CN-122027164-A - Bidirectional identity authentication method and system for client and lower computer
Abstract
A bidirectional identity authentication method and system for a client and a lower computer relate to the technical field of user identity authentication. In the method, the client generates a first challenge code, derives a temporary key from the current timestamp and the public identifier of the lower computer, and uses the temporary key to encrypt an authentication data block containing the user authentication data and the first challenge code. The lower computer receives the authentication data block, checks that the timestamp is still valid, decrypts the data, and generates a response value from its hardware unique identifier and its local key; at the same time it generates a second challenge code and returns the response value and the second challenge code to the client. The client checks whether the response value matches the expected response; if it does, the client encrypts the second challenge code with the temporary key to produce a confirmation signal and sends it to the lower computer. The lower computer decrypts the confirmation signal and checks that the decrypted data is consistent with the second challenge code. If that check passes, the login session is opened and the temporary key is destroyed.
Inventors
- Request for anonymity
- Request for anonymity
Assignees
- 厦门汉印股份有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260119
Claims (10)
- 1. A bidirectional identity authentication method for a client and a lower computer, characterized by comprising the following steps: the client generates a first challenge code, derives a temporary key from the current timestamp and the public identifier of the lower computer, and encrypts an authentication data block containing user authentication data and the first challenge code with the temporary key; the lower computer receives the authentication data block, verifies the validity of the timestamp, decrypts the data, generates a response value from its hardware unique identifier and its local key, generates a second challenge code at the same time, and returns the response value and the second challenge code to the client; the client verifies whether the response value matches the expected response and, if so, encrypts the second challenge code with the temporary key to generate a confirmation signal and sends the confirmation signal to the lower computer; the lower computer decrypts the confirmation signal and verifies that the decrypted data is consistent with the second challenge code; and if the verification passes, the login session is opened and the temporary key is destroyed.
- 2. The bidirectional identity authentication method for a client and a lower computer according to claim 1, wherein the step of deriving the temporary key is implemented with the PBKDF2 algorithm combined with a SHA-3 hash function, and the input parameters of the PBKDF2 algorithm include the public identifier and the timestamp.
- 3. The bidirectional identity authentication method for a client and a lower computer according to claim 1, wherein encrypting the authentication data block comprises encrypting the authentication data, consisting of the user authentication data and the first challenge code, with the AES-256-GCM algorithm under the temporary key, and attaching the timestamp.
- 4. The bidirectional identity authentication method for a client and a lower computer according to claim 1, wherein the step of generating the first challenge code comprises calling a random number generation function to generate a 32-bit random number as the first challenge code, and the user authentication data includes an account number and a password.
- 5. The bidirectional identity authentication method for a client and a lower computer according to claim 1, wherein the step in which the lower computer receives the authentication data block, verifies the validity of the timestamp and decrypts the data comprises: after receiving the authentication data block, the lower computer checks the validity of the timestamp and refuses authentication if a first duration has been exceeded; if the timestamp is valid, the lower computer decrypts the block with a preset basic key, obtains the first challenge code and the user authentication data, and verifies the user authentication data.
- 6. The bidirectional identity authentication method for a client and a lower computer according to claim 1, wherein the step of generating the response value from the hardware unique identifier and the local key comprises concatenating the hardware unique identifier with the first challenge code and computing the response value over the result with the HMAC-SHA256 algorithm keyed with the local key.
- 7. The bidirectional identity authentication method for a client and a lower computer according to claim 1, wherein the step in which the client verifies the response value comprises: obtaining a preregistered identifier of the lower computer from local storage; concatenating the preregistered identifier with the first challenge code and computing the expected response over the result with the HMAC-SHA256 algorithm keyed with the temporary key; and determining whether the response value equals the expected response.
- 8. A bidirectional identity authentication system comprising a client and a lower computer that can be communicatively connected, characterized by being adapted to perform the bidirectional identity authentication method for a client and a lower computer according to any one of claims 1 to 7, wherein the client comprises an encryption processing module, a first authentication module and a second authentication module, which together generate the first challenge code, derive the temporary key, encrypt the authentication data, send the encrypted authentication data block to the lower computer, verify the response value returned by the lower computer, and generate the confirmation signal; and the lower computer comprises an authentication processing module used to check the timestamp, decrypt the authentication data, generate the response value from the hardware unique identifier, return the second challenge code, decrypt the confirmation signal, and verify its consistency with the second challenge code.
- 9. A client comprising a processor and a memory, the memory storing a computer program which, when executed by the processor, causes the client to perform the steps performed by the client in the two-way authentication method of any one of claims 1 to 7.
- 10. A lower computer comprising a processor and a memory, the memory storing a computer program which, when executed by the processor, causes the lower computer to perform the steps performed by the lower computer in the two-way authentication method of any one of claims 1 to 7.
Description
Technical Field
The invention relates to the technical field of user identity authentication, in particular to a bidirectional identity authentication method and system for a client and a lower computer.
Background
In many scenarios such as industrial control and smart-device interaction, a web page end communicates frequently with a lower computer (an embedded subordinate device). The login procedure transmits sensitive data such as the account number and password, and the legitimacy of both the web page end and the lower computer has to be ensured so as to avoid the security risks of identity impersonation. The procedure must keep the sensitive data from being disclosed or tampered with, and must also suit the limited storage and weak computing power typical of an embedded lower computer; hence the practical need for an authentication scheme that is secure, lightweight and reliable.
Traditionally, data between the web page and the lower computer is transmitted as HTTP plaintext, and login data such as account passwords are sent to the lower computer without encryption. Some scenarios use a unidirectional SSL/TLS authentication scheme, in which the server certificate is verified to secure the transmission. Other schemes preset a fixed encryption key in the lower computer and encrypt the transmitted data with it. These existing methods have been applied in different scenarios in an attempt to solve the security problem of the interaction between the web page end and the lower computer, but they have obvious security defects and insufficient applicability.
With HTTP plaintext transmission, the lack of transport-layer encryption and verification lets a man-in-the-middle intercept the sensitive data, causing information leakage. Unidirectional SSL/TLS authentication verifies only the server certificate and does not authenticate the lower computer, so a forged lower computer can easily harvest the user's credentials; moreover, a certificate system is difficult to deploy and manage on embedded devices. In the hard-coded fixed-key scheme, the static key has no update mechanism, so once it leaks the security of the whole system is void, and long-term continuous attacks cannot be withstood. These problems make it hard for the existing methods to meet at the same time the core requirements of secure data transmission, bidirectional identity confirmation and long-term protection of keys, so they cannot provide comprehensive and reliable security for the interaction between the web page end and the lower computer.
Disclosure of Invention
The invention provides a bidirectional identity authentication method and system for a client and a lower computer in order to address at least one of the technical problems above.
The bidirectional identity authentication method for a client and a lower computer provided by the invention comprises the following steps.
The client generates a first challenge code, derives a temporary key from the current timestamp and the public identifier of the lower computer, and encrypts, with the temporary key, an authentication data block containing the user authentication data and the first challenge code. Preferably, the user authentication data includes an account number and a password.
The lower computer receives the authentication data block, verifies the validity of the timestamp, decrypts the data, and then generates a response value from its hardware unique identifier and its local key. At the same time it generates a second challenge code and returns the response value and the second challenge code to the client. The client verifies whether the response value matches the expected response; if it does, the client encrypts the second challenge code with the temporary key to generate a confirmation signal and sends it to the lower computer. The lower computer decrypts the confirmation signal and verifies that the decrypted data is consistent with the second challenge code. If the verification passes, the login session is opened and the temporary key is destroyed.
As a further scheme of the invention, the step of deriving the temporary key is implemented with the PBKDF2 algorithm combined with a SHA-3 hash function, where the input parameters of the PBKDF2 algorithm include the public identifier and the timestamp. As a further aspect of the invention the step of encrypt