Disclosure of Invention
The technical problem to be solved by the invention is to provide an RFID authentication method, wherein a server and a reader communicate in a block grid, and each server in the block grid only responds to an authentication request transaction corresponding to a first server serial number which is the same as the serial number of the server, so that decentralization is realized, and the efficiency of RFID authentication is improved.
The invention also provides an RFID authentication device for ensuring the realization and application of the method in practice.
An RFID authentication method is applied to a server, and the method comprises the following steps:
when an authentication request transaction sent by a reader is monitored, verifying signature information in the authentication request transaction by using a pre-acquired reader public key corresponding to the reader;
when the verification is passed, acquiring a hash pointer pointing to the last request transaction in the authentication request transaction, and judging whether the authentication request transaction is the latest transaction of the reader or not according to the hash pointer pointing to the last request transaction;
if the authentication request transaction is the latest transaction of the reader, acquiring a first server serial number in the authentication request transaction;
judging whether the first server serial number is consistent with the self serial number of the server;
if the authentication request information and the reader random number are consistent, acquiring the authentication request information and the reader random number in the authentication request transaction, and judging whether a label identity information corresponding to the authentication request information and the reader random number, a label identity information corresponding to the label identity information and a secret value corresponding to the label identity information exist in a pre-constructed database; the secret value is a first secret value or a second secret value, and a plurality of label identity information, and a first secret value and a second secret value corresponding to each label identity information are stored in the database;
if the authentication request information, the reader random number, the corresponding tag identity information and the secret value corresponding to the tag identity information exist in the pre-constructed database, judging whether the reader requests the same tag identity information and the secret value corresponding to the tag identity information;
if the reader does not request the same tag identity information and the secret value corresponding to the tag identity information, generating authentication response information according to the tag identity information and the secret value corresponding to the tag identity information, and generating an authentication response transaction corresponding to the authentication request transaction according to the authentication response information;
and broadcasting the authentication response transaction to other servers and the reader, and updating the secret value corresponding to the tag identity information in the database according to the timestamp in the authentication request information.
Optionally, the updating the secret value corresponding to the tag identity information in the database includes:
judging whether the secret value corresponding to the tag identity information is a second secret value in the database or not according to a timestamp in the authentication request information;
if the secret value corresponding to the tag identity information is a second secret value in the database, performing hash calculation on the tag identity information and a second secret value corresponding to the tag identity information according to a preset first hash calculation formula to obtain a new second secret value, updating the second secret value into a new second secret value, and updating the first secret value in the database into the second secret value;
and if the secret value corresponding to the tag identity information is not the second secret value in the database, performing hash calculation on the tag identity information and the secret value corresponding to the tag identity information according to a preset first hash calculation formula to obtain a new second secret value, and updating the second secret value in the database to the new second secret value.
The above method, optionally, further includes:
when authentication response transactions of other servers are monitored, traversing the pre-constructed database, and judging whether label identity information corresponding to the authentication response transactions of the other servers and a secret value corresponding to the label identity information exist in the database;
and if the authentication response transaction does not exist, correspondingly updating the pre-constructed database according to the tag identity information in the authentication response transaction of the other server and the secret value corresponding to the tag identity information.
Optionally, the method further includes, before acquiring the authentication request information in the authentication request transaction, that:
judging whether a hash pointer pointing to the last request transaction in the authentication request transaction is consistent with a hash pointer pointing to the last request transaction, which is stored in advance and corresponds to the reader;
if the two-flower attacks are consistent, the reader is judged to have the double-flower attack, and the authentication request transaction responding to the reader is refused.
An RFID authentication device applied to a server, the device comprising:
the verification unit is used for verifying signature information in the authentication request transaction by using a pre-acquired reader public key corresponding to the reader when the authentication request transaction sent by the reader is monitored;
the first judgment unit is used for acquiring a hash pointer pointing to the last request transaction in the authentication request transaction when the authentication is passed, and judging whether the authentication request transaction is the latest transaction of the reader or not according to the hash pointer pointing to the last request transaction;
the first acquisition unit is used for acquiring a first server serial number in the authentication request transaction if the authentication request transaction is the latest transaction of the reader;
a second judging unit, configured to judge whether the first server serial number is consistent with a self serial number of the server;
a third judging unit, configured to, if the authentication request information and the reader random number are consistent, obtain authentication request information and a reader random number in the authentication request transaction, and judge whether a secret value corresponding to the tag identity information and tag identity information, corresponding to the authentication request information and the reader random number, exist in a pre-constructed database; the secret value comprises a first secret value or a second secret value, a plurality of label identity information, and a first secret value and a second secret value corresponding to each label identity information are stored in the database;
a fourth determining unit, configured to determine whether the reader has requested the same tag identity information and a secret value corresponding to the tag identity information if the tag identity information corresponding to the authentication request information and the secret value corresponding to the tag identity information exist in the pre-constructed database;
a first generating unit, configured to generate authentication response information according to the tag identity information and a secret value corresponding to the tag identity information if the same tag identity information and a secret value corresponding to the tag identity information are not requested by the reader, and generate an authentication response transaction corresponding to the authentication request transaction according to the authentication response information;
and the first updating unit is used for broadcasting the authentication response transaction to each server and the reader and updating the secret value corresponding to the tag identity information in the database according to the time stamp in the authentication request information.
An RFID authentication method is applied to a reader, and comprises the following steps:
sending a communication request to the tag; the communication request comprises a reader random number which is randomly generated;
when an authentication request corresponding to the communication request fed back by the tag is received, acquiring authentication request information in the authentication request;
performing hash calculation on the authentication request information according to a preset second hash calculation formula to obtain a hash value of the authentication request information, and performing modulo operation on the hash value of the authentication request information and the total number of the servers obtained in advance to obtain a first numerical value;
judging whether a server serial number corresponding to the first numerical value exists in a pre-constructed requested server list or not;
if the first numerical value does not exist, determining the first numerical value as a first server serial number, and storing the first server serial number into the requested server list;
signing the hash value of the authentication request information by using a preset reader private key to obtain signature information corresponding to the authentication request information and obtain a hash pointer pointing to the last request transaction of the reader;
generating an authentication request transaction corresponding to the authentication request according to the hash pointer pointing to the last request transaction, the authentication request information, the reader random number, the first server serial number and the signature information, and broadcasting the authentication request transaction to each server;
judging whether an authentication response transaction corresponding to the authentication request transaction is monitored within a preset time;
if the authentication response transaction corresponding to the authentication request transaction is monitored within the preset time, the authentication response information in the authentication response transaction is extracted, and the authentication response information is sent to the tag.
Optionally, the method further includes, in the determining, whether the authentication response transaction corresponding to the authentication request transaction is monitored within a preset time, that:
and if the authentication response transaction corresponding to the authentication request transaction is not received within the preset time, sending the communication request to the tag again.
An RFID authentication device applied to a reader, the device comprising:
a request unit for sending a communication request to the tag; the communication request comprises a reader random number which is randomly generated;
the second acquisition unit is used for acquiring authentication request information in the authentication request when receiving the authentication request corresponding to the communication request fed back by the label;
the computing unit is used for carrying out Hash computation on the authentication request information according to a preset second Hash computation formula to obtain a Hash value of the authentication request information, and carrying out modular operation on the Hash value of the authentication request information and the total number of the servers obtained in advance to obtain a first numerical value;
a fifth judging unit, configured to judge whether a server serial number corresponding to the first numerical value exists in a pre-constructed requested server list;
the storage unit is used for determining the first numerical value as a first server serial number if the first numerical value does not exist, and storing the first server serial number into the requested server list;
the signature unit is used for signing the hash value of the authentication request information by using a preset reader private key, obtaining signature information corresponding to the authentication request information and obtaining a hash pointer of the reader pointing to the last request transaction;
a second generating unit, configured to generate an authentication request transaction corresponding to the authentication request according to the hash pointer pointing to the previous request transaction, the authentication request information, the reader random number, the first server serial number, and the signature information, and broadcast the authentication request transaction to each server;
a sixth judging unit, configured to judge whether an authentication response transaction corresponding to the authentication request transaction is monitored within a preset time;
and the first sending unit is used for extracting authentication response information in the authentication response transaction and sending the authentication response information to the tag if the authentication response transaction corresponding to the authentication request transaction is monitored within preset time.
An RFID authentication method applied to a tag, the method comprising:
when a communication request of a reader is received, a random number of the reader in the communication request is obtained;
acquiring a timestamp of the tag, tag identity information and a secret value of the tag, generating authentication request information according to the timestamp, the tag identity information and the secret value of the tag and the random number of the reader, and sending an authentication request to the reader based on the authentication request information;
when authentication response information corresponding to the authentication request fed back by the reader is received, a secret value corresponding to the tag identity information in the authentication response information is obtained;
comparing a secret value corresponding to the tag identity information in the authentication response information with a secret value of the tag;
and if the comparison is consistent, performing hash calculation on the tag identity information of the tag and the secret value of the tag through authentication of the reader and establishment of communication with the reader and a preset third hash calculation formula to obtain a new secret value of the tag, and updating the secret value of the tag to the new secret value of the tag.
An RFID authentication device applied to a tag, the device comprising:
the third acquisition unit is used for acquiring the random number of the reader in the communication request when the communication request of the reader is received;
a second sending unit, configured to obtain a timestamp of the tag, tag identity information and a secret value of the tag, generate authentication request information according to the timestamp, the tag identity information and the secret value of the tag, and the reader random number, and send an authentication request to the reader based on the authentication request information;
a fourth obtaining unit, configured to obtain, when receiving authentication response information corresponding to the authentication request and fed back by the reader, a secret value corresponding to the tag identity information in the authentication response information;
the comparison unit is used for comparing a secret value corresponding to the label identity information in the authentication response information with a secret value of the label;
and the second updating unit is used for carrying out hash calculation on the tag identity information of the tag and the secret value of the tag through a preset third hash calculation formula to obtain a new secret value of the tag and updating the secret value of the tag into the new secret value of the tag if the comparison is consistent.
Compared with the prior art, the invention has the following advantages:
the invention provides an RFID authentication method, which comprises the following steps: when the server monitors that the authentication request transaction broadcasted by the reader exists in the block lattice, the server firstly judges whether the format of the authentication request transaction is correct, namely whether the signature information of the authentication request transaction is correct and whether the authentication request transaction is the latest transaction of the reader, if the format of the authentication request transaction is correct, whether the serial number of a first server of the authentication request transaction is consistent with the serial number of the server, if so, the authentication request transaction is the response of the server, and when the tag identity information corresponding to the authentication request information and the random number of the reader in the authentication request transaction and the secret value corresponding to the tag identity information exist in the database, the database is traversed to judge whether the reader has requested the tag identity information corresponding to the current authentication request information and the secret value corresponding to the tag identity information, and if not, generating authentication response information corresponding to the authentication request information, generating an authentication response transaction according to the authentication response information, broadcasting the authentication response transaction to the reader and other servers to realize synchronization of all servers in the block lattice, and updating a secret value corresponding to the tag identity information in the database according to a timestamp in the authentication request information. By applying the RFID authentication method provided by the invention, the servers and the reader communicate in the block grids, and each server in the block grids only responds to the authentication request transaction corresponding to the first server serial number which is the same as the serial number of the server, so that decentralization is realized, and the efficiency of RFID authentication is improved.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention is operational with numerous general purpose or special purpose computing device environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multi-processor apparatus, distributed computing environments that include any of the above devices or equipment, and the like.
The server and the reader provided by the embodiment of the invention communicate through the block lattice, the block lattice is a directed acyclic graph data structure in a block chain technology, and compared with the traditional block chain technology, the block lattice structure can process transactions in parallel and has the characteristics of high throughput and high delay tolerance.
The embodiment of the invention provides an RFID authentication method, which can be applied to various system platforms, wherein an execution main body of the method can be a server, and a flow chart of the RFID authentication method is shown in figure 1 and specifically comprises the following steps:
s101: judging whether the signature information in the authentication request transaction is correct or not;
in the method provided by the embodiment of the invention, when the authentication request transaction sent by the reader is monitored, the signature information in the authentication request transaction is verified to be correct by using the pre-acquired reader public key corresponding to the reader, if the signature information is verified to be correct, the step S102 is executed, and if the signature information is verified to be incorrect, namely the verification is not passed, the transaction is ended.
S102: judging whether the authentication request transaction is the latest transaction of the reader;
in the method provided by the embodiment of the invention, when the server passes signature authentication of the authentication request transaction, the hash pointer pointing to the last request transaction in the authentication request transaction is obtained, whether the authentication request transaction is the latest transaction of the reader is judged according to the hash pointer pointing to the last request transaction, if the authentication request transaction is the latest transaction of the reader, the step S103 is executed, and if the authentication request transaction is not the latest transaction of the reader, the transaction is ended.
It should be noted that, the signature information of the authentication request transaction and whether the transaction is the latest transaction are verified, and whether the format of the transaction is correct is verified, when the signature information in the authentication request transaction is correct and the transaction is the latest transaction of the reader, the format of the authentication request transaction is determined to be correct and passes the verification, otherwise, the format of the authentication request transaction is determined to be incorrect and the transaction is discarded.
It should be noted that the reader stores a hash pointer for each transaction, and the current transaction must be concatenated to the latest transaction.
S103: acquiring a first server serial number in an authentication request transaction;
in the method provided by the embodiment of the invention, if the authentication request transaction is the latest transaction of the reader, the first server serial number in the authentication request transaction is acquired.
S104: judging whether the sequence number of the first server is consistent with the sequence number of the server;
in the method provided by the embodiment of the invention, whether the first server serial number is consistent with the self serial number of the server is judged according to the acquired first server serial number, namely whether the authentication request transaction requires the self-response of the server is checked, if the first server serial number is consistent with the self serial number of the server, the authentication request transaction requires the self-response of the server, and the step S105 is executed; and if the first server serial number is consistent with the self serial number of the server, the authentication transaction request does not require the self response of the server, and the transaction is ended.
S105: judging whether label identity information corresponding to the authentication request information and the random number of the reader and a secret value corresponding to the label identity information exist in a pre-constructed database;
in the method provided by the embodiment of the invention, the database of the server stores the tag identity information, and a first secret value and a second secret value corresponding to the tag identity information, wherein optionally, the first secret value is an old secret value, and the second secret value is a new secret value; if the first server serial number is consistent with the server self serial number, acquiring authentication request information in the authentication request transaction, acquiring a reader random number in the authentication request, judging whether label identity information corresponding to the authentication request information and the reader random number and a secret value corresponding to the label identity information exist in a pre-constructed database according to the authentication request information and the reader random number, if so, executing the step S106, otherwise, ending the transaction.
S106: judging whether the same label identity information and a secret value corresponding to the label identity information are requested by the reader;
in the method provided by the embodiment of the invention, the database of the server stores the requested tag identity information corresponding to the reader and the secret value corresponding to the tag identity information, if traversing the database, finding the tag identity information corresponding to the current authentication request information of the reader and the secret value corresponding to the tag identity information, then determining that the reader has requested the same tag identity information and the secret value corresponding to the tag identity, and ending the transaction, if not finding the tag identity information corresponding to the current authentication request information of the reader and the secret value corresponding to the tag identity information, then determining that the reader has not requested the same tag identity information and the secret value corresponding to the tag identity information, and storing the tag identity information corresponding to the reader and the secret value corresponding to the tag identity information into the database, and performs step S107.
S107: generating an authentication response transaction;
in the method provided by the embodiment of the invention, when the reader does not request the same tag identity information and the secret value corresponding to the tag identity information, authentication response information is generated according to the tag identity information stored in the server and the secret value corresponding to the tag identity information, and authentication response transaction is generated according to the authentication response information.
S108: and broadcasting the authentication response transaction to the reader and other servers, and updating a secret value corresponding to the tag identity information in the database.
In the method provided by the embodiment of the invention, the authentication response transaction is broadcasted to the block lattice, namely to the reader and other servers, so as to realize the synchronization of the servers; and updating a secret value corresponding to the tag identity information in the database according to the timestamp in the authentication request information.
When the server monitors that the authentication request transaction broadcasted by the reader exists in the block lattice, the server firstly judges whether the format of the authentication request transaction is correct, namely whether the signature information of the authentication request transaction is correct and whether the authentication request transaction is the latest transaction of the reader, if the format of the authentication request transaction is correct, whether the serial number of a first server of the authentication request transaction is consistent with the serial number of the server, if so, the authentication request transaction is the response of the server, and when label identity information corresponding to the authentication request information and the random number of the reader in the authentication request transaction and a secret value corresponding to the label identity information exist in the database, the database judges whether the reader requests label identity information corresponding to the current authentication request information and a secret value corresponding to the label identity information, if the request is passed, the reader is judged to have malicious packet loss, the transaction is ended, if the request is not passed, authentication response information corresponding to the authentication request information is generated, authentication response transaction is generated according to the authentication response information, the authentication response transaction is broadcasted to the reader and other servers, so that synchronization of all servers in the block lattices is realized, and the secret value corresponding to the tag identity information in the database is updated according to the timestamp in the authentication request information. By applying the RFID authentication method provided by the embodiment of the invention, the servers and the reader communicate in the block grid, and each server in the block grid only responds to the authentication request transaction corresponding to the first server serial number which is the same as the serial number of the server, so that decentralization is realized, and the efficiency of RFID authentication is improved.
The above embodiment of the present invention, regarding step S108 disclosed in fig. 1, updating the secret value corresponding to the tag identity information in the database, includes the following steps:
judging whether the secret value corresponding to the tag identity information is a second secret value in the database or not according to a timestamp in the authentication request information;
if the secret value corresponding to the tag identity information is a second secret value in the database, performing hash calculation on the tag identity information and a second secret value corresponding to the tag identity information according to a preset first hash calculation formula to obtain a new second secret value, updating the second secret value into a new second secret value, and updating the first secret value in the database into the second secret value;
and if the secret value corresponding to the tag identity information is not the second secret value, performing hash calculation on the tag identity information and the secret value corresponding to the tag identity information according to a preset first hash calculation formula to obtain a new second secret value, and updating the second secret value to the new second secret value.
In the RFID authentication method provided in the embodiment of the present invention, the secret value of the tag is continuously updated, if the authentication is successful and the secret value is updated in each authentication process, if the authentication is failed, that is, the server feeds back an authentication response transaction, but the reader has a malicious packet loss and does not send the authentication response information to the tag, the secret value of the tag is not updated, but the server does not know whether the tag is successfully updated, so the server stores two secret values corresponding to the identity information of each tag, that is, the first secret value and the second secret value, and can determine whether the secret value corresponding to the authentication request information is the second secret value according to the timestamp in the authentication request information, if the secret value corresponding to the authentication request information is the second secret value, the current secret value representing the tag is updated to be the same as the second secret value, the server updates the first secret value to the second secret value, and performing hash calculation on the tag identity information and the second secret value according to a preset first hash calculation formula to obtain a new second secret value, and updating the second secret value into the new second secret value.
If the secret value corresponding to the authentication request information is the first secret value, the current secret value of the tag is represented to be the secret value same as the first secret value, the server performs hash calculation on the tag identity information and the secret value corresponding to the tag identity information through a preset first hash calculation formula to obtain a new second secret value, the second secret value is updated to be the new second secret value, and the first secret value is kept unchanged.
The above-mentioned process of updating the secret value corresponding to the tag identity information in the database is exemplified as follows:
in a database of a server, if a is a first secret value and B is a second secret value, performing hash calculation on the tag identity information and the second secret value according to a preset first hash calculation formula if the secret value corresponding to the authentication request information is the second secret value to obtain a new second secret value, updating the second secret value to the new second secret value, and updating the first secret value in the database to the second secret value, that is, after the updating, a is the second secret value and B is the new second secret value;
and if the secret value corresponding to the authentication request information is the first secret value, performing hash calculation on the tag identity information and the first secret value according to a preset first hash calculation formula to obtain a new second secret value, and updating the second secret value into the new second secret value, wherein the first secret value is kept unchanged, namely after the updating, A is the first secret value, and B is the new second secret value.
The steps disclosed in fig. 1 of the above embodiment of the present invention further include the following steps:
when authentication response transactions of other servers are monitored, traversing the pre-constructed database, and judging whether label identity information corresponding to the authentication response transactions of the other servers and a secret value corresponding to the label identity information exist in the database;
and if the authentication response transaction does not exist, correspondingly updating the pre-constructed database according to the tag identity information in the authentication response transaction of the other server and the secret value corresponding to the tag identity information.
In the RFID authentication method provided in the embodiment of the present invention, a server in a block structure may process multiple transactions in parallel, and when an authentication response transaction broadcast by another server is monitored, it is determined whether a pre-established database exists, tag identity information corresponding to the authentication response transaction broadcast by another server, and a secret value corresponding to the tag identity information, and if the pre-established database exists, the authentication response transaction is ignored, and if the pre-established database does not exist, the tag identity information in the database and the secret value corresponding to the tag identity information are updated correspondingly according to the tag identity information in the authentication response transaction and the secret value corresponding to what information the tag exists.
Before step S105 disclosed in fig. 1, the embodiment of the present invention further includes the following steps:
judging whether a hash pointer pointing to the last request transaction in the authentication request transaction is consistent with a hash pointer pointing to the last request transaction, which is stored in advance and corresponds to the reader;
if the two-flower attacks are consistent, the reader is judged to have the double-flower attack, and the authentication request transaction responding to the reader is refused.
In the RFID authentication method provided in the embodiment of the present invention, the attack of the malicious reader is a double-flower attack, otherwise the sent transaction is discarded because the format is not satisfied, and when the block lattice is not attacked, the block lattice structure is as shown in fig. 2, and when the block lattice is attacked, that is, the reader generates a block lattice that is, the block lattice is not attacked, and the block lattice structure is as shown in fig. 2When the double-flower attack is performed, as shown in fig. 3, the reader 1 generates the double-flower attack, and two or more transactions exist in the transaction corresponding to the reader 1 and are connected to the same transaction, that is, the authentication request transaction trAnd tr' connect to the same transaction tnThereafter, at this time, the reader 1 transmits an authentication request transaction trAnd trThe hash pointer pointing to the last requested transaction in' is the same hash pointer, since the server 1 has already broadcast the authentication request transaction t to the readerrMake a response so that when the server 1 listens to the authentication request transaction t of the reader 1r' time, it is determined that the reader 1 has a double-flower attack and refuses to respond to the authentication request tr' because of the existence of timing factors, the time of the double-flower attack received by each server in the block lattice is inconsistent, so that when the server 1 detects the double-flower attack, the server 2 does not detect the double-flower attack, and because the server 2 does not detect the double-flower attack of the reader 1, the server 2 does not detect the authentication request transaction t broadcast by the reader 1r' respond as usual, and will transact with the authentication request trThe corresponding authentication response transaction is broadcast to each server, after a period of time, all servers in the block lattice detect the double-flower attack, and the transaction after the reader 1 is not responded any more, so that the resources of the servers are saved.
In the method provided by the embodiment of the present invention, a reader and a server communicate on a block lattice, and with reference to fig. 3, a block lattice structure provided by the embodiment of the present invention is described:
g is a create transaction, tnFor ordinary transactions, trTo request a transaction, taTo answer a transaction, solid arrows indicate connections between transactions and dashed arrows indicate correlations between transactions.
And the creation transaction G is used for initializing the block lattices, storing public key lists of all servers, block lattice parameters such as block lattice names, version numbers and the like in the creation transaction, and carrying out the first transaction in the block lattices in the creation transaction.
Common transaction tnFor opening up reader account numbers or server accounts on block grids orAdding records, wherein the transaction for opening up the reader account or the server account is called a create account transaction, and the create account transaction must be connected to a create transaction.
Request transaction trAnd the reader is used for sending an authentication request, and the authentication request transaction can only be sent by the reader account and needs to be connected to the previous transaction of the reader account.
Answering a transaction taThe method is used for the server to respond to the authentication request transaction, and the response transaction can be only sent by the server account.
And the connection relation is used for judging the sequence of the transactions sent by the same account.
And the correlation relationship is used between the request transaction and the corresponding response transaction and represents the relationship between the logic sequence of the transaction and the time.
It should be noted that, when the server receives a tag adding transaction broadcast by another server, the server determines whether tag information corresponding to the tag adding transaction exists in the database, if so, the server indicates that the server has added corresponding tag information, and ignores the tag adding transaction, and if not, the server stores the tag information in the tag adding transaction, where the tag information includes tag identity information and a secret value corresponding to the tag identity information.
It should be noted that, when the server receives a reader adding transaction broadcast by another server, it is determined whether a reader corresponding to the reader adding transaction is approved, that is, any server signs a public key thereof, and if the reader corresponding to the reader adding transaction is approved, information corresponding to the reader adding transaction is stored.
Corresponding to the method described in fig. 1, an embodiment of the present invention further provides an RFID authentication apparatus, which is used for specifically implementing the method in fig. 1, where the RFID authentication apparatus provided in the embodiment of the present invention may be applied to a server, and a schematic structural diagram of the RFID authentication apparatus is shown in fig. 4, and specifically includes:
the verification unit 401 is configured to verify signature information in an authentication request transaction by using a pre-acquired reader public key corresponding to a reader when the authentication request transaction sent by the reader is monitored;
a first determining unit 402, configured to, when verification passes, obtain a hash pointer pointing to a previous request transaction in the authentication request transaction, and determine whether the authentication request transaction is a latest transaction of the reader according to the hash pointer pointing to the previous request transaction;
a first obtaining unit 403, configured to obtain a first server serial number in the authentication request transaction if the authentication request transaction is the latest transaction of the reader;
a second determining unit 404, configured to determine whether the first server serial number is consistent with a serial number of the server itself;
a third determining unit 405, configured to, if the authentication request information and the reader random number in the authentication request transaction are consistent, obtain authentication request information and a reader random number in the authentication request transaction, and determine whether a secret value corresponding to the authentication request information, the reader random number, corresponding tag identity information, and the tag identity information exists in a pre-constructed database; the secret value comprises a first secret value or a second secret value, a plurality of label identity information, and a first secret value and a second secret value corresponding to each label identity information are stored in the database;
a fourth determining unit 406, configured to determine whether the reader has requested the same tag identity information and the secret value corresponding to the tag identity information if the authentication request information, the reader random number, the corresponding tag identity information, and the secret value corresponding to the tag identity information exist in the pre-established database;
a first generating unit 407, configured to generate, if the same tag identity information and a secret value corresponding to the tag identity information are not requested by the reader, authentication response information according to the tag identity information and the secret value corresponding to the tag identity information, and generate an authentication response transaction corresponding to the authentication request transaction according to the authentication response information;
a first updating unit 408, configured to broadcast the authentication response transaction to each server and the reader, and update the secret value corresponding to the tag identity information in the database according to the timestamp in the authentication request information.
In the RFID authentication apparatus provided in the embodiment of the present invention, when the server monitors that an authentication request transaction broadcasted by a reader exists in a block lattice, the server first determines whether a format of the authentication request transaction is correct, that is, whether signature information of the authentication request transaction is correct, and whether the authentication request transaction is a latest transaction of the reader, if the format of the authentication request transaction is correct, it determines whether a serial number of a first server of the authentication request transaction is consistent with a serial number of the server itself, and if so, the authentication request transaction is a response of the server itself, and when tag identity information corresponding to the authentication request information and a reader random number in the authentication request transaction and a secret value corresponding to the tag identity information exist in the database, the database determines whether the reader has requested traversal of tag identity information corresponding to current authentication request information and a secret value corresponding to the tag identity information, if the request is passed, the reader is judged to have malicious packet loss, the transaction is ended, if the request is not passed, authentication response information corresponding to the authentication request information is generated, authentication response transaction is generated according to the authentication response information, the authentication response transaction is broadcasted to the reader and each server, so that synchronization of each server in the block lattices is realized, and the secret value corresponding to the tag identity information in the database is updated according to the timestamp in the authentication request information. By applying the RFID authentication device provided by the embodiment of the invention, the servers and the reader communicate in the block grid, and each server in the block grid only responds to the authentication request transaction corresponding to the first server serial number which is the same as the serial number of the server, so that decentralization is realized, and the efficiency of RFID authentication is improved.
In an embodiment of the present invention, based on the foregoing scheme, the first updating unit 408 is configured to:
a first judging subunit, configured to judge, according to a timestamp in the authentication request information, whether the secret value corresponding to the tag identity information is a second secret value in the database;
a first updating subunit, configured to, if the secret value corresponding to the tag identity information is a second secret value in the database, perform hash calculation on the tag identity information and a second secret value corresponding to the tag identity information according to a preset first hash calculation formula to obtain a new second secret value, update the second secret value to the new second secret value, and update the first secret value in the database to the second secret value;
and the second updating subunit is configured to, if the secret value corresponding to the tag identity information is not the second secret value in the database, perform hash calculation on the tag identity information and the first secret value corresponding to the tag identity information according to a preset first hash calculation formula to obtain a new second secret value, and update the second secret value in the database to the new second secret value.
In an embodiment of the present invention, based on the foregoing solution, the RFID authentication apparatus may be further configured to:
the second judgment subunit is configured to traverse the pre-established database when authentication response transactions of other servers are monitored, and judge whether tag identity information corresponding to the authentication response transactions of the other servers and a secret value corresponding to the tag identity information exist in the database;
and the third updating subunit is configured to, if the third updating subunit does not exist, correspondingly update the pre-constructed database according to the tag identity information in the authentication response transaction of the other server and the secret value corresponding to the tag identity information.
In an embodiment of the present invention, based on the foregoing solution, the RFID authentication apparatus may be further configured to:
the third judging subunit is configured to judge whether a hash pointer pointing to a previous request transaction in the authentication request transaction is consistent with a hash pointer pointing to the previous request transaction, which is stored in advance and corresponds to the reader;
and the response subunit is used for judging that the reader has double-flower attack if the two-flower attack is consistent with each other and refusing to respond to the authentication request transaction of the reader.
The embodiment of the invention provides an RFID authentication method, which can be applied to various system platforms, wherein an execution main body of the method can be a reader, and a flow chart of the RFID authentication method is shown in FIG. 5, and specifically comprises the following steps:
s501: sending a communication request to the tag;
in the method provided by the embodiment of the invention, the reader randomly generates the random number of the reader and sends a communication request to the tag based on the random number of the reader.
S502: acquiring an authentication request fed back by a label, and acquiring authentication request information in the authentication request;
in the method provided by the embodiment of the invention, when an authentication request corresponding to the communication request and fed back by the tag is received, authentication request information in the authentication request is acquired.
S503: obtaining a first numerical value corresponding to the authentication request information;
in the method provided by the embodiment of the invention, the authentication request information is subjected to hash calculation according to a preset second hash calculation formula to obtain a hash value of the authentication request information, the hash value is a random number, and the hash value of the authentication request information is subjected to modular operation on the total number of the servers obtained in advance to obtain a first numerical value, the first numerical value is a random numerical value, the total number of the servers is obtained when a reader is initialized, the reader initializes and obtains the information of each server and the public and private key pair information of the reader through a created transaction, and the created transaction is used for initializing a block lattice and is the first transaction in the block lattice.
S504: judging whether a server serial number corresponding to the first numerical value exists in the requested server list or not;
in the method provided by the embodiment of the invention, whether a server serial number corresponding to a first numerical value exists in a pre-constructed requested server list is judged, when a reader receives authentication request information of the tag for the first time, the server serial number corresponding to the first numerical value does not exist in the requested server list, only when the reader sends a communication request to the tag again, and a new first numerical value generated according to the authentication request information fed back by the tag possibly exists a server serial number corresponding to the new first numerical value in the requested server list, when the server serial number corresponding to the first numerical value does not exist in the requested server list, step S505 is executed, and if the server serial number corresponding to the first numerical value exists in the requested server list, authentication fails, and authentication is finished.
S505: determining the first numerical value as a first server serial number, signing the hash value of the authentication request information, and acquiring a hash pointer pointing to the last transaction;
in the method provided by the embodiment of the invention, the first numerical value is used as the first server serial number of the requested server to designate the server corresponding to the first server serial number to respond, the first server serial number is stored in the requested server list, the hash value of the authentication request information is signed by the private key of the reader, the signature information corresponding to the authentication request information is obtained, and the hash pointer pointing to the last request transaction of the reader is obtained.
S506: generating authentication request transactions, and broadcasting the authentication request transactions to each server;
in the method provided by the embodiment of the invention, the authentication request transaction corresponding to the authentication request information is generated according to the hash pointer pointing to the last request transaction, the authentication request information, the random number of the reader, the first server serial number and the signature information, and the authentication request transaction is broadcasted to each server.
It should be noted that the generated authentication request transaction needs to be preceded by the latest transaction connected to the reader.
S507: judging whether an authentication response transaction corresponding to the authentication request transaction is monitored within a preset time;
in the method provided by the embodiment of the present invention, a time threshold is set for each authentication request transaction, whether an authentication response transaction corresponding to the authentication request transaction is monitored within the time threshold is determined, if an authentication response transaction corresponding to the authentication request transaction is monitored within the time threshold, step S508 is executed, and if an authentication response transaction corresponding to the authentication request transaction is not monitored within the time threshold, a communication request is re-sent to the tag, and step S501 is executed.
S508: extracting authentication response information in the authentication response transaction, and sending the authentication response information to the tag;
according to the method provided by the embodiment of the invention, when the authentication response transaction corresponding to the authentication request transaction is monitored within the preset time, the authentication response information in the authentication response transaction is extracted, and the authentication response information is assembled into a structure suitable for an RFID protocol and is sent to the tag.
Before the reader communicates with the tag, the reader firstly sends a communication request containing a randomly generated random number of the reader to the tag, extracts authentication request information in the authentication request when receiving an authentication request corresponding to the communication request fed back by the tag, performs hash calculation on the authentication request information to obtain a hash value corresponding to the authentication request information, performs modulo operation on the hash value on the total number of servers to obtain a first numerical value, takes the first numerical value as a first server serial number of a request server when a server serial number which is the same as the first numerical value does not exist in a requested server list, signs the hash value of the requested server with a private key of the reader to obtain signature information corresponding to the authentication request information, and obtains a hash pointer pointing to the previous request transaction in the reader, and generating an authentication request transaction based on the authentication request information, the hash pointer pointing to the last request transaction, the signature information, the first server serial number and the reader random number, broadcasting the authentication request transaction to each server, extracting authentication response information in the authentication response transaction when receiving an authentication response transaction corresponding to the authentication request transaction within preset time, packaging the authentication response information into an RFID protocol structure, and sending the RFID protocol structure to the tag. By applying the RFID authentication method provided by the embodiment of the invention, for each authentication request, the hash calculation is carried out on the authentication request information in the authentication request to obtain a random numerical value, the random numerical value is subjected to the modulo operation on the total number of the servers to obtain the random server serial number, and the servers corresponding to the random server serial number are appointed to respond, instead of uniformly responding by one server, so that the decentralization is realized and the RFID authentication efficiency is improved.
Corresponding to the method described in fig. 5, an embodiment of the present invention further provides an RFID authentication device, which is used for specifically implementing the method in fig. 5, and the RFID authentication device provided in the embodiment of the present invention may be applied to a reader, and a schematic structural diagram of the RFID authentication device is shown in fig. 6, and specifically includes:
a request unit 601, configured to send a communication request to a tag; the communication request comprises a reader random number which is randomly generated;
a second obtaining unit 602, configured to obtain, when an authentication request corresponding to the communication request and fed back by the tag is received, authentication request information in the authentication request;
a calculating unit 603, configured to perform hash calculation on the authentication request information according to a preset second hash calculation formula, to obtain a hash value of the authentication request information, and perform a modulo operation on the hash value of the authentication request information and a total number of pre-obtained servers, to obtain a first value;
a fifth judging unit 604, configured to judge whether a server serial number corresponding to the first numerical value exists in a pre-constructed requested server list;
a storage unit 605, configured to determine the first numerical value as a first server serial number if the first numerical value does not exist, and store the first server serial number in the requested server list;
a signature unit 606, configured to sign the hash value of the authentication request information with a preset reader private key, obtain signature information corresponding to the authentication request information, and obtain a hash pointer of the reader pointing to a previous request transaction;
a second generating unit 607, configured to generate an authentication request transaction corresponding to the authentication request according to the hash pointer pointing to the last request transaction, the authentication request information, the reader random number, the first server serial number, and the signature information, and broadcast the authentication request transaction to each server;
a sixth determining unit 608, configured to determine whether an authentication response transaction corresponding to the authentication request transaction is monitored within a preset time;
a first sending unit 609, configured to extract authentication response information in the authentication response transaction and send the authentication response information to the tag if the authentication response transaction corresponding to the authentication request transaction is monitored within a preset time.
In an embodiment of the present invention, based on the foregoing solution, the RFID authentication apparatus may be further configured to:
and the sending subunit is configured to send the communication request to the tag again if the authentication response transaction corresponding to the authentication request transaction is not received within the preset time.
The embodiment of the invention provides an RFID authentication method, which can be applied to various system platforms, wherein an execution main body of the method can be a label, and a flow chart of the RFID authentication method is shown in FIG. 7 and specifically comprises the following steps:
s701: when a communication request of a reader is received, a random number of the reader in the communication request is obtained;
in the method provided by the embodiment of the invention, when a communication request of the reader is received, the tag needs to authenticate the reader, and the tag firstly acquires the random number of the reader in the communication request.
S702: acquiring a timestamp of the tag, tag identity information and a secret value of the tag, generating authentication request information according to the timestamp, the tag identity information and the secret value of the tag and the random number of the reader, and sending an authentication request to the reader based on the authentication request information;
in the method provided by the embodiment of the invention, the tag identity information of the tag, the secret value of the tag and the timestamp are obtained, the authentication request information is generated according to the tag identity information of the tag, the secret value of the tag, the timestamp and the random number of the reader, and the authentication request is sent to the reader according to the authentication request information.
S703: when authentication response information corresponding to the authentication request fed back by the reader is received, a secret value corresponding to the tag identity information in the authentication response information is obtained;
in the method provided by the embodiment of the invention, whether authentication response information corresponding to an authentication request fed back by a reader is received in preset time is judged, if the authentication response information fed back by the reader is received in the preset time, a secret value corresponding to tag identity information in the authentication response information is obtained, and if the authentication response information fed back by the reader is not received in the preset time, authentication failure is judged, and communication with the reader is refused to be established.
S704: comparing the secret value corresponding to the tag identity information with the secret value of the tag;
in the method provided by the embodiment of the invention, the secret value corresponding to the tag identity information in the acquired authentication response information is compared with the secret value of the tag.
S705: and if the comparison is consistent, performing hash calculation on the tag identity information and the secret value of the tag by authenticating the reader and establishing communication with the reader and through a preset third hash calculation formula to obtain a new secret value of the tag, and updating the secret value of the tag to the new secret value of the tag.
In the method provided by the embodiment of the present invention, when the secret value corresponding to the tag identity information in the authentication response information is the same as the secret value of the tag itself, the reader is authenticated and communication with the reader is established, and hash calculation is performed on the tag identity information and the secret value of the tag itself according to a preset third hash calculation formula, where the third hash calculation formula is the same as the first hash calculation formula, and the new secret value calculated by the third hash calculation formula is the same as the new second secret value calculated by the first hash calculation formula.
The RFID authentication method provided by the embodiment of the invention comprises the steps of sending an authentication request to a reader when receiving a communication request sent by the reader, wherein the authentication request comprises a random number of the reader, label identity information and a secret value of a label, and a timestamp, obtaining the secret value corresponding to the label identity information in authentication response information when receiving authentication response information corresponding to the authentication request fed back by the reader, comparing the secret value corresponding to the label identity information with the secret value of the label, establishing communication with the reader through authentication of the reader if the comparison is consistent, updating the secret value of the label to a new secret value, and carrying out Hash calculation on the label identity information and the secret value of the label according to a preset third Hash calculation formula to obtain the new secret value. By applying the RFID authentication method provided by the embodiment of the invention, the reader is authenticated through the server, so that the reader cannot directly obtain the tag identity information and the secret value of the tag, and information leakage is avoided.
Corresponding to the method described in fig. 7, an embodiment of the present invention further provides an RFID authentication apparatus, which is used for specifically implementing the method in fig. 7, and the RFID authentication apparatus provided in the embodiment of the present invention may be applied to a tag, and a schematic structural diagram of the RFID authentication apparatus is shown in fig. 8, and specifically includes:
a third obtaining unit 801, configured to, when a communication request of a reader is received, obtain a reader random number in the communication request;
a second sending unit 802, configured to obtain a timestamp of the tag, tag identity information and a secret value of the tag, generate authentication request information according to the timestamp, the tag identity information and the secret value of the tag, and the reader random number, and send an authentication request to the reader based on the authentication request information;
a fourth obtaining unit 803, configured to obtain, when receiving authentication response information corresponding to the authentication request and fed back by the reader, a secret value corresponding to the tag identity information in the authentication response information;
a comparing unit 804, configured to compare a secret value corresponding to the tag identity information in the authentication response information with a secret value of the tag itself;
a second updating unit 805, configured to, if the comparison is consistent, perform hash calculation on the tag identity information and the secret value of the tag itself through authentication of the reader and establishment of communication with the reader and a preset third hash calculation formula, to obtain a new secret value of the tag, and update the secret value of the tag itself to the new secret value of the tag.
In the method provided by the embodiment of the present invention, the overall implementation of the RFID authentication method is described, as shown in fig. 9:
the method comprises the steps that a reader sends a communication request containing a reader random number generated at random to a tag, when the tag receives the communication request, the reader random number in the communication request is obtained, tag identity information, a secret value and a time stamp of the tag are obtained, authentication request information is generated according to the reader random number, the time stamp, the tag identity information and the secret value of the tag, and the authentication request information is sent to the reader.
When a reader receives an authentication request sent by a label, performing hash calculation on authentication request information in the authentication request to obtain a hash value of the authentication request information, performing modulo operation on the total number of servers acquired in advance by using the hash value of the authentication request information to obtain a first numerical value corresponding to the authentication request information, when a server serial number corresponding to the first numerical value exists in a requested server list, determining that authentication fails, finishing authentication, when a server serial number corresponding to the first numerical value does not exist in the requested list, using the first numerical value as a first server serial number of a request server, signing the hash value by using a reader private key to obtain signature information, obtaining a hash pointer pointing to a previous request transaction of the reader, and according to the first server serial number, the signature information, the hash pointer pointing to the previous request transaction, The authentication request information and the random number of the reader generate authentication request transaction, the authentication request transaction is connected to the latest transaction of the reader, and the authentication request transaction is broadcasted to each server;
when the server monitors the authentication request transaction of the reader, the server verifies whether the format of the authentication request transaction meets the requirements, namely, the server is firstly used for verifying the signature information in the authentication request transaction by using a reader public key corresponding to the reader, when the verification is passed, whether the authentication request transaction is the latest transaction of the reader is judged according to a pointer pointing to the last request transaction in the authentication request transaction, if so, the format of the authentication request transaction is judged to meet the requirements, and if the serial number of the first server in the authentication request transaction is judged to be consistent with the serial number of the server, whether label identity information corresponding to the authentication request information and the reader random number of the authentication request transaction and a secret value corresponding to the label identity information exist in a database are judged, if so, according to the label identity information in the database and the secret value corresponding to the label identity information, generating authentication response information, generating an authentication response transaction based on the authentication response information, broadcasting the authentication response transaction to a reader, acquiring the authentication response information in the authentication response transaction when the reader monitors the authentication response transaction corresponding to the authentication request transaction, packaging the authentication response information into an RFID protocol format and sending the RFID protocol format to a tag;
when the tag receives authentication response information sent by the reader, a secret value corresponding to the tag identity information in the authentication response information is obtained, the secret value corresponding to the tag identity information is compared with a secret value of the tag, when the comparison is consistent, the communication with the reader is established through the authentication of the reader, the hash calculation is performed on the tag identity information and the secret value of the tag through a preset third hash calculation formula, a new secret value of the tag is obtained, and the secret value of the tag is updated to be the new secret value.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functions of the units may be implemented in the same software and/or hardware or in a plurality of software and/or hardware when implementing the invention.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The RFID authentication method and device provided by the present invention are described in detail above, and the principle and the implementation of the present invention are explained in detail herein by applying specific examples, and the description of the above examples is only used to help understanding the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.