Search

CN-122027178-A - Bidirectional identity authentication method and device

CN122027178ACN 122027178 ACN122027178 ACN 122027178ACN-122027178-A

Abstract

The application provides a bidirectional identity authentication method and a device thereof, and relates to the technical fields of information security and navigation. The method comprises the steps of sending a terminal access request to a key management platform, wherein the terminal access request at least carries a terminal identification, a time stamp and a first signature result to be verified, which correspond to a user terminal, receiving an access success response sent by the key management platform, analyzing the access success response to obtain a random number and a second signature result to be verified, which are carried by the access success response, generating a second target signature result based on a platform public key, the time stamp and the random number of the key management platform, and determining that the user terminal and the key management platform pass through bidirectional identity authentication in response to the fact that the second signature result to be verified and the second target signature result are equal. The application enhances the safety and reduces the risks of counterfeiting and malicious attack through bidirectional identity authentication.

Inventors

  • LIU WEI
  • HE QUAN
  • RAO JIANBING

Assignees

  • 中国星网网络创新研究院有限公司

Dates

Publication Date
20260512
Application Date
20241112

Claims (19)

  1. 1. A two-way identity authentication method performed by a user terminal, comprising: a terminal access request is sent to a key management platform, wherein the terminal access request at least carries a terminal identifier, a time stamp and a first signature result to be verified, which correspond to a user terminal; receiving an access success response sent by the key management platform, and analyzing the access success response to obtain a random number carried by the access success response and a second signature result to be verified; Generating a second target signature result based on a platform public key of the key management platform, the timestamp and the random number; and determining that the user terminal and the key management platform pass the bidirectional identity authentication according to the second signature result to be verified and the second target signature result.
  2. 2. The method according to claim 1, further comprising obtaining a root key after parsing the access success response, and further comprising, after determining that the user terminal and the key management platform pass bidirectional identity authentication: generating a user key corresponding to the user terminal based on the root key and the random number, wherein the user key comprises an encryption key and an integrity key; Receiving a navigation message, wherein the navigation message at least comprises a target message authentication code and a key to be verified; Encrypting the target message authentication code based on the user key, and generating an authentication key request according to the encrypted target message authentication code; Sending the authentication key request to the key management platform; and receiving an authentication key response message sent by the key management platform, and judging whether the navigation message passes authentication or not based on the authentication key response message and the key to be verified.
  3. 3. The method of claim 2, wherein said determining whether the navigation message is authenticated based on the authentication key response message in combination with the key to be verified comprises: Decrypting the authentication key response message based on the user key to obtain an authentication key; and determining that the navigation message passes authentication in response to the authentication key being equal to the key to be verified.
  4. 4. A method according to claim 3, wherein the navigation messages in different preset time periods carry different target message authentication codes and different keys to be verified.
  5. 5. The method of claim 4, wherein a bi-directional communication link between the user terminal and the key management platform, and wherein link times of navigation links corresponding to the user terminal remain synchronized continuously.
  6. 6. The method according to claim 1, wherein the method further comprises: and receiving an access failure response sent by the key management platform, wherein the access failure response indicates that the terminal access request fails to pass the validity check at the key management platform side.
  7. 7. The method according to claim 1, wherein the method further comprises: Responding to the second signature result to be verified and the second target signature result to be unequal, determining that the user terminal and the key management platform do not pass the bidirectional identity authentication, and generating a bidirectional authentication failure response; And sending the bidirectional authentication failure response to the key management platform.
  8. 8. The method according to any one of claims 1-7, wherein the process of obtaining the first signature result to be verified comprises: and calculating the time stamp according to the terminal private key of the user terminal to obtain the first signature result to be verified.
  9. 9. The method of claim 8, wherein the communication between the user terminal and the key management platform is transparently forwarded via a low orbit satellite.
  10. 10. A two-way identity authentication method performed by a key management platform, comprising: receiving a terminal access request sent by a user terminal; Analyzing the terminal access request to acquire a terminal identifier, a time stamp and a first signature result to be verified, which are carried by the terminal access request; performing validity check on the terminal identifier, and after the validity check is passed, calculating the timestamp according to a terminal public key corresponding to the user terminal to obtain a first target signature result; Generating an access success response in response to the first signature result to be verified and the first target signature result being equal, wherein the access success response carries a second signature result to be verified corresponding to the key management platform; And sending the access success response to the user terminal.
  11. 11. The method of claim 10, wherein generating an access success response comprises: Acquiring a random number and generating a root key based on the random number; generating a second signature result to be verified based on a platform private key of the key management platform, the time stamp and the random number; and generating an access success response based on the random number, the root key and the second signature result to be verified.
  12. 12. The method according to claim 11, wherein the method further comprises: Receiving an authentication key request sent by the user terminal, wherein the authentication key request is generated by the user terminal based on a target message authentication code carried in a received navigation message; Decrypting the authentication key request based on a user key corresponding to the user terminal to acquire a target message authentication code carried by the authentication key request, wherein the user key is generated based on the root key and the random number in a computing way, and comprises an encryption key and an integrity key; Obtaining a mapping relation between a candidate message authentication code and a candidate authentication key, and inquiring the mapping relation based on the target message authentication code to determine an authentication key; Encrypting the authentication key based on the user key to generate an authentication key response message, and transmitting the authentication key response message to the user terminal.
  13. 13. The method according to any one of claims 10-12, further comprising: responding to the first signature result to be verified and the first target signature result to be unequal, determining that the terminal access request fails the validity check, and generating an access failure response; And sending the access failure response to the user terminal.
  14. 14. The method according to any one of claims 10-12, further comprising: and receiving a two-way authentication failure response sent by the user terminal, wherein the two-way authentication failure response indicates that the user terminal and the key management platform do not pass two-way identity authentication.
  15. 15. A two-way identity authentication device configured in a user terminal, comprising: The terminal access request at least carries a terminal identifier, a time stamp and a first signature result to be verified, which correspond to the user terminal; the receiving module is used for receiving the access success response sent by the key management platform, analyzing the access success response to obtain a random number carried by the access success response and a second signature result to be verified; The generation module is used for generating a second target signature result based on a platform public key of the key management platform, the time stamp and the random number; and the judging module is used for responding to the second signature result to be verified and the second target signature result to be equal, and determining that the user terminal and the key management platform pass the bidirectional identity authentication.
  16. 16. A two-way identity authentication device configured on a key management platform, comprising: the receiving module is used for receiving a terminal access request sent by the user terminal; the analysis module is used for analyzing the terminal access request and acquiring a terminal identifier, a time stamp and a first signature result to be verified carried by the terminal access request; The calculation module is used for carrying out validity check on the terminal identifier, and after the validity check is passed, calculating the timestamp according to the terminal public key corresponding to the user terminal to obtain a first target signature result; The generation module is used for responding to the fact that the first signature result to be verified is equal to the first target signature result, and generating an access success response, wherein the access success response carries a second signature result to be verified corresponding to the key management platform; And the sending module is used for sending the access success response to the user terminal.
  17. 17. An electronic device, comprising: at least one processor, and A memory communicatively coupled to the at least one processor, wherein, The memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-9 or 10-14.
  18. 18. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of any one of claims 1-9 or 10-14.
  19. 19. A computer program product comprising a computer program which, when executed by a processor, implements the steps of the method according to any of claims 1-9 or 10-14.

Description

Bidirectional identity authentication method and device Technical Field The application relates to the technical fields of information security and navigation, in particular to a bidirectional identity authentication method and a device thereof. Background Conventional navigation systems rely primarily on one-way authentication to determine the location of a user by receiving satellite signals. This mechanism has significant drawbacks. First, the singleness and susceptibility of the navigation signal makes the user vulnerable to fraud and malicious interference during use. An attacker can lead to positioning errors by transmitting spurious signals and even guide the user to dangerous areas. Second, while conventional systems are relatively powerful in verifying communications between users and satellites, verification of satellite-side identity is relatively weak and lacks effective enhancements. This makes the navigation system vulnerable to attacks by malicious satellites. In addition, one-way authentication may also lead to privacy disclosure of user location information, which may be acquired and misused by malicious third parties during transmission. Disclosure of Invention The disclosure provides a bidirectional identity authentication method and a device thereof, which at least solve the problem that users are easy to be deceptively and maliciously interfered and attacked in the use process in the related technology. The embodiment of the first aspect of the application provides a bidirectional identity authentication method which is executed by a user terminal and comprises the steps of sending a terminal access request to a key management platform, wherein the terminal access request at least carries a terminal identifier, a time stamp and a first signature result to be authenticated, which correspond to the user terminal, receiving an access success response sent by the key management platform, analyzing the access success response to obtain a random number and a second signature result to be authenticated carried by the access success response, generating a second target signature result based on a platform public key, the time stamp and the random number of the key management platform, and determining that the user terminal and the key management platform pass bidirectional identity authentication in response to the fact that the second signature result to be authenticated is equal to the second target signature result. According to one embodiment of the application, a root key is obtained after analyzing the successful response of the access, and after the user terminal and the key management platform pass the bidirectional identity authentication, the method further comprises the steps of generating a user key corresponding to the user terminal based on the root key and the random number, wherein the user key comprises an encryption key and an integrity key, receiving a navigation message, wherein the navigation message at least comprises a target message authentication code and a key to be verified, encrypting the target message authentication code based on the user key and generating an authentication key request according to the encrypted target message authentication code, sending the authentication key request to the key management platform, receiving an authentication key response message sent by the key management platform, and judging whether the navigation message passes the authentication or not based on the authentication key response message and the key to be verified. According to one embodiment of the application, judging whether the navigation message passes authentication or not based on the authentication key response message and the key to be verified comprises decrypting the authentication key response message based on the user key to obtain the authentication key, and determining that the navigation message passes authentication in response to the authentication key being equal to the key to be verified. According to one embodiment of the application, navigation messages within different preset time periods carry different target message authentication codes and different keys to be verified. According to one embodiment of the application, the link time of the bi-directional communication link between the user terminal and the key management platform, and the navigation link corresponding to the user terminal, is kept in synchronization continuously. According to one embodiment of the application, the two-way identity authentication method further comprises the step of receiving an access failure response sent by the key management platform, wherein the access failure response indicates that the access request of the terminal at the key management platform side fails to pass the validity check. According to one embodiment of the application, the two-way identity authentication method further comprises the steps of responding to the fact that the second signature result to b