terminal equipment respectively, the intelligent bracelet uses an AES key to decrypt the third content and the fourth content respectively, then checks whether two user identifiers obtained by decryption are consistent, if so, authentication is passed, otherwise, authentication fails; step S204, the intelligent bracelet authentication result is fed back to the mobile phone APP and the cloud device. Although binding and authentication of terminal equipment can be realized in the mode, the updating/canceling of the key is complicated, binding and authentication management of multiple users and fine-grained authority control are difficult to support, three-terminal equipment is required to be online at the same time in the authentication process, and binding relation authentication in an offline scene cannot be realized. Disclosure of Invention An object of the present application is to provide a device binding, authentication method and device based on a multi-stage certificate chain. In order to achieve the above object, the present application provides a device binding method based on a multi-level certificate chain, which is characterized in that the method is applied to a cloud device, and the method includes: When a binding request from user equipment is acquired, deriving a temporary certificate related to a target user according to a root certificate; The temporary certificate is sent to target equipment to be bound through user equipment; Acquiring a binding certificate and a device certificate to be signed from the user equipment, wherein the binding certificate is generated by signing the temporary certificate by using a device private key after the temporary certificate is signed by the target