An identity authentication system based on a certificateless technique and a working method thereof

CN116722987BActive Publication Date: 2026-06-12BEIJING KEDONG ELECTRIC POWER CONTROL SYST CO LTD +1

View PDF 2 Cites 0 Cited by

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents(China)
Current Assignee / Owner: BEIJING KEDONG ELECTRIC POWER CONTROL SYST CO LTD
Filing Date: 2023-05-26
Publication Date: 2026-06-12

Application Information

Patent Timeline

26 May 2023

Application

12 Jun 2026

Publication

CN116722987B

IPC: H04L9/32; H04L9/08; H04L9/30

CPC: H04L9/3226; H04L9/0869; H04L9/3247; H04L9/30; Y02D30/70

AI Tagging

Application Domain

Key distribution for secure communicationPublic key for secure communication

Explore More Agents

Novelty Search
Search existing technologies and assess novelty
↗
FTO
Analyze whether a product may infringe others' patents
↗
Design FTO
Check prior-design risk for exterior design
↗
Drafting
Draft patent application text based on a technical solution
↗
Find Solutions with TRIZ
Generate feasible solution to solve your technical challenge
↗

Similar Technology Patents

Get free access to AI patent search and analysis

Check patentability, review prior art and ask IP Agent with full patent context.

AI Technical Summary

⚠Technical Problem

In distributed power systems, existing identity authentication technologies suffer from low authentication efficiency, insufficient security, high risk of key escrow, and limited computing resources of terminal devices. In particular, in scenarios with a large number of distributed generation terminals, certificate management is complex and the identity of the subject cannot be determined solely by the certificate.

⚗Method used

The system employs a certificate-free authentication technology, comprising a terminal SDK, front-end services, a device center, a key center, and a security center. It achieves efficient and secure identity authentication for terminal devices through terminal information collection, identity information generation, and key generation.

🎯Benefits of technology

It reduces authentication steps, improves authentication efficiency and security, reduces key escrow risks, and enables terminal devices to automatically generate private keys, reducing management costs and enhancing the system's native security capabilities.

✦ Generated by Eureka AI based on patent content.

Smart Images

Figure CN116722987B_ABST

Patent Text Reader

Abstract

The application discloses an identity authentication system based on a certificateless technology and a working method thereof, and sets a front service, logically isolates a terminal device from a core service, and can effectively prevent external attacks from damaging the core service while hiding the core service. A terminal ID fusion generation mechanism introduces a random number parameter, increases the difficulty of cracking the terminal ID generation rule by illegal personnel, describes the terminal device from three dimensions of device characteristics, operating system characteristics and communication characteristics, can ensure the uniqueness of the terminal ID, and can effectively prevent events such as card separation and terminal fraud. The application can make up for the problems existing in the certificate system, and enable the distributed power terminal to provide an efficient and safe identity derivation mode in a distributed power supply scene.

Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to an identity authentication system and its working method based on certificate-free technology, belonging to the field of power system information security technology. Background Technology

[0002] Distributed power systems are composed of various types of distributed power generation terminals. The system is large and complex, with strong interconnectivity; a single event can affect the entire system. If a safety fault occurs between the communication center and stations, the impact could potentially spread to the entire power communication system.

[0003] Therefore, information security in distributed power generation terminal communication becomes particularly important. Identity authentication of distributed power generation terminals, as the most crucial link in information security, has the following characteristics:

[0004] (1) The massive number of distributed generation terminals leads to complex PKI certificate management.

[0005] (2) The key escrow mechanism in the PKI system leads to the problem of centralized key storage.

[0006] (3) Some distributed power generation terminals are limited by computing resources, storage resources and other issues, and cannot use certificates for identity authentication.

[0007] Existing identity authentication technologies, such as certificateless public-key cryptography systems and certificate-based authentication, are widely used in various identity authentication fields. However, due to the characteristics of their algorithms, these technologies still have the following shortcomings when applied to the authentication of distributed power generation terminals:

[0008] (1) The identification of the subject is based on certificate information, but the subject identity information in the certificate information is not bound to the subject's own characteristics. That is, it is not possible to determine whether the subject is legitimate by the certificate alone. Other additional information is needed to confirm the subject's identity, such as username, fingerprint, etc.

[0009] (2) In the PKI system, in order to facilitate key management, the private key information of the certificate subject is generally centrally managed in the CA. Therefore, the security of the private key is heavily dependent on the security of the CA organization.

[0010] (3) The certifier needs to perform two calculations to complete the verification work: the first calculation is to verify the validity of the certificate signature, and the second calculation is to verify the validity of the response message.

[0011] (4) In the scenario of distributed power supply for a large number of terminal devices, the CA center approach has certain limitations in terms of certificate generation and storage.

[0012] Therefore, how to improve authentication efficiency while enhancing authentication security is a pressing technical problem that needs to be solved in the identity authentication of distributed power generation terminals. Summary of the Invention

[0013] Objective: In order to overcome the shortcomings of the existing technology, the present invention provides an identity authentication system and its working method based on certificate-free technology, which can make up for the problems of certificate system and enable it to provide an efficient and secure identity derivation method for distributed power terminals in distributed power scenarios.

[0014] Technical solution: To solve the above technical problems, the technical solution adopted by the present invention is as follows:

[0015] Firstly, an identity authentication system based on certificate-free technology includes: a terminal SDK, a front-end service, a device center, and a key center.

[0016] The terminal SDK is responsible for terminal information collection, terminal identity information generation, and authentication.

[0017] The aforementioned front-end service is responsible for the data interaction between the terminal SDK and the back-end service.

[0018] The device center is responsible for the registration and management of terminal devices.

[0019] The key center is responsible for generating KGC parameters and related key information for terminal devices, and for publishing the generated information to the front-end service.

[0020] Furthermore, it also includes a security center, which is responsible for setting security policies and conducting security audits.

[0021] Furthermore, the terminal SDK specifically includes:

[0022] Information collection component: Used to collect terminal information of the terminal device where the terminal SDK is located, including: device information, operating system information, SIM card information; and generate corresponding ID information by hashing the collected terminal information.

[0023] Identity Information Generation Component: This component generates a terminal ID from the ID information and a negotiated random number using an algorithm. It obtains the public parameters `params` from the key center and a portion of the terminal device's private key `PPK` from the front-end service, and generates the terminal device's secret value `xID` using the public parameters `params`, the terminal device's partial private key `PPK`, and the terminal device's terminal ID. It then generates the terminal device's public key `PKID` using the terminal device's secret value `xID`, the public parameters `params`, and the terminal device's terminal ID. Finally, it generates a random message `M` and signs it using the terminal device's secret value `xID`, the public parameters `params`, the terminal device's terminal ID, and the terminal device's partial private key `PPK`, generating a signature for the random message `M`. Finally, it packages the terminal device's public key `PKID`, the random message `M`, and the signature of the random message `M` to generate the terminal device's authentication information `auth`.

[0024] Authentication component: Used to extract the signature of random message M, random message M and the public key PKID of the terminal device from the authentication information auth through the public parameter params. Verify the signature of random message M based on random message M and the public key PKID of the terminal device. If the verification is successful, the authentication is considered successful; if the verification fails, the authentication is considered unsuccessful.

[0025] Furthermore, the aforementioned pre-services specifically include:

[0026] Terminal information collection component: Used to receive the device ID, operating system ID, and SIM card ID information of the terminal device sent by the terminal SDK.

[0027] Key distribution component: Used to distribute public parameters (params) and a portion of the terminal device's private key (PPK).

[0028] Data proxy component: Used to proxy and forward information exchanged between the terminal SDK, device center, and key.

[0029] Furthermore, the equipment center specifically includes:

[0030] Device registration component: Used for device lifecycle management, including at least one of the following: device registration, modification, or deletion.

[0031] Device management component: Used for device status management, including at least one of the following: device online or offline.

[0032] Furthermore, the key center specifically includes:

[0033] Key generation component: Used to generate system keys, including: public parameters params, master key MSK, and partial private key PPK of terminal devices.

[0034] Parameter publishing component: Used to send public parameters (params) and a portion of the terminal device's private key (PPK) to the public network.

[0035] Secondly, a working method for an identity authentication system based on certificate-free technology includes the following steps:

[0036] Step 1: The key center generates publicly available parameters (params) and a private master key (MSK), and publishes the publicly available parameters (params) in the key publishing component of the front-end service.

[0037] Step 2: The device center communicates with the terminal SDKs on terminal device A and terminal device B respectively through the front-end service to obtain the ID information of terminal device A and terminal device B, and registers terminal device A and terminal device B. The device center coordinates with the terminal SDKs on terminal device A and terminal device B to generate terminal IDs for terminal device A and terminal device B, and stores the terminal IDs of terminal device A and terminal device B in the device center.

[0038] Step 3: The key center obtains the terminal IDs of terminal device A and terminal device B from the device center, and generates partial private keys PPK for terminal device A and terminal device B respectively through the algorithm based on the terminal IDs of terminal device A and terminal device B and the master key MSK, and publishes them in the key distribution component of the front-end service.

[0039] Step 4: The terminal SDK on terminal device A obtains the public parameter params and part of the private key PPK of terminal device A from the key distribution component of the front-end service, and generates the secret value xID of terminal device A through the public parameter params, part of the private key PPK of terminal device A, and terminal ID of terminal device A.

[0040] Step 5: The terminal SDK on terminal device A generates the public key PKID of terminal device A using the secret value xID of terminal device A, the public parameter params, and the terminal ID of terminal device A.

[0041] Step 6: The terminal SDK on terminal device A generates a random message M, and signs the random message M using the secret value xID of terminal device A, the public parameter params, the terminal ID of terminal device A, and part of the private key PPK of terminal device A, thus generating the signature of random message M.

[0042] Step 7: The terminal SDK on terminal device A packages the public key PKID of terminal device A, the random message M, and the signature of the random message M to generate the authentication information auth of terminal device A.

[0043] Step 8: The terminal SDK on terminal device B obtains the public parameter params and part of the private key PPK of terminal device B from the key distribution component of the front-end service, and generates the secret value xID of terminal device B using the public parameter params, part of the private key PPK of terminal device B, and terminal ID of terminal device B.

[0044] Step 9: The terminal SDK on terminal device B generates the public key PKID of terminal device B using the secret value xID of terminal device B, the public parameter params, and the terminal ID of terminal device B.

[0045] Step 10: The terminal SDK on terminal device B generates a random message M, and signs the random message M using the secret value xID, public parameter params, terminal ID of terminal device B, and part of the private key PPK of terminal device B, thus generating the signature of random message M.

[0046] Step 11: The terminal SDK on terminal device B packages the public key PKID of terminal device B, random message M, and the signature of random message M to generate the authentication information auth of terminal device B.

[0047] Step 12: The terminal SDK on terminal device A sends the authentication information (auth) of terminal device A to the terminal SDK on terminal device B, and the terminal SDK on terminal device B sends the authentication information (auth) of terminal device B to the terminal SDK on terminal device A.

[0048] Step 13: The terminal SDK on terminal device A extracts the signature information from the authentication information auth of terminal device B and verifies the signature information. If the verification passes, the identity verification is considered successful; if the verification fails, the identity verification is considered unsuccessful.

[0049] Step 14: The terminal SDK on terminal device B extracts the signature information from the authentication information auth of terminal device A and verifies the signature information. If the verification is successful, the identity verification is considered successful; if the verification fails, the identity verification is considered unsuccessful.

[0050] Furthermore, it also includes:

[0051] Step 15: After both terminal device A and terminal device B have passed the other party's verification, terminal device A and terminal device B establish a connection.

[0052] Step 16: If either terminal device A or terminal device B fails to pass the other's verification, terminal device A and terminal device B will close the connection.

[0053] Furthermore, the device center coordinates with the terminal SDKs on terminal device A and terminal device B to generate terminal IDs for terminal device A and terminal device B, specifically including:

[0054] Step a: The terminal SDK collects terminal information from terminal device A and terminal device B, including: device information, operating system information, and SIM card information.

[0055] Step b: The terminal SDK communicates with the device center through the data proxy component of the front-end service. The terminal SDK and the device registration component of the device center negotiate a random number.

[0056] Step c: The terminal SDK generates corresponding IDs from the collected terminal information, namely device ID, operating system ID, and SIM card ID, and uploads the generated three types of IDs to the device registration component.

[0057] Step d: The terminal SDK and device center use an algorithm to generate a terminal ID from the three types of IDs and a random number. The terminal ID serves as the unique identifier for the terminal device.

[0058] Step e: The device registration component transmits the generated terminal ID to the device management component for management.

[0059] Furthermore, step 13 specifically includes:

[0060] The terminal SDK on terminal device A extracts the signature of random message M, random message M, and public key PKID of terminal device B from the authentication information auth of terminal device B through the public parameter params. It then verifies the signature of random message M based on random message M and public key PKID of terminal device B. If the verification is successful, the authentication is considered successful; otherwise, the authentication is considered unsuccessful.

[0061] Furthermore, step 14 specifically includes:

[0062] The terminal SDK on terminal device B extracts the signature of random message M, random message M, and public key PKID of terminal device A from the authentication information auth of terminal device A through the public parameter params. It then verifies the signature of random message M based on random message M and public key PKID of terminal device A. If the verification is successful, the authentication is considered successful; otherwise, the authentication is considered unsuccessful.

[0063] Beneficial Effects: This invention provides an identity authentication system and its working method based on certificate-free technology. It establishes a front-end service, logically isolating terminal devices from core services (device center, key center, etc.). This effectively prevents external attacks from damaging core services while hiding them. The terminal ID fusion generation mechanism, by introducing a random number parameter, increases the difficulty for unauthorized personnel to crack the terminal ID generation rules. Describing the terminal device from three dimensions—device characteristics, operating system characteristics, and communication characteristics—ensures the uniqueness of the terminal ID and effectively prevents events such as SIM card separation and terminal impersonation.

[0064] Compared to existing technologies, its advantages are as follows:

[0065] 1. Identity authentication information is bound to the authentication subject, greatly reducing the authentication steps.

[0066] In certificate-based authentication, the identity information of the authenticator is stored as an attribute within the certificate and does not participate in any calculations. Therefore, certificate-based authentication always requires additional authentication information, such as username and password. In certificate-free authentication, however, the user's identity information is directly involved in the authentication calculations, thus eliminating the need for additional authentication information. For example, using a challenge / response method, the interaction process is reduced by one-third compared to certificate-based authentication.

[0067] 2. A highly automated registration process reduces management costs and improves management efficiency.

[0068] In CA systems, user registration and key acquisition are typically manual processes. Due to confidentiality principles, terminal private keys generally cannot be obtained directly online, and certificates usually need to be manually imported, resulting in low automation. In this invention, the terminal's identity ID, private key, public key, and authentication information are all automatically generated by the terminal SDK, eliminating the need for manual operation and significantly improving efficiency compared to CA solutions.

[0069] 3. A more secure system architecture provides native security capabilities, enabling more effective responses to external attacks.

[0070] This invention sets up a front-end service, where communication and data exchange between the terminal device and the core service are all carried out through the front-end service component. The core service also publishes the data that needs to be shared to the front-end service component for data sharing. The front-end service component logically isolates the terminal and the core service. This architecture can effectively prevent external attacks from damaging the core service, causing service termination or data loss.

[0071] 4. The key center does not provide key escrow services, making its keys more secure compared to the CA system.

[0072] Traditional CA systems typically offer key escrow functionality for convenient key management, meaning they centrally manage terminal private keys to facilitate key recovery. In this invention, the terminal private key is automatically generated by the terminal SDK. When the terminal's authentication information file is lost or becomes unavailable for some reason, the terminal can recover the corresponding authentication information file using saved information or re-register to obtain a new authentication file. The key center does not need to escrow the terminal's keys. Attached Figure Description

[0073] Figure 1 This is a schematic diagram of the overall architecture of the identity authentication system based on certificate-free technology of the present invention.

[0074] Figure 2 This is a schematic diagram of the working method of the identity authentication system based on certificate-free technology of the present invention.

[0075] Figure 3 This is a schematic diagram of the system initialization process of the present invention.

[0076] Figure 4 This is a schematic diagram of the terminal device registration process according to the present invention.

[0077] Figure 5 This is a schematic diagram of the process for generating identification information according to the present invention.

[0078] Figure 6 This is a schematic diagram of the identity authentication process of the present invention.

[0079] Figure 7 This is a schematic diagram illustrating the process of two-way authentication between terminal devices and the security access gateway. Detailed Implementation

[0080] The technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the protection scope of the present invention.

[0081] The present invention will be further described below with reference to specific embodiments.

[0082] like Figure 1 As shown, the first embodiment of an identity authentication system based on certificate-free technology includes: a terminal SDK (Software Development Kit), a front-end service, a device center, a key center, and a security center.

[0083] The terminal SDK, as the main component of the authentication process, is primarily responsible for terminal information collection, terminal identity information generation, and authentication. Specifically, it includes:

[0084] Information collection component: Used to collect terminal information of the terminal device where the terminal SDK is located, including: device information, operating system information, and SIM card information; the collected terminal information is used to generate corresponding ID information through hash algorithm, i.e., hash (device information) -> device ID, hash (operating system information) -> operating system ID, hash (SIM card information) -> SIM card ID.

[0085] Identity information generation component: used to generate terminal ID from ID information, including device ID, operating system ID, SIM card ID, and negotiated random number, through an algorithm.

[0086] The public parameter params of the key center and the partial private key PPK of the terminal device are obtained from the front-end service of the certification center. A temporary variable, namely the secret value xID of the terminal device, is generated by using the public parameter params, the partial private key PPK of the terminal device and the terminal ID of the terminal device.

[0087] The public key PKID of the terminal device is generated using the terminal device's secret value xID, public parameter params, and terminal ID.

[0088] Generate a random message M, and sign the random message M using the terminal device's secret value xID, public parameters params, terminal device's terminal ID, and part of the terminal device's private key PPK to generate the signature of the random message M.

[0089] The terminal device's public key PKID, random message M, and the signature of random message M are packaged together to generate the terminal device's authentication information auth.

[0090] Authentication component: Used to extract the signature of random message M, random message M and the public key PKID of the terminal device from the authentication information auth through the public parameter params. It verifies the signature of random message M based on random message M and the public key PKID of the terminal device. If the verification is successful (signature verification result is VALID), the authentication is considered successful. If the verification fails (signature verification result is INVALID), the authentication is considered unsuccessful.

[0091] The aforementioned front-end service is used for data interaction between the terminal SDK and the back-end service. Specifically, it includes:

[0092] Terminal information collection component: used to receive device ID, operating system ID, and SIM card ID information sent by the terminal SDK.

[0093] Key distribution component: Used to distribute the public parameters (params) generated by the key center and a portion of the private key (PPK) of the terminal device to the public network.

[0094] Data proxy component: Used to forward information exchanged between the terminal SDK and the authentication center, mainly including random number negotiation information and terminal information.

[0095] The device center is responsible for the registration and management of terminal devices. Specifically, it includes:

[0096] Device registration component: Used for device lifecycle management, including device registration, modification, deletion, etc.

[0097] Device management component: Used for device status management, including whether the device is online or offline.

[0098] The key center is responsible for generating KGC (Key Generate Center) parameters and related key information for terminal devices, and publishes the generated information to the front-end service through a parameter publishing component. Specifically, this includes:

[0099] Key generation component: Used to generate system keys, including: public parameters (params), master key (MSK), and a portion of the terminal device's private key (PPK), wherein:

[0100] The public parameter `params` is generated using a random algorithm and is publicly available.

[0101] The master key MSK is generated using a random algorithm and is not disclosed to the public.

[0102] The terminal device's partial private key PPK is generated using an algorithm based on the master key MSK and the terminal ID of the terminal device, and is publicly disclosed.

[0103] Parameter publishing component: Used to send public parameters (params) and a portion of the terminal device's private key (PPK) to the key publishing component of the front-end service.

[0104] The security center is responsible for setting security policies and conducting security audits, including blacklist / whitelist creation and key lifecycle management. Specifically, this includes:

[0105] Policy Center Component: Used to formulate security policies, including communication blacklists / whitelists, key lifecycles, etc.

[0106] Audit Center Component: Used to audit the generation, use, and distribution of system keys, as well as the access status of terminal devices, the login status of personnel, and their operation status.

[0107] like Figure 2As shown, the second embodiment is a method for operating an identity authentication system based on certificate-free technology. The terminal SDK is deployed on terminal device A and terminal device B, respectively, and the front-end service, device center, key center, and security center are deployed on the authentication center. The method includes the following steps:

[0108] like Figure 3 As shown, step 1: The key center generates publicly available parameters params and a private master key MSK, and publishes the publicly available parameters params in the key publishing component of the front-end service.

[0109] like Figure 4 As shown, in step 2: The device center communicates with the terminal SDKs on terminal device A and terminal device B respectively through the front-end service to obtain the ID information of terminal device A and terminal device B, and registers terminal device A and terminal device B. The device center coordinates with the terminal SDKs on terminal device A and terminal device B to generate terminal IDs for terminal device A and terminal device B, and stores the terminal IDs of terminal device A and terminal device B in the device center.

[0110] like Figure 5 As shown, in step 3: the key center obtains the terminal IDs of terminal device A and terminal device B from the device center, and generates partial private keys PPK of terminal device A and terminal device B respectively through the algorithm based on the terminal IDs of terminal device A and terminal device B and the master key MSK, and publishes them in the key distribution component of the front-end service.

[0111] Step 4: The terminal SDK on terminal device A obtains the public parameter params and part of the private key PPK of terminal device A from the key distribution component of the front-end service, and generates the secret value xID of terminal device A through the public parameter params, part of the private key PPK of terminal device A, and terminal ID of terminal device A.

[0112] like Figure 6 As shown, in step 5: the terminal SDK on terminal device A generates the public key PKID of terminal device A using the secret value xID of terminal device A, the public parameter params, and the terminal ID of terminal device A.

[0113] Step 6: The terminal SDK on terminal device A generates a random message M, and signs the random message M using the secret value xID of terminal device A, the public parameter params, the terminal ID of terminal device A, and part of the private key PPK of terminal device A, thus generating the signature of random message M.

[0114] Step 7: The terminal SDK on terminal device A packages the public key PKID of terminal device A, the random message M, and the signature of the random message M to generate the authentication information auth of terminal device A.

[0115] Step 8: The terminal SDK on terminal device B obtains the public parameter params and part of the private key PPK of terminal device B from the key distribution component of the front-end service, and generates the secret value xID of terminal device B using the public parameter params, part of the private key PPK of terminal device B, and terminal ID of terminal device B.

[0116] Step 9: The terminal SDK on terminal device B generates the public key PKID of terminal device B using the secret value xID of terminal device B, the public parameter params, and the terminal ID of terminal device B.

[0117] Step 10: The terminal SDK on terminal device B generates a random message M, and signs the random message M using the secret value xID, public parameter params, terminal ID of terminal device B, and part of the private key PPK of terminal device B, thus generating the signature of random message M.

[0118] Step 11: The terminal SDK on terminal device B packages the public key PKID of terminal device B, random message M, and the signature of random message M to generate the authentication information auth of terminal device B.

[0119] Step 12: The terminal SDK on terminal device A sends the authentication information (auth) of terminal device A to the terminal SDK on terminal device B, and the terminal SDK on terminal device B sends the authentication information (auth) of terminal device B to the terminal SDK on terminal device A.

[0120] Step 13: The terminal SDK on terminal device A extracts the signature information from the authentication information auth of terminal device B and verifies the signature information. If the verification passes, the identity verification is considered successful; if the verification fails, the identity verification is considered unsuccessful.

[0121] Step 14: The terminal SDK on terminal device B extracts the signature information from the authentication information auth of terminal device A and verifies the signature information. If the verification is successful, the identity verification is considered successful; if the verification fails, the identity verification is considered unsuccessful.

[0122] Step 15: After both terminal device A and terminal device B have passed the other party's verification, terminal device A and terminal device B establish a connection.

[0123] Step 16: If either terminal device A or terminal device B fails to pass the other's verification, terminal device A and terminal device B will close the connection.

[0124] Furthermore, in one embodiment, the device center coordinates with the terminal SDKs on terminal device A and terminal device B to generate terminal IDs for terminal device A and terminal device B, specifically including:

[0125] Step a: The terminal SDK collects terminal information from terminal device A and terminal device B, including: device information, operating system information, and SIM card information. The specific content collected is as follows:

[0126] The device information includes: host machine's serial number, MAC address, serial number, IMEI, etc.

[0127] The operating system information includes: operating system type, major version information, minor version information, kernel version, etc.

[0128] The SIM card information includes the SIM card's IMSI information.

[0129] Step b: The terminal SDK communicates with the device center through the data proxy component of the front-end service. The terminal SDK and the device registration component of the device center negotiate a random number.

[0130] Step c: The terminal SDK generates corresponding IDs from the collected terminal information, namely device ID, operating system ID, and SIM card ID, and uploads the generated three types of IDs to the device registration component.

[0131] Step d: The terminal SDK and device center use an algorithm to generate a terminal ID from the three types of IDs and a random number. The terminal ID serves as the unique identifier for the terminal device.

[0132] Step e: The device registration component transmits the generated terminal ID to the device management component for management.

[0133] Furthermore, in one embodiment, the secret value xID is an important parameter in an identity authentication system based on certificateless technology. The generation of the public key and private key of the terminal device is based on the secret value xID. Therefore, during the authentication information generation stage, the generated secret value xID is a temporary variable and will not be permanently stored.

[0134] Furthermore, in one embodiment, step 13 specifically includes:

[0135] The terminal SDK on terminal device A extracts the signature of random message M, random message M, and public key PKID of terminal device B from the authentication information auth of terminal device B through the public parameter params. It then verifies the signature of random message M based on random message M and public key PKID of terminal device B. If the verification is successful, the authentication is considered successful; otherwise, the authentication is considered unsuccessful.

[0136] Furthermore, in one embodiment, step 14 specifically includes:

[0137] The terminal SDK on terminal device B extracts the signature of random message M, random message M, and public key PKID of terminal device A from the authentication information auth of terminal device A through the public parameter params. It then verifies the signature of random message M based on random message M and public key PKID of terminal device A. If the verification is successful, the authentication is considered successful; otherwise, the authentication is considered unsuccessful. Example

[0138] like Figure 7 As shown, an identity authentication system based on certificate-free technology is applied in a distributed power supply scenario. Terminal device A can be a converged terminal, concentrator, remote control device, etc., while terminal device B can securely access a gateway. The secure access gateway connects to the power grid master station and is responsible for the communication connection between terminal device A and the power grid master station. Both terminal devices A and B have terminal SDKs deployed on them. The authentication center connects to terminal devices A and B via a router and is equipped with a front-end service, a device center, a key center, and a security center.

[0139] A two-way authentication method for an identity authentication system based on certificate-free technology between terminal devices and secure access gateways specifically includes:

[0140] The terminal device interacts with the authentication center to obtain the terminal device's secret value xID, public parameters params, terminal ID, and partial private key PPK, and generates a random message M. Finally, the authentication information Authclient of the terminal device is generated using this information.

[0141] The secure access gateway interacts with the authentication center to obtain the secure access gateway's secret value xID, public parameters params, secure access gateway's terminal ID, and a portion of the secure access gateway's private key PPK, and generates a random message M. Finally, it uses this information to generate the secure access gateway's authentication information Authgateway.

[0142] The terminal device sends its authentication information, Authclient, to the secure access gateway for authentication, while the secure access gateway also sends its authentication information, Authgateway, to the terminal for authentication.

[0143] The secure access gateway authenticates the terminal device. If the authentication is successful, a connection is established. If the authentication fails, the current connection is closed, and the gateway waits for the terminal device to initiate authentication. The terminal device also authenticates the secure access gateway. If the authentication is successful, a connection is established. If the authentication fails, the current connection is closed, and the gateway initiates an authentication process with other secure access gateways.

[0144] The above description is only a preferred embodiment of the present invention. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the principle of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.

Claims

1. An identity authentication system based on certificate-free technology, characterized in that: include: Terminal SDK, front-end services, device center, key center; The terminal SDK is responsible for terminal information collection, terminal identity information generation, and authentication. The aforementioned front-end service is responsible for the data interaction between the terminal SDK and the back-end service; The device center is responsible for the registration and management of terminal devices. The key center is responsible for generating KGC parameters and related key information for terminal devices, and for publishing the generated information to the front-end service. The working method of the identity authentication system specifically includes: Step 1: The key center generates publicly available parameters (params) and a private master key (MSK), and publishes the publicly available parameters (params) in the key publishing component of the front-end service; Step 2: The device center communicates with the terminal SDKs on terminal device A and terminal device B through the front-end service to obtain the ID information of terminal device A and terminal device B respectively, and registers terminal device A and terminal device B; the device center coordinates with the terminal SDKs on terminal device A and terminal device B to generate terminal IDs for terminal device A and terminal device B, and saves the terminal IDs of terminal device A and terminal device B in the device center; Step 3: The key center obtains the terminal IDs of terminal device A and terminal device B from the device center, and generates partial private keys PPK for terminal device A and terminal device B respectively based on the terminal IDs and master key MSK, and publishes them in the key distribution component of the front-end service. Step 4: The terminal SDK on terminal device A obtains the public parameter params and a portion of the private key PPK of terminal device A from the key distribution component of the front-end service, and generates the secret value xID of terminal device A using the public parameter params, the portion of the private key PPK of terminal device A, and the terminal ID of terminal device A. Step 5: The terminal SDK on terminal device A generates the public key PKID of terminal device A using the secret value xID of terminal device A, the public parameter params, and the terminal ID of terminal device A. Step 6: The terminal SDK on terminal device A generates a random message M, and signs the random message M using the secret value xID of terminal device A, the public parameter params, the terminal ID of terminal device A, and part of the private key PPK of terminal device A, thus generating the signature of random message M. Step 7: The terminal SDK on terminal device A packages the public key PKID of terminal device A, the random message M, and the signature of the random message M to generate the authentication information auth of terminal device A. Step 8: The terminal SDK on terminal device B obtains the public parameter params and part of the private key PPK of terminal device B from the key distribution component of the front-end service, and generates the secret value xID of terminal device B through the public parameter params, part of the private key PPK of terminal device B, and terminal ID of terminal device B. Step 9: The terminal SDK on terminal device B generates the public key PKID of terminal device B using the secret value xID, public parameter params, and terminal ID of terminal device B. Step 10: The terminal SDK on terminal device B generates a random message M, and signs the random message M using the secret value xID, public parameter params, terminal ID of terminal device B, and part of the private key PPK of terminal device B, thus generating the signature of random message M. Step 11: The terminal SDK on terminal device B packages the public key PKID of terminal device B, random message M, and the signature of random message M to generate the authentication information auth of terminal device B. Step 12: The terminal SDK on terminal device A sends the authentication information (auth) of terminal device A to the terminal SDK on terminal device B, and the terminal SDK on terminal device B sends the authentication information (auth) of terminal device B to the terminal SDK on terminal device A. Step 13: The terminal SDK on terminal device A extracts the signature information from the authentication information auth of terminal device B and verifies the signature information. If the verification is successful, the identity verification is considered successful; if the verification fails, the identity verification is considered unsuccessful. Step 14: The terminal SDK on terminal device B extracts the signature information from the authentication information auth of terminal device A and verifies the signature information. If the verification is successful, the identity verification is considered successful; if the verification fails, the identity verification is considered unsuccessful.

2. The identity authentication system based on certificateless technology according to claim 1, characterized in that: Also includes: The security center is responsible for setting security policies and conducting security audits.

3. An identity authentication system based on certificateless technology according to claim 1 or 2, characterized in that: The terminal SDK specifically includes: Information collection component: Used to collect terminal information of the terminal device where the terminal SDK is located, including: device information, operating system information, SIM card information; and generate corresponding ID information from the collected terminal information through a hash algorithm; Identity information generation component: This component generates a terminal ID from the ID information and a negotiated random number using an algorithm; it obtains the public parameters `params` from the key center and a portion of the terminal device's private key `PPK` from the front-end service, and generates the terminal device's secret value `xID` using the public parameters `params`, the terminal device's partial private key `PPK`, and the terminal device's terminal ID; it generates the terminal device's public key `PKID` using the terminal device's secret value `xID`, the public parameters `params`, and the terminal device's terminal ID; it generates a random message `M`, and signs the random message `M` using the terminal device's secret value `xID`, the public parameters `params`, the terminal device's terminal ID, and the terminal device's partial private key `PPK`, generating the signature of the random message `M`; finally, it packages the terminal device's public key `PKID`, the random message `M`, and the signature of the random message `M` to generate the terminal device's authentication information `auth`. Authentication component: Used to extract the signature of random message M, random message M and the public key PKID of the terminal device from the authentication information auth through the public parameter params. Verify the signature of random message M based on random message M and the public key PKID of the terminal device. If the verification is successful, the authentication is considered successful; if the verification fails, the authentication is considered unsuccessful.

4. An identity authentication system based on certificateless technology according to claim 1 or 2, characterized in that: The aforementioned pre-services specifically include: Terminal information collection component: used to receive the terminal device ID, operating system ID, and SIM card ID information sent by the terminal SDK; Key distribution component: used to distribute public parameters (params) and a portion of the terminal device's private key (PPK); Data proxy component: Used to proxy and forward information exchanged between the terminal SDK, device center, and key.

5. An identity authentication system based on certificateless technology according to claim 1 or 2, characterized in that: The equipment center specifically includes: Device registration component: Used for device lifecycle management, including at least one of the following: device registration, modification, or deletion; Device management component: Used for device status management, including at least one of the following: device online or offline.

6. An identity authentication system based on certificateless technology according to claim 1 or 2, characterized in that: The key center specifically includes: Key generation component: used to generate system keys, including: public parameters params, master key MSK and partial private key PPK of terminal devices; Parameter publishing component: Used to send public parameters (params) and part of the terminal device's private key (PPK) to the public network side.

7. A working method for an identity authentication system based on certificate-free technology, characterized in that: Includes the following steps: Step 1: The key center generates publicly available parameters (params) and a private master key (MSK), and publishes the publicly available parameters (params) in the key publishing component of the front-end service; Step 2: The device center communicates with the terminal SDKs on terminal device A and terminal device B through the front-end service to obtain the ID information of terminal device A and terminal device B respectively, and registers terminal device A and terminal device B; the device center coordinates with the terminal SDKs on terminal device A and terminal device B to generate terminal IDs for terminal device A and terminal device B, and saves the terminal IDs of terminal device A and terminal device B in the device center; Step 3: The key center obtains the terminal IDs of terminal device A and terminal device B from the device center, and generates partial private keys PPK for terminal device A and terminal device B respectively based on the terminal IDs and master key MSK, and publishes them in the key distribution component of the front-end service. Step 4: The terminal SDK on terminal device A obtains the public parameter params and a portion of the private key PPK of terminal device A from the key distribution component of the front-end service, and generates the secret value xID of terminal device A using the public parameter params, the portion of the private key PPK of terminal device A, and the terminal ID of terminal device A. Step 5: The terminal SDK on terminal device A generates the public key PKID of terminal device A using the secret value xID of terminal device A, the public parameter params, and the terminal ID of terminal device A. Step 6: The terminal SDK on terminal device A generates a random message M, and signs the random message M using the secret value xID of terminal device A, the public parameter params, the terminal ID of terminal device A, and part of the private key PPK of terminal device A, thus generating the signature of random message M. Step 7: The terminal SDK on terminal device A packages the public key PKID of terminal device A, the random message M, and the signature of the random message M to generate the authentication information auth of terminal device A. Step 8: The terminal SDK on terminal device B obtains the public parameter params and part of the private key PPK of terminal device B from the key distribution component of the front-end service, and generates the secret value xID of terminal device B through the public parameter params, part of the private key PPK of terminal device B, and terminal ID of terminal device B. Step 9: The terminal SDK on terminal device B generates the public key PKID of terminal device B using the secret value xID, public parameter params, and terminal ID of terminal device B. Step 10: The terminal SDK on terminal device B generates a random message M, and signs the random message M using the secret value xID, public parameter params, terminal ID of terminal device B, and part of the private key PPK of terminal device B, thus generating the signature of random message M. Step 11: The terminal SDK on terminal device B packages the public key PKID of terminal device B, random message M, and the signature of random message M to generate the authentication information auth of terminal device B. Step 12: The terminal SDK on terminal device A sends the authentication information (auth) of terminal device A to the terminal SDK on terminal device B, and the terminal SDK on terminal device B sends the authentication information (auth) of terminal device B to the terminal SDK on terminal device A. Step 13: The terminal SDK on terminal device A extracts the signature information from the authentication information auth of terminal device B and verifies the signature information. If the verification is successful, the identity verification is considered successful; if the verification fails, the identity verification is considered unsuccessful. Step 14: The terminal SDK on terminal device B extracts the signature information from the authentication information auth of terminal device A and verifies the signature information. If the verification is successful, the identity verification is considered successful; if the verification fails, the identity verification is considered unsuccessful.

8. The working method according to claim 7, characterized in that: Also includes: Step 15: After both terminal device A and terminal device B have passed the other party's verification, terminal device A and terminal device B establish a connection; Step 16: If either terminal device A or terminal device B fails to pass the other's verification, terminal device A and terminal device B will close the connection.

9. The working method according to claim 7 or 8, characterized in that: The device center coordinates with the terminal SDKs on terminal device A and terminal device B to generate terminal IDs for terminal device A and terminal device B, specifically including: Step a: The terminal SDK collects terminal information from terminal device A and terminal device B, including: device information, operating system information, and SIM card information; Step b: The terminal SDK communicates with the device center through the data proxy component of the front-end service. The terminal SDK and the device registration component of the device center negotiate a random number. Step c: The terminal SDK generates corresponding IDs from the collected terminal information, namely device ID, operating system ID, and SIM card ID, and uploads the generated three types of IDs to the device registration component; Step d: The terminal SDK and device center use an algorithm to generate a terminal ID from the three types of IDs and a random number. The terminal ID serves as the unique identifier for the terminal device. Step e: The device registration component transmits the generated terminal ID to the device management component for management.

10. The working method according to claim 7 or 8, characterized in that: Step 13 specifically includes: The terminal SDK on terminal device A extracts the signature of random message M, random message M, and public key PKID of terminal device B from the authentication information auth of terminal device B through the public parameter params. It then verifies the signature of random message M based on random message M and public key PKID of terminal device B. If the verification is successful, the authentication is considered successful; otherwise, the authentication is considered unsuccessful.

11. The working method according to claim 7 or 8, characterized in that: Step 14 specifically includes: The terminal SDK on terminal device B extracts the signature of random message M, random message M, and public key PKID of terminal device A from the authentication information auth of terminal device A through the public parameter params. It then verifies the signature of random message M based on random message M and public key PKID of terminal device A. If the verification is successful, the authentication is considered successful; otherwise, the authentication is considered unsuccessful.