CN112787813B - Identity authentication method based on trusted execution environment - Google Patents
Identity authentication method based on trusted execution environment Download PDFInfo
- Publication number
- CN112787813B CN112787813B CN202110065687.7A CN202110065687A CN112787813B CN 112787813 B CN112787813 B CN 112787813B CN 202110065687 A CN202110065687 A CN 202110065687A CN 112787813 B CN112787813 B CN 112787813B
- Authority
- CN
- China
- Prior art keywords
- challenge
- identity
- authentication
- key
- response
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 35
- 230000004044 response Effects 0.000 claims abstract description 74
- 230000005284 excitation Effects 0.000 claims abstract description 15
- 230000011664 signaling Effects 0.000 claims description 15
- 230000008569 process Effects 0.000 claims description 12
- 230000006870 function Effects 0.000 claims description 3
- 238000010367 cloning Methods 0.000 claims description 2
- 238000002955 isolation Methods 0.000 description 3
- 238000004519 manufacturing process Methods 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 238000012790 confirmation Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 210000001367 artery Anatomy 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00563—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys using personal physical data of the operator, e.g. finger prints, retinal images, voicepatterns
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00571—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by interacting with a central unit
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/0897—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3278—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response using physically unclonable functions [PUF]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses an identity authentication method based on a trusted execution environment, which comprises the following steps: generating a random sequence in the TEE as the excitation of the PUF, generating a protection identity key through the PUF, and creating a challenge/response pair bound by the identity key and the PUF; generating a random number in the TEE, carrying out encryption operation on the random number, a storage key and identity ID information, and generating a plurality of challenge/response pairs by the random number and an encryption operation result; the authentication server selects a pair of unused challenge/response pairs from a plurality of challenge/response pairs to send to the TEE in the device for authentication service; the authentication server takes out the identity key ciphertext, compares the identity key ciphertext with the challenge/response pair, if the identity key ciphertext is the challenge/response pair, the authentication is successful, otherwise, the authentication is failed; when there remains at least one unused challenge/response pair on the authentication server, a session update challenge/response pair protected by a session key is required, which is securely transmitted to the authentication server over the channel.
Description
Technical Field
The invention relates to the technical field of information security of mobile equipment, in particular to an identity authentication method based on a trusted execution environment.
Background
The TEE is an abbreviation of trusted execution environment, the current trusted execution environment is mainly a trusted execution environment constructed based on a secure area of a processor in an intelligent terminal (such as a smart phone), the trusted execution environment is an independent execution area and provides many security attributes such as isolation, integrity and the like, meanwhile, the trusted execution environment also ensures the security of codes and data loaded into the trusted execution environment, and the traditional trusted execution environment technology includes TrustZone of ARM and the like.
With the development of the internet of things, more and more internet of things devices need to establish a trusted execution environment to support the security-sensitive services of the internet of things, the authentication of the identity of the internet of things is that an authentication server or other verification terminals complete the confirmation of the identity of the internet of things devices by a certain means to realize the access control of the internet of things devices, at present, the identity confirmation of the internet of things devices is based on a physical unclonable method, secret information is obtained by extracting inevitable manufacturing differences in the manufacturing process, particularly, when a circuit is powered off, the secret information disappears, an attacker cannot obtain the secret information in the circuit by using a traditional attack mode, and a general invasive attack can also destroy the manufacturing differences in the circuit to cause invalid attacks.
Disclosure of Invention
Aiming at the technical problems in the related art, the invention provides an identity authentication method based on a trusted execution environment, and a safe single-chip identity authentication scheme with low cost is established based on a trusted authentication service of TEE, a PUF and a challenge/response mode.
In order to achieve the technical purpose, the technical scheme of the invention is realized as follows: an identity authentication method based on a trusted execution environment, the method comprising the steps of:
s1, generating a random sequence in the TEE as an excitation of a PUF (physical unclonable function), generating a protection identity key through the PUF, and creating a challenge/response pair bound by the identity key and the PUF;
s2, generating a random number in the TEE, performing encryption operation and hash operation on the random number, a storage key and identity ID information, and generating a plurality of challenge/response pairs by the random number and an encryption operation result;
s3, the authentication server selects a pair of unused challenge/response pairs from the plurality of challenge/response pairs to carry out authentication service on the TEE sent to the equipment;
s4, the authentication server takes out the identity key ciphertext, compares the identity key ciphertext with the challenge/response pair, if the identity key ciphertext is the same as the challenge/response pair, the authentication is successful, and otherwise, the authentication is failed;
and S5, updating the challenge/response pair, when at least one unused challenge/response pair remains on the authentication server, needing a session updating challenge/response pair protected by a session key, and safely transmitting the session updating challenge/response pair to the authentication server through a channel.
Further, the S1 creating an identity key further comprises:
s1.1, generating a random sequence in the TEE as an excitation of the PUF, generating a response RSP through the PUF, encrypting an identity key by using the RSP as an AES encryption key, and storing an excitation and encryption model structure on a one-time programming memory OTP to realize the access of the PUF and the AES in the TEE.
Further, generating the challenge/response pair in S2 further comprises:
s2.1, AES encryption is carried out by using RSP as a secret key, a plurality of challenge/response pairs are generated by random numbers and encryption operation results, the generated challenge/response pairs are uploaded to an authentication server, and meanwhile, the authentication server stores equipment identity secret keys and ID equipment information.
Further, the TEE authentication service in S3 further comprises:
s3.1, the TEE authentication service takes out the excitation on the one-time editing memory OTP and inputs the excitation to the PUF; after receiving the excitation of the one-time programmable memory OTP, the PUF responds to the RSP by using the PUF, so that the RSP decrypts the identity key ciphertext on the one-time programmable memory OTP to obtain an identity key;
further, the authentication of the identity key in S3.1 further includes:
5363 the method comprises the steps of encrypting random number, storage key and ID information by S3.1.1, performing AES encryption by using RSP as a key to generate a signaling msg1, encrypting challenge/response and a session key by using the ID information to generate a signaling msg2, and uploading the signaling msg1 and the signaling msg2 to an authentication server.
Further, the authentication of the authentication server and the challenge/response pair in S4 further comprises:
s4.1 if the authentication is successful, the identity key is used for decrypting the signaling msg2, the challenge/response in the decryption result is compared with the authentication server, if the comparison result is equal, the session _ key in the decryption result is valid and is used in the subsequent session, otherwise, the identity key is tampered, and the authentication process is judged to fail.
Further, the updating challenge-response pair in S5 further includes:
s5.1, the challenge/response pairs on the authentication server are updated safely, so that the challenge/response pairs are not repeated, repeated attack is prevented, and the authenticity of the whole authentication process is ensured;
and S5.2, configuring the PUF and the authentication server in the TEE to run, and realizing physical anti-cloning of the storage equipment of the authentication server.
The invention has the beneficial effects that: in view of the defects in the prior art, the method has the following beneficial effects:
1) Safety: the identity key is protected through the PUF, the key copy attack is prevented, the real binding of the key and the equipment is realized through the anti-replay design of response challenge of the PUF, the key is still unavailable due to accidental leakage, or the illegal access of other non-trusted codes on the equipment to the identity key is limited through the trusted execution environment isolation;
2) High performance: the whole protection process is completed in a server equipment interaction process, the method has high practical value, and a safe single-chip identity authentication scheme with low cost is built based on the trusted authentication service of the TEE, the PUF and a challenge/response mode.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a flow chart of an identity authentication method based on a trusted execution environment according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments that can be derived by one of ordinary skill in the art from the embodiments given herein are intended to be within the scope of the present invention.
As shown in fig. 1, an identity authentication method based on a trusted execution environment according to an embodiment of the present invention includes the following steps:
step one, in an initialization stage, protecting an identity key by using a PUF (physical unclonable function), and creating a challenge/response pair bound by the identity key and the PUF;
step two, in the identity authentication stage, the authentication server selects a pair of unused challenge/response pairs from a plurality of challenge/response pairs to send to the TEE in the equipment for authentication service;
and step three, in a challenge/response pair updating stage, the challenge/response pair on the authentication server is updated safely, so that the challenge/response pair is not repeated, and repeated attack is prevented.
In a specific embodiment of the invention, in an initialization stage, a random sequence is generated in the TEE as an excitation of the PUF, a response RSP is generated through the PUF, the RSP is used as an AES encryption key to encrypt an identity key, the excitation and encryption model structure is stored in the OTP, access of the PUF and the AES in the TEE is realized, a random number is generated in the TEE, the random number, the storage key and identity ID information are subjected to encryption operation and hash operation, the RSP is used as a key to perform AES encryption, a plurality of challenge/response pairs are generated by the random number and the encryption operation result, and the generated challenge/response pairs are uploaded to the authentication server, and meanwhile, the authentication server stores a device identity key and ID device information.
In a specific embodiment of the invention, in an identity authentication stage, an authentication server selects a pair of unused challenge/response pairs from a plurality of challenge/response pairs to perform authentication service on a TEE sent to a device, the TEE authentication service takes out and inputs stimuli on a one-time programmable memory OTP to a PUF, the PUF receives the stimuli of the one-time programmable memory OTP, and then uses the PUF to respond to an RSP so that the RSP decrypts an identity key ciphertext on the one-time programmable memory OTP to obtain an identity key, performs encryption operation on a random number, a storage key and identity ID information, uses the RSP as a key to perform AES encryption (RSP, hash, ID _ key, ID)) to generate a signaling msg1, uses the identity ID information to encrypt the challenge/response and a session key (ID _ key, challenge | | session _ key), generates a signaling msg2, and uploads the signaling msg1 and the signaling msg2 to the authentication server;
the authentication server takes out the identity key ciphertext, compares the identity key ciphertext with the challenge/response pair, if the identity key ciphertext and the challenge/response pair are the same, the authentication is successful, otherwise, the authentication is failed, if the authentication is successful, the identity key is used for decrypting the signaling msg2, the challenge/response in the decryption result is compared with the authentication server, if the comparison result is equal, the session _ key in the decryption result is valid and is used in the subsequent session, otherwise, the identity key is tampered, and the authentication process is judged to be failed.
In a specific embodiment of the present invention, in the challenge/response pair updating phase, when at least one unused challenge/response pair remains on the authentication server, a session update challenge/response pair protected by a session key is required, and the session update challenge/response pair is securely transmitted to the authentication server through a channel.
In order to facilitate understanding of the above-described technical aspects of the present invention, the above-described technical aspects of the present invention will be described in detail below in terms of specific usage.
In specific use, the identity authentication method based on the trusted execution environment according to the present invention is applied to the intelligent door lock, and the specific embodiment thereof is described as follows:
1) The intelligent door lock service mainly comprises intelligent door lock equipment and a remote server;
2) The intelligent door lock comprises an identity authentication module (PIN code, intelligent card, fingerprint/human face/palm artery/voiceprint and other biological identification) of a user, a lock opening and closing module, a connection module and an equipment identity authentication module;
3) The remote authentication server consists of equipment authentication service and unlocking service;
the intelligent door lock initialization implementation process comprises the following steps:
1) Burning the initialization program into the equipment chip by using a firmware burning tool, operating the initialization program, encrypting and storing the equipment key and the equipment ID of the intelligent door lock, and uploading related information to the authentication server;
2) Burning the intelligent door lock service program into the equipment chip by using a firmware burning tool;
3) Powering on the door lock, and authenticating the equipment identity authentication program in the door lock through the equipment authentication program of the authentication server;
4) After the authentication is successful, a shared key for encrypted communication is generated in the intelligent door lock local part and the task server, and channel safe transmission is established;
5) The authentication server performs unlocking instruction issuing, PIN code updating and other services through channel secure transmission;
6) The intelligent door lock can perform identity authentication with the task server according to a certain strategy, so that the safety is improved;
7) In the application process of the intelligent door lock, the challenge/response pairs on the authentication server are used for realizing the non-repetition of the challenge/response pairs through the safe updating, so that the repeated attack is prevented, and the anti-replay safety characteristic of the whole authentication process is ensured.
In summary, with the above technical solution of the present invention, the security: the identity key is protected through the PUF, the key copy attack is prevented, the real binding of the key and the equipment is realized through the anti-replay design of response challenge of the PUF, the key is still unavailable due to accidental leakage, or the illegal access of other non-trusted codes on the equipment to the identity key is limited through the trusted execution environment isolation; high performance: the whole protection process is completed in a server device interaction process, the method has high practical value, and a safe single-chip identity authentication scheme with low cost is built based on the trusted authentication service of the TEE, the PUF and a challenge/response mode.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.
Claims (6)
1. An identity authentication method based on trusted execution environment, characterized in that the method comprises
The method comprises the following steps:
s1, generating a random sequence in the TEE as an excitation of a PUF (physical unclonable function), generating a protection identity key through the PUF, and creating a challenge/response pair bound by the identity key and the PUF;
s2, generating a random number in the TEE, performing encryption operation and hash operation on the random number, a storage key and identity ID information, and generating a plurality of challenge/response pairs by the random number and an encryption operation result;
s3, the authentication server selects a pair of unused challenge/response pairs from the plurality of challenge/response pairs to send the challenge/response pairs to the TEE in the equipment for authentication service;
s4, the authentication server takes out the identity key ciphertext, compares the identity key ciphertext with the challenge/response pair, if the identity key ciphertext is the same as the challenge/response pair, the authentication is successful, and otherwise, the authentication is failed;
and S5, updating the challenge/response pair, and when at least one unused challenge/response pair remains on the authentication server, updating the challenge/response pair through the session protected by the session key, wherein the session update challenge/response pair is safely transmitted to the authentication server through a channel.
2. The trusted execution environment-based identity authentication method of claim 1, wherein the step of S1 creating an identity key further comprises:
s1.1, generating a random sequence in the TEE as an excitation of the PUF, generating a response RSP through the PUF, encrypting an identity key by using the RSP as an AES encryption key, and storing an excitation and encryption model structure on a one-time programming memory OTP to realize the access of the PUF and the AES in the TEE.
3. The trusted execution environment-based identity authentication method of claim 1, wherein the generating of the challenge/response pair in S2 further comprises:
s2.1, AES encryption is carried out by using RSP as a secret key, a plurality of challenge/response pairs are generated by random numbers and encryption operation results, the generated plurality of challenge/response pairs are uploaded to an authentication server, and meanwhile, the authentication server stores equipment identity secret keys and ID equipment information.
4. The trusted execution environment based identity authentication method of claim 1, wherein said S3 TEE authentication service further comprises:
s3.1, the TEE authentication service takes out the excitation on the one-time programmable memory OTP and inputs the excitation to the PUF, and the PUF responds to the RSP after receiving the excitation of the one-time programmable memory OTP, so that the RSP decrypts the identity key ciphertext on the one-time programmable memory OTP to obtain the identity key;
said S3.1 further comprises:
s3.1.1 performs encryption operation on the random number, the storage key and the identity ID information, performs AES encryption by using RSP as a key to generate a signaling msg1, encrypts the challenge/response and the session key by using the identity ID information to generate a signaling msg2, and uploads the signaling msg1 and the signaling msg2 to the authentication server.
5. The trusted execution environment based identity authentication method of claim 4, wherein the S4 further comprises:
s4.1 if the authentication is successful, the identity key is used for decrypting the signaling msg2, the challenge/response in the decryption result is compared with the authentication server, if the comparison result is equal, the session _ key in the decryption result is valid and is used in the subsequent session, otherwise, the identity key is tampered, and the authentication process is judged to fail.
6. The trusted execution environment-based identity authentication method of claim 1, wherein updating the challenge/response pair in S5 further comprises:
s5.1, the challenge/response pairs on the authentication server are updated safely, so that the challenge/response pairs are not repeated, repeated attacks are prevented, and the authenticity of the whole authentication process is ensured;
s5.2, the PUF and the authentication server are configured in the TEE to operate, and physical anti-cloning of the storage device of the authentication server is achieved.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110065687.7A CN112787813B (en) | 2021-01-19 | 2021-01-19 | Identity authentication method based on trusted execution environment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110065687.7A CN112787813B (en) | 2021-01-19 | 2021-01-19 | Identity authentication method based on trusted execution environment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112787813A CN112787813A (en) | 2021-05-11 |
| CN112787813B true CN112787813B (en) | 2023-03-24 |
Family
ID=75757517
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110065687.7A Active CN112787813B (en) | 2021-01-19 | 2021-01-19 | Identity authentication method based on trusted execution environment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112787813B (en) |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114039732B (en) * | 2021-11-08 | 2024-01-19 | 中国人民解放军国防科技大学 | Physical layer authentication method, system, equipment and computer readable storage medium |
| CN114257382B (en) * | 2022-01-30 | 2024-06-11 | 支付宝(杭州)信息技术有限公司 | Key management and service processing method, device and system |
| CN114827176B (en) * | 2022-04-08 | 2023-05-09 | 华中科技大学 | A method and system for defending against Sybil attacks in a decentralized storage system |
| CN115801422B (en) * | 2022-11-28 | 2025-08-12 | 国网辽宁省电力有限公司沈阳供电公司 | Electric power Internet of things with complete peer-to-peer credibility and construction method thereof |
| CN116436597B (en) * | 2023-03-06 | 2025-07-11 | 西安电子科技大学 | Smart power grid identity authentication system based on physical unclonable function |
| CN116451188B (en) * | 2023-06-16 | 2023-08-29 | 无锡沐创集成电路设计有限公司 | Software program operation safety protection method, system and storage medium |
| CN118555068B (en) * | 2024-07-29 | 2024-11-19 | 北京微芯区块链与边缘计算研究院 | PUF-based TEE trusted root generation and use method and related device |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108449322A (en) * | 2018-02-13 | 2018-08-24 | 环球鑫彩(北京)彩票投资管理有限公司 | Identity registration, authentication method, system and relevant device |
| CN108540442A (en) * | 2018-02-08 | 2018-09-14 | 北京豆荚科技有限公司 | A kind of control method accessing credible performing environment |
| CN108563953A (en) * | 2018-03-26 | 2018-09-21 | 南京微可信信息技术有限公司 | A kind of trusted application development approach of secure extensible |
| CN108768660A (en) * | 2018-05-28 | 2018-11-06 | 北京航空航天大学 | Internet of things equipment identity identifying method based on physics unclonable function |
| CN109040067A (en) * | 2018-08-02 | 2018-12-18 | 广东工业大学 | A kind of user authentication device and authentication method based on the unclonable technology PUF of physics |
| WO2020078804A1 (en) * | 2018-10-17 | 2020-04-23 | Siemens Aktiengesellschaft | Puf based securing of device update |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170288885A1 (en) * | 2016-03-31 | 2017-10-05 | Intel Corporation | System, Apparatus And Method For Providing A Physically Unclonable Function (PUF) Based On A Memory Technology |
| KR102384664B1 (en) * | 2019-06-28 | 2022-04-11 | 한국전자통신연구원 | User device, physical unclonable function based authentication server and operating method thereof |
-
2021
- 2021-01-19 CN CN202110065687.7A patent/CN112787813B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108540442A (en) * | 2018-02-08 | 2018-09-14 | 北京豆荚科技有限公司 | A kind of control method accessing credible performing environment |
| CN108449322A (en) * | 2018-02-13 | 2018-08-24 | 环球鑫彩(北京)彩票投资管理有限公司 | Identity registration, authentication method, system and relevant device |
| CN108563953A (en) * | 2018-03-26 | 2018-09-21 | 南京微可信信息技术有限公司 | A kind of trusted application development approach of secure extensible |
| CN108768660A (en) * | 2018-05-28 | 2018-11-06 | 北京航空航天大学 | Internet of things equipment identity identifying method based on physics unclonable function |
| CN109040067A (en) * | 2018-08-02 | 2018-12-18 | 广东工业大学 | A kind of user authentication device and authentication method based on the unclonable technology PUF of physics |
| WO2020078804A1 (en) * | 2018-10-17 | 2020-04-23 | Siemens Aktiengesellschaft | Puf based securing of device update |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112787813A (en) | 2021-05-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112787813B (en) | Identity authentication method based on trusted execution environment | |
| US10482291B2 (en) | Secure field-programmable gate array (FPGA) architecture | |
| CN106130982B (en) | Intelligent household appliance remote control method based on PKI system | |
| CA2838763C (en) | Credential authentication methods and systems | |
| US7373509B2 (en) | Multi-authentication for a computing device connecting to a network | |
| RU2434352C2 (en) | Reliable authentication method and device | |
| KR102676616B1 (en) | Method and apparatus, computer device, and storage medium for authenticating biometric payment devices | |
| CN109379387B (en) | Safety certification and data communication system between Internet of things equipment | |
| JP6927981B2 (en) | Methods, systems, and devices that use forward secure cryptography for passcode verification. | |
| KR20080020621A (en) | Executing Integrity Protected Secure Stores | |
| CN108494551A (en) | Processing method, system, computer equipment and storage medium based on collaboration key | |
| CN101140605A (en) | Data safe reading method and safe storage device thereof | |
| CN108471352A (en) | Processing method, system, computer equipment based on distributed private key and storage medium | |
| EP3292654B1 (en) | A security approach for storing credentials for offline use and copy-protected vault content in devices | |
| ES2709223T3 (en) | Procedure of using, from a terminal, a user's cryptographic data stored in a database | |
| Murtaza et al. | A portable hardware security module and cryptographic key generator | |
| Kostiainen et al. | Towards user-friendly credential transfer on open credential platforms | |
| CN115171245B (en) | Door lock security authentication method and system based on HCE | |
| US20060053288A1 (en) | Interface method and device for the on-line exchange of content data in a secure manner | |
| CN112422280A (en) | Man-machine control interaction method, interaction system, computer equipment and storage medium | |
| CN110740036A (en) | Anti-attack data confidentiality method based on cloud computing | |
| WO2013138867A1 (en) | Secure nfc apparatus and method | |
| JP5675979B2 (en) | Simplified method for personalizing smart cards and related devices | |
| Lu et al. | Communication security between a computer and a hardware token | |
| CN112184960A (en) | Intelligent lock control method and device, intelligent lock system and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |