CN119629631A - A mobile terminal security authentication method and system - Google Patents


Info

Publication number: CN119629631A
Authority: CN (China)
Prior art keywords: mobile, mobile terminal, cloud server, certificate, security
Legal status: Pending
Application number: CN202411779482.5A
Other languages: Chinese (zh)
Inventor: 孙厚起
Current assignee: Beijing Zhuogao Technology Co ltd
Original assignee: Beijing Zhuogao Technology Co ltd
Priority date: 2024-12-05
Filing date: 2024-12-05
Publication date: 2025-03-14
Application filed by Beijing Zhuogao Technology Co ltd
Priority to CN202411779482.5A
Publication of CN119629631A
Legal status: pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/08 Access security
    • H04W 12/60 Context-dependent security
    • H04W 12/69 Identity-dependent
    • H04W 12/71 Hardware identity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention proposes a mobile terminal security authentication method and system. In the method, a mobile security client is installed on the mobile terminal; the mobile security client is bound to the EMID information of the mobile terminal and communicates with a cloud server. Using a key splitting technique, the private key of the mobile security client is split into two key factors, which are stored securely on the mobile terminal and on the cloud server respectively. The mobile terminal and the cloud server compute cooperatively, so a complete plaintext private key never exists, which effectively protects the private key of the mobile security client; the digital certificate provides strong identity authentication and secure encryption.

Description

Mobile terminal security authentication method and system
Technical Field
The invention relates to the technical field of network security, in particular to a mobile terminal security authentication method and system.
Background
With the development of mobile communication technology and the accelerating pace of national informatization, working patterns keep moving towards convenience and efficiency. In the mobile Internet era in particular, mobile office work frees people from the office desk, so that work can be done at any time and in any place, fragmented time is put to reasonable use, and office efficiency is greatly improved. Mobile office work has become widespread in Internet companies and new industries, and is favoured in traditional industries and in sectors such as government, public security, fire control, taxation, finance and education.
However, the mobile terminal lacks a corresponding security mechanism to guarantee terminal security: the validity of the user cannot be judged during use, and problems such as illegal users and access by illegal peripherals exist. At the same time, the mobile terminal communicates over a mobile network, so service information is transmitted over the air and sensitive information is at risk of being leaked or tampered with in transit. The mobile working mode therefore poses new challenges for maintaining the integrity, timeliness and accuracy of information transmitted over wireless networks. To support the development of mobile office work and actual operations, service access must be realized through an effective security mechanism while ensuring the security of the information communication network. The mobile terminal uses a mobile security client to authenticate and encrypt for mobile terminal personnel, but this usually needs to work together with a hardware cryptographic module such as a TF card or film card to protect the mobile terminal's private key. Such hardware cryptographic modules must be installed in the mobile terminal, which brings problems of external device installation, inconvenience, difficult popularization and high cost.
Disclosure of Invention
In order to overcome the defects in the prior art, the invention aims to provide a mobile terminal security authentication method and a system.
In order to achieve the above object of the present invention, the present invention provides a mobile terminal security authentication method, comprising the steps of:
installing a mobile security client on the mobile terminal, wherein the mobile security client is bound to the international mobile equipment identification code (EMID) information of the mobile terminal and communicates with a cloud server;
generating a client signing key factor at the mobile security client, and requesting the cloud server to generate a cloud server signing key factor; the mobile security client generates a client digital signature using the client signing key factor and sends it to the cloud server; the cloud server generates a cloud server digital signature using the cloud server signing key factor;
the mobile security client applies to the digital certificate authentication system for a signing key certificate and an encryption key certificate, and performs mutual identity authentication with the cloud server based on the signing key certificate, the encryption key certificate and the digital signature.
In this mobile terminal security authentication method, a key splitting technique is used: the two split key factors are stored securely on the mobile terminal and on the cloud server respectively, the mobile terminal and the cloud server compute cooperatively, and a complete plaintext key never appears, which effectively protects the private key of the mobile security client; the digital certificate provides strong identity authentication and secure encryption.
In an optional scheme of the method, the mobile security client applies to the digital certificate authentication system for a signature certificate and an encryption certificate; the application is forwarded through the cloud server, the signature certificate is bound using the EMID of the mobile terminal, and the signing key certificate and encryption key certificate obtained are stored in the back-end system of the mobile security client.
In an optional scheme of the method, when forwarding the signing key certificate and the encryption key certificate of the mobile security client, the cloud server also keeps a copy and binds it with the EMID to obtain the cloud server signing key certificate;
when the mobile security client performs mutual authentication with the cloud server,
the cloud server verifies the digital signature using the signing key certificate of the mobile security client, verifies the certificate chain from the root certificate issued by the superior CA authentication center down to the mobile security client, and verifies the EMID information of the mobile terminal;
the mobile security client verifies the identity of the cloud server, verifies the certificate chain from the root certificate issued by the CA authentication center down to the cloud server, and verifies the signing key certificate of the cloud server.
In an optional scheme of the method, for the mobile security client to verify the identity of the cloud server, the cloud server first has its root certificate issued by the CA authentication center, the root certificate of the cloud server is then imported into the mobile security client, and the root certificate of the cloud server is verified using the root certificate held by the mobile security client.
The application also provides a mobile terminal service data transmission method, in which mobile security client identity authentication is performed based on the mobile terminal security authentication method described above;
after the verification is passed, the encryption key certificate and the encryption certificate are used to establish a bidirectional national cryptographic SSL secure channel between the mobile security client and the VPN gateway system.
The mobile terminal service data transmission method provides reliable identity authentication and channel encryption for mobile terminal equipment without additional hardware, effectively ensures the identity authentication, data confidentiality and data integrity of the mobile terminal, and secures the transmission of service data.
Optionally, the service system client transmits service data through the bidirectional national cryptographic SSL secure channel; the data transmitted in the channel is ciphertext, the ciphertext is decrypted at the back end of the VPN gateway system to obtain plaintext, and the plaintext data is passed to the background system of the service system.
The application also provides a mobile terminal security authentication system, which comprises:
a mobile terminal;
a mobile security client installed on the mobile terminal and bound to the EMID information of the mobile terminal;
a cloud server communicating with the mobile security client;
a digital certificate authentication system for generating a signing key certificate and an encryption key certificate for the mobile security client;
the mobile terminal, the mobile security client, the cloud server and the digital certificate authentication system execute the mobile security client identity authentication step according to the mobile terminal security authentication method, so as to perform security authentication of the mobile terminal.
The mobile terminal security authentication system can provide reliable identity authentication for mobile terminal equipment without additional hardware, and effectively protects the private key of the mobile security client.
The application also provides a mobile terminal service data transmission system, which comprises the mobile terminal security authentication system, a VPN gateway system and a service system;
after the mobile terminal security authentication system performs mobile terminal security authentication and the authentication passes, the mobile security client establishes a bidirectional national cryptographic SSL secure channel with the VPN gateway system using the encryption key and the encryption certificate, and the service system transmits service data with the mobile terminal through that channel.
The mobile terminal service data transmission system can provide reliable identity authentication and channel encryption for mobile terminal equipment without additional hardware, effectively ensures the identity authentication, data confidentiality and data integrity of the mobile terminal, and secures the transmission of service data.
The beneficial effects of the invention are as follows:
the invention uses a key splitting technique to protect the private key of the mobile security client, and realizes strong identity authentication and data encryption protection for the mobile security client based on digital certificates; it is therefore highly secure, convenient to use, easy to popularize and low in cost, and works well in practice.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the invention will become apparent and may be better understood from the following description of embodiments taken in conjunction with the accompanying drawings in which:
FIG. 1 is a schematic logic diagram of the second embodiment;
FIG. 2 is a network deployment diagram of the fourth embodiment.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative only and are not to be construed as limiting the invention.
In the description of the present invention, unless otherwise specified and defined, it should be noted that the terms "mounted," "connected," and "coupled" are to be construed broadly, and may be, for example, mechanical or electrical, or may be in communication with each other between two elements, directly or indirectly through intermediaries, as would be understood by those skilled in the art, in view of the specific meaning of the terms described above.
Example 1
The first embodiment provides a mobile terminal security authentication method, which includes the following steps:
installing a mobile security client on the mobile terminal (such as a mobile phone or tablet computer), wherein the mobile security client is bound to the international mobile equipment identification code EMID of the mobile terminal, which is the unique ID of the terminal, and communicates with the cloud server. A mobile terminal carrying the mobile security client can cross the network boundary and access the network of the service system for data transmission.
The private key of the mobile security client is protected with a key splitting mechanism that splits it into two key factors: when the mobile security client is initialized, it generates the client signing key factor and at the same time sends a request to the cloud server, which generates the cloud server signing key factor.
When the mobile security client is initialized, it also applies to the digital certificate authentication system for a signature certificate and an encryption certificate; the application is forwarded through the cloud server, the signature certificate is bound using the EMID of the mobile terminal, and the signing key certificate and encryption key certificate obtained are stored in the mobile security client back-end system.
The mobile security client generates a client digital signature using the client signing key factor and sends it to the cloud server; the cloud server generates a cloud server digital signature using the cloud server signing key factor, and the client digital signature and the cloud server digital signature are combined into one complete digital signature.
Based on the signing key certificate, the encryption key certificate and the digital signature, the mobile security client and the cloud server verify each other's identity. The cloud server verifies the digital signature using the signing key certificate of the mobile security client, verifies the certificate chain from the root certificate issued by the superior CA authentication center down to the mobile security client, verifies the EMID information of the mobile terminal, and so on; the certificate chain check establishes whether the user certificate at the current level was issued by a legitimate authority at the level above. The mobile security client in turn verifies the identity of the cloud server: the cloud server first has its root certificate issued by the CA authentication center, that root certificate is then imported into the mobile security client and verified against the root certificate held by the mobile security client, the certificate chain from the CA authentication center's root certificate down to the cloud server is verified, and the cloud server signing key certificate is verified. When both sides have verified each other, the security authentication of the mobile terminal passes.
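The key splitting and collaborative signing of this embodiment can be made concrete with a worked example. The code below is an added illustration, not the patent's or the applicant's code: it implements one common two-party SM2 construction (assumed here, since the patent does not give its equations) in which the client factor d1 and the cloud factor d2 are multiplicative shares, the public key is (d1·d2)^-1·G − G, and a signature is produced by a three-message exchange in which neither side ever sees the other's factor. It then shows the cloud-side check that a signed challenge carries the EMID bound at enrolment. Elliptic-curve arithmetic is written out over the SM2 recommended curve so the example runs without external libraries; SHA-256 stands in for SM3 with the Z_A identity prefix, and the class names, the EMID and the challenge are constructed for the example.

```python
# Added example, not the patent's code: two-party collaborative SM2-style signing in which the
# client factor d1 and the cloud factor d2 are never combined into one private key, plus the
# cloud-side check of the EMID bound at enrolment. Assumptions: these two-party equations,
# SHA-256 standing in for SM3(Z_A || M), and the constructed sample values in demo().
import hashlib
import secrets

# SM2 recommended curve (GB/T 32918.5); affine arithmetic, no external libraries.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # point at infinity

def ec_add(p1, p2):
    """Point addition/doubling on y^2 = x^3 + A*x + B over GF(P)."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def e_of(msg):
    """Digest as an integer; SHA-256 stands in for SM3(Z_A || M) of real SM2 (assumption)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def rand_scalar():
    return secrets.randbelow(N - 1) + 1  # uniform in [1, N-1]

class CloudFactor:
    """Cloud server: holds only key factor d2."""
    def __init__(self):
        self.d2 = rand_scalar()

    def finish_keygen(self, p1):
        # Public key = (d1*d2)^-1 * G - G, so the private key d = (d1*d2)^-1 - 1 is never formed.
        return ec_add(ec_mul(pow(self.d2, -1, N), p1), (G[0], (-G[1]) % P))

    def partial_sign(self, q1, msg):
        k2, k3 = rand_scalar(), rand_scalar()
        q = ec_add(ec_mul(k2, G), ec_mul(k3, q1))  # = (k2 + k3*k1) * G
        r = (e_of(msg) + q[0]) % N
        return r, self.d2 * k3 % N, self.d2 * (r + k2) % N

class ClientFactor:
    """Mobile security client: holds only key factor d1."""
    def __init__(self):
        self.d1 = rand_scalar()

    def start_keygen(self):
        return ec_mul(pow(self.d1, -1, N), G)  # P1 = d1^-1 * G, sent to the cloud

    def sign(self, cloud, msg):
        while True:
            k1 = rand_scalar()
            r, s2, s3 = cloud.partial_sign(ec_mul(k1, G), msg)
            s = (self.d1 * s2 * k1 + self.d1 * s3 - r) % N  # = (1+d)^-1 * (k + r) - r
            if r and s and (r + s) % N:
                return r, s

def sm2_verify(pub, msg, sig):
    """Standard SM2 verification: (e + x(s*G + (r+s)*pub)) mod N == r."""
    r, s = sig
    if not (0 < r < N and 0 < s < N and (r + s) % N):
        return False
    x = ec_add(ec_mul(s, G), ec_mul((r + s) % N, pub))
    return x is not INF and (e_of(msg) + x[0]) % N == r

def cloud_verify_challenge(pub, bound_emid, challenge, claimed_emid, sig):
    """Cloud side: the EMID must equal the one bound at enrolment and the signature
    over challenge || EMID must verify under the client's certified public key."""
    return claimed_emid == bound_emid and sm2_verify(pub, challenge + claimed_emid.encode(), sig)

def demo():
    client, cloud = ClientFactor(), CloudFactor()
    pub = cloud.finish_keygen(client.start_keygen())
    emid, challenge = "EMID-CONSTRUCTED-000001", b"cloud-nonce-constructed-0001"  # constructed samples
    sig = client.sign(cloud, challenge + emid.encode())
    return client, cloud, pub, emid, challenge, sig
```

The signature that comes out of `ClientFactor.sign` is an ordinary SM2 signature, so any relying party (here the cloud server, in a deployment also a VPN gateway) verifies it with the standard algorithm and never learns that the key was split. The factor d1 stays on the terminal and d2 on the cloud server; a compromise of either side alone yields neither the signing key nor the ability to sign, which is the property the patent relies on in place of a TF card or film card. In a real deployment the public key returned by `finish_keygen` would be the one placed in the certificate request forwarded through the cloud server, and `e_of` would be SM3 over Z_A and the message as the SM2 standard requires.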
Example 2
As shown in FIG. 1, this embodiment provides a mobile terminal service data transmission method based on the first embodiment. Specifically, after the mobile security client has completed identity authentication according to the first embodiment and the mobile terminal has passed security authentication, the mobile security client uses the encryption key certificate and the encryption certificate to establish a bidirectional national cryptographic SSL secure channel with the VPN gateway system, which protects the confidentiality and integrity of data in the channel. The service system transmits service data with the mobile terminal through this channel: the service system client sends service data through the bidirectional national cryptographic SSL secure channel, the data in the channel is ciphertext, the ciphertext is decrypted at the back end of the VPN gateway system to obtain plaintext, and the plaintext data is passed to the background system of the service system.
Example 3
This embodiment provides a mobile terminal security authentication system, which comprises a mobile terminal, a mobile security client installed on the mobile terminal and bound to the EMID information of the mobile terminal, a cloud server communicating with the mobile security client, and a digital certificate authentication system for generating a signing key certificate and an encryption key certificate for the mobile security client. The mobile terminal, the mobile security client, the cloud server and the digital certificate authentication system execute the mobile security client identity authentication step according to the mobile terminal security authentication method of the first embodiment, so as to perform security authentication of the mobile terminal.
Example 4
This embodiment provides a mobile terminal service data transmission system, which comprises the mobile terminal security authentication system of the third embodiment, a VPN gateway system and a service system.
After the mobile terminal security authentication system of the third embodiment performs mobile terminal security authentication and the authentication passes, the mobile security client establishes a bidirectional national cryptographic SSL secure channel with the VPN gateway system using the encryption key and the encryption certificate, and the service system transmits service data with the mobile terminal through that channel. Specifically, the service system client sends service data through the bidirectional national cryptographic SSL secure channel, the data in the channel is ciphertext, the ciphertext is decrypted at the back end of the VPN gateway system to obtain plaintext, and the plaintext data is passed to the background system of the service system.
As shown in fig. 2, the digital certificate authentication system, the collaborative signature system and the VPN gateway system are deployed at a network boundary, i.e. an internet cloud platform area, to authenticate and decrypt the mobile security client.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the spirit and scope of the invention as defined by the appended claims and their equivalents.

Claims (8)

1. A mobile terminal security authentication method, characterized by comprising the following steps:
installing a mobile security client on the mobile terminal, wherein the mobile security client is bound to the international mobile equipment identification code EMID information of the mobile terminal and communicates with a cloud server;
generating a client signing key factor at the mobile security client, and requesting the cloud server to generate a cloud server signing key factor; the mobile security client generates a client digital signature using the client signing key factor and sends it to the cloud server; the cloud server generates a cloud server digital signature using the cloud server signing key factor;
the mobile security client applies to the digital certificate authentication system for a signing key certificate and an encryption key certificate, and performs mutual identity authentication with the cloud server based on the signing key certificate, the encryption key certificate and the digital signature.
2. The mobile terminal security authentication method of claim 1, wherein
the mobile security client applies to the digital certificate authentication system for a signature certificate and an encryption certificate, the application is forwarded through the cloud server, the signature certificate is bound using the international mobile equipment identification code EMID of the mobile terminal, and the signing key certificate and the encryption key certificate obtained are stored in a back-end system of the mobile security client.
3. The mobile terminal security authentication method of claim 1, wherein when forwarding the signing key certificate and the encryption key certificate of the mobile security client, the cloud server also keeps a copy and binds it with the international mobile equipment identification code EMID to obtain the cloud server signing key certificate;
when the mobile security client performs mutual authentication with the cloud server,
the cloud server verifies the digital signature using the signing key certificate of the mobile security client, verifies the certificate chain from the root certificate issued by the superior CA authentication center down to the mobile security client, and verifies the international mobile equipment identification code EMID information of the mobile terminal;
the mobile security client verifies the identity of the cloud server, verifies the certificate chain from the root certificate issued by the CA authentication center down to the cloud server, and verifies the signing key certificate of the cloud server.
4. The mobile terminal security authentication method of claim 1, wherein, for the mobile security client to verify the identity of the cloud server, the cloud server first has its root certificate issued by the CA authentication center, the root certificate of the cloud server is then imported into the mobile security client, and the root certificate of the cloud server is verified using the root certificate of the mobile security client.
5. A mobile terminal service data transmission method, characterized in that mobile security client identity authentication is performed based on the mobile terminal security authentication method of any one of claims 1 to 4;
after the verification is passed, a bidirectional national cryptographic SSL secure channel is established between the mobile security client and the VPN gateway system using the encryption key certificate and the encryption certificate;
and the service system transmits service data with the mobile terminal through the bidirectional national cryptographic SSL secure channel.
6. The mobile terminal service data transmission method of claim 5, wherein the service system client transmits service data through the bidirectional national cryptographic SSL secure channel, the data transmitted in the channel is ciphertext, the ciphertext is decrypted at the back end of the VPN gateway system to obtain plaintext, and the plaintext data is transmitted to the back-end system of the service system.
7. A mobile terminal security authentication system, comprising:
a mobile terminal;
a mobile security client installed on the mobile terminal and bound to the EMID information of the mobile terminal;
a cloud server communicating with the mobile security client;
a digital certificate authentication system for generating a signing key certificate and an encryption key certificate for the mobile security client;
wherein the mobile terminal, the mobile security client, the cloud server and the digital certificate authentication system execute the mobile security client identity authentication step according to the mobile terminal security authentication method of any one of claims 1 to 4, so as to perform security authentication of the mobile terminal.
8. A mobile terminal service data transmission system, characterized by comprising the mobile terminal security authentication system of claim 7, a VPN gateway system and a service system;
after the mobile terminal security authentication system performs mobile terminal security authentication and the authentication passes, the mobile security client establishes a bidirectional national cryptographic SSL secure channel with the VPN gateway system using the encryption key and the encryption certificate, and the service system transmits service data with the mobile terminal through the bidirectional national cryptographic SSL secure channel.

Priority Applications (1)

Application number: CN202411779482.5A; priority date: 2024-12-05; filing date: 2024-12-05; title: A mobile terminal security authentication method and system

Publications (1)

CN119629631A (en), published 2025-03-14

Family

ID=94909334; one family application: CN202411779482.5A, pending, published as CN119629631A

Country Status (1)

CN: CN119629631A (en)


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination