SECURITY AUTHENTICATION METHOD AND SYSTEM, AND INTEGRATED CIRCUIT

Abstract

A security authentication method and system, and an integrated circuit are provided, and relate to the field of electronic technologies. The method includes: receiving, by the integrated circuit, an authentication request sent by a test platform, and generating a first random number; sending the first random number to the test platform, so that the test platform sends the first random number to an encryption platform; receiving a random number ciphertext sent by the test platform, where the random number ciphertext is obtained after the encryption platform encrypts the first random number; decrypting the random number ciphertext to obtain a second random number and performing security authentication on the test platform based on the first random number and the second random number.

Claims

1. A security authentication method, comprising: receiving, by an integrated circuit, an authentication request from a test platform, and generating a first random number; sending the first random number to the test platform; receiving a random number ciphertext from the test platform, wherein the random number ciphertext is obtained based on the first random number; obtaining a second random number by decrypting the random number ciphertext; and performing security authentication on the test platform based on the first random number and the second random number.

2. The method according to claim 1, wherein: the authentication request carries a second public key; and generating a first random number comprises: determining a hash value of the second public key, comparing a hash value of a first public key stored by the integrated circuit with the hash value of the second public key, and when the hash value of the first public key is the same as the hash value of the second public key, generating the first random number.

3. The method according to claim 1, wherein performing security authentication on the test platform based on the first random number and the second random number comprises: determining whether the second random number is the same as the first random number; and when the second random number is the same as the first random number, determining that the security authentication on the test platform succeeds, or when the second random number is different from the first random number, determining that the security authentication on the test platform fails.

4. The method according to claim 1, wherein: the authentication request carries a second public key; and obtaining a second random number by decrypting the random number ciphertext comprises: obtaining the second random number by decrypting the random number ciphertext by using the second public key.

5. The method according to claim 1, wherein: the integrated circuit stores the first public key; and obtaining a second random number by decrypting the random number ciphertext comprises: obtaining the second random number by decrypting the random number ciphertext by using the first public key.

6. A security authentication method, comprising: sending, by a test platform, an authentication request to an integrated circuit; receiving, by the integrated circuit, the authentication request, generating a first random number, and sending the first random number to the test platform; receiving, by the test platform, the first random number, and sending the first random number to an encryption platform; receiving, by the encryption platform, the first random number, encrypting the first random number to obtain a random number ciphertext, and sending the random number ciphertext to the test platform; receiving, by the test platform, the random number ciphertext, and sending the random number ciphertext to the integrated circuit; receiving, by the integrated circuit, the random number ciphertext, and decrypting the random number ciphertext to obtain a second random number; and performing, by the integrated circuit, security authentication on the test platform based on the first random number and the second random number.

7. The method according to claim 6, wherein: the authentication request carries a second public key; and generating a first random number comprises: determining, by the integrated circuit, a hash value of the second public key, comparing the hash value of the second public key with a hash value of a first public key stored by the integrated circuit, and when the hash value of the first public key is the same as the hash value of the second public key, generating the first random number.

8. The method according to claim 6, wherein encrypting the first random number to obtain a random number ciphertext comprises: encrypting the first random number by using a stored private key, to obtain the random number ciphertext.

9. The method according to claim 6, wherein: the authentication request carries the second public key; and decrypting the random number ciphertext to obtain a second random number comprises: decrypting, by the integrated circuit, the random number ciphertext by using the second public key, to obtain the second random number.

10. The method according to claim 6, wherein: the integrated circuit stores the first public key; and decrypting the random number ciphertext to obtain a second random number comprises: decrypting, by the integrated circuit, the random number ciphertext by using the first public key, to obtain the second random number.

11. The method according to claim 6, wherein performing, by the integrated circuit, security authentication on the test platform based on the first random number and the second random number comprises: determining whether the second random number is the same as the first random number; and when the second random number is the same as the first random number, determining that the security authentication on the test platform succeeds, or when the second random number is different from the first random number, determining that the security authentication on the test platform fails.

12. An integrated circuit, comprising: a processor; and a memory storing instructions which, when executed by the processor, cause the integrated device to: generate a first random number, send the first random number to a test platform, receive an authentication request from the test platform, and receive a random number ciphertext from the test platform, obtain a second random number by decrypting the random number ciphertext, and perform security authentication on the test platform based on the first random number and the second random number.

13. The integrated circuit according to claim 12, wherein: the memory stores a hash value of a first public key; and to generate a first random number, the instructions, when executed by the processor, cause the integrated device to: determine a hash value of a second public key in the authentication request; compare the hash value of the first public key with the hash value of the second public key; and when the hash value of the first public key is the same as the hash value of the second public key, generate the first random number.

14. The integrated circuit according to claim 12, wherein to perform security authentication on the test platform based on the first random number and the second random number, the instructions, when executed by the processor, cause the integrated device to: determine whether the second random number is the same as the first random number; and when the second random number is the same as the first random number, determine that the security authentication on the test platform succeeds, or when the second random number is different from the first random number, determine that the security authentication on the test platform fails.

15. The integrated circuit according to claim 12, wherein to obtain a second random number by decrypting the random number ciphertext, the instructions, when execute by the processor, cause the integrated device to: obtain the second random number by decrypting the random number ciphertext by using the second public key in the authentication request; or obtain the second random number by decrypting the random number ciphertext by using the first public key stored in the integrated circuit.

16. A security authentication system, comprising: a test platform configured to send an authentication request; an integrated circuit configured to: receive the authentication request, generate a first random number, and send the first random number to the test platform; wherein the test platform is further configured to: receive the first random number, and send the first random number; an encryption platform configured to: receive the first random number, encrypt the first random number to obtain a random number ciphertext, and send the random number ciphertext to the test platform; wherein the test platform is further configured to: receive the random number ciphertext, and send the random number ciphertext to the integrated circuit; and wherein the integrated circuit is further configured to: receive the random number ciphertext, and decrypt the random number ciphertext to obtain a second random number, and perform security authentication on the test platform based on the first random number and the second random number.

17. The system according to claim 16, wherein the integrated circuit is further configured to: determine a hash value of a second public key carried in the authentication request; compare the hash value of the second public key with a hash value of a first public key; and when the hash value of the first public key is the same as the hash value of the second public key, generate the first random number.

18. The system according to claim 16, wherein the encryption platform is further configured to: encrypt the first random number by using a stored private key, to obtain the random number ciphertext.

19. The system according to claim 16, wherein the integrated circuit is further configured to: decrypt the random number ciphertext by using the second public key carried in the authentication request, to obtain the second random number; or decrypt the random number ciphertext by using the stored first public key, to obtain the second random number.

20. The system according to claim 16, wherein the integrated circuit is further configured to: determine whether the second random number is the same as the first random number; and when the second random number is the same as the first random number, determine that the security authentication on the test platform succeeds, or when the second random number is different from the first random number, determine that the security authentication on the test platform fails.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0117] To describe the technical solutions in the embodiments of the present application more clearly, the following briefly describes the accompanying drawings required for describing the embodiments. Apparently, the accompanying drawings in the following description show merely some embodiments of the present application, and a person of ordinary skill in the art may derive other drawings from these accompanying drawings without creative efforts.

[0118] FIG. 1A is a schematic architectural diagram of a security authentication system according to an embodiment of the present application;

[0119] FIG. 1B is a schematic structural diagram of a first integrated circuit according to an embodiment of the present application;

[0120] FIG. 2 is a flowchart of a first security authentication method according to an embodiment of the present application;

[0121] FIG. 3 is a flowchart of a second security authentication method according to an embodiment of the present application;

[0122] FIG. 4 is a flowchart of a third security authentication method according to an embodiment of the present application;

[0123] FIG. 5A is a schematic structural diagram of a second integrated circuit according to an embodiment of the present application;

[0124] FIG. 5B is a schematic structural diagram of a generation module according to an embodiment of the present application;

[0125] FIG. 5C is a schematic structural diagram of an authentication module according to an embodiment of the present application;

[0126] FIG. 5D is a schematic structural diagram of a decryption module according to an embodiment of the present application;

[0127] FIG. 6 is a schematic structural diagram of a security authentication system according to an embodiment of the present application; and

[0128] FIG. 7 is a schematic structural diagram of a third integrated circuit according to an embodiment of the present application.

DETAILED DESCRIPTION

[0129] To make the objectives, technical solutions, and advantages of the present application clearer, the following further describes the implementations of the present application in detail with reference to the accompanying drawings.

[0130] A system architecture of embodiments of the present application is first described before the embodiments of the present application are described in detail. FIG. 1A is a schematic architectural diagram of a security authentication system according to an embodiment of the present application. As shown in FIG. 1, the system includes an integrated circuit 101, a test platform 102, and an encryption platform 103. The integrated circuit 101 may be connected to the test platform 102, and the test platform 102 may be connected to the encryption platform 103 by using a network. The integrated circuit 101 may exchange data with the test platform 102, and the test platform 102 may exchange data with the encryption platform 103 by using the network, so that the integrated circuit 101 completes security authentication on the test platform 102. The test platform may send an authentication request to the integrated circuit. When receiving the authentication request, the integrated circuit may generate a first random number, and send the first random number to the test platform. The test platform sends the first random number to the encryption platform. When receiving the first random number, the encryption platform encrypts the first random number to obtain a random number ciphertext, and returns the random number ciphertext to the test platform. The test platform sends the random number ciphertext to the integrated circuit. When receiving the random number ciphertext, the integrated circuit may decrypt the random number ciphertext to obtain a second random number, and then complete the security authentication on the test platform by using the first random number and the second random number.

[0131] In addition, referring to FIG. 1B, the integrated circuit 101 may include a JTAG hardware security authentication engine 1011, a JTAG port 1012, a memory 1013, a communications bus 1014, a transmitter 1015, and a receiver 1016. The JTAG hardware security authentication engine 1011 is connected to the transmitter 1015 and the receiver 1016 by using the communications bus 1014. The transmitter 1015 and the receiver 1016 are connected to the test platform 102. The JTAG hardware security authentication engine 1011 may serve as a processor of the integrated circuit 101, so that the JTAG hardware security authentication engine 1011 may separately exchange data with the test platform 102 by using the transmitter 1015 and the receiver 1016, to perform the security authentication on the test platform 102. The JTAG hardware security authentication engine 1011 is connected to the JTAG port 1012 by using the communications bus 1014. The JTAG port 1012 is also connected to the memory 1013 by using the communications bus 1014. The memory 1013 stores internal logic of the integrated circuit 101. After determining, by using the JTAG hardware security authentication engine 1011, that the security authentication on the test platform 102 succeeds, the integrated circuit 101 may open the JTAG port 1012 to the test platform 102, so that the test platform 102 may test, by using the JTAG port 1012, the internal logic stored in the memory.

[0132] It should be further noted that the JTAG hardware security authentication engine 1011, the JTAG port 1012, the memory 1013, the communications bus 1014, the transmitter 1015, and the receiver 1016 may be separately burned and fixed into the integrated circuit 101.

[0133] The processor, namely, the JTAG hardware security authentication engine 1011, may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits that are configured to control program execution of the solution of the present application.

[0134] The communications bus 1014 may include a channel in which information is transmitted between the foregoing components.

[0135] The memory 1013 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, or a random access memory (RAM) or another type of dynamic storage device that can store information and instructions; or may be an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or another compact disc storage, an optical disc storage (including a compact disc, a laser disc, an optical disc, a digital versatile disc, a Blu-ray disc, and the like), a disk storage medium or another magnetic storage device, or any other medium that can be used to carry or store expected program code in a form of an instruction or a data structure and that can be accessed by an integrated circuit. However, this is not limited herein. The memory 1013 may independently exist, and is connected to the processor 1011 by using the communications bus 1014. Alternatively, the memory 1013 may be integrated with the processor 1011.

[0136] The transmitter 1015 and the receiver 1016 may be any apparatus like a transceiver, and are configured to communicate with another device or communications network, such as an Ethernet, a radio access network (RAN), or a wireless local area network (WLAN). Optionally, in the present application, the transmitter 1015 and the receiver 1016 may be connected to the other device in a plug-connected manner, so as to implement communication.

[0137] FIG. 2 is a flowchart of a security authentication method according to an example embodiment. Referring to FIG. 2, the method is applied to an integrated circuit, and the method includes the following steps:

[0138] Step 201. An integrated circuit receives an authentication request sent by a test platform, and generates a first random number.

[0139] Step 202. Send the first random number to the test platform, so that the test platform sends the first random number to an encryption platform.

[0140] Step 203. Receive a random number ciphertext sent by the test platform, where the random number ciphertext is obtained after the encryption platform encrypts the first random number.

[0141] Step 204. Decrypt the random number ciphertext to obtain a second random number.

[0142] Step 205. Perform security authentication on the test platform based on the first random number and the second random number.

[0143] In this embodiment of the present application, when receiving the authentication request sent by the test platform, the integrated circuit may generate the first random number, and send the first random number to the test platform. The test platform sends the first random number to the encryption platform. Then, the integrated circuit receives the random number ciphertext obtained after the encryption platform encrypts the first random number, and may decrypt the random number ciphertext to obtain the second random number and perform the security authentication on the test platform by using the first random number and the second random number. A random number generated by the integrated circuit each time is different, and a random number ciphertext received by the integrated circuit is also different. Therefore, an unauthorized user is prevented from cracking the random number ciphertext of the integrated circuit, thereby improving reliability and security of the security authentication.

[0144] Optionally, the integrated circuit stores a hash value of a first public key, and the authentication request carries a second public key.

[0145] Correspondingly, the generating a first random number includes:

[0146] determining a hash value of the second public key;

[0147] comparing the hash value of the first public key with the hash value of the second public key; and

[0148] when the hash value of the first public key is the same as the hash value of the second public key, generating the first random number.

[0149] Optionally, the performing security authentication on the test platform based on the first random number and the second random number includes:

[0150] determining whether the second random number is the same as the first random number;

[0151] when the second random number is the same as the first random number, determining that the security authentication on the test platform succeeds; or when the second random number is different from the first random number, determining that the security authentication on the test platform fails.

[0152] Optionally, the decrypting the random number ciphertext to obtain a second random number includes:

[0153] when the integrated circuit stores the hash value of the first public key, and the authentication request carries the second public key, decrypting the random number ciphertext by using the second public key, to obtain the second random number; or when the integrated circuit stores the first public key, decrypting the random number ciphertext by using the first public key, to obtain the second random number.

[0154] All the foregoing optional technical solutions may be randomly combined to form optional embodiments of the present application, and details are not described herein in this embodiment of the present application.

[0155] FIG. 3 is a flowchart of another security authentication method according to an example embodiment. Referring to FIG. 3, the method includes the following steps:

[0156] Step 301. A test platform sends an authentication request to an integrated circuit.

[0157] Step 302. The integrated circuit receives the authentication request, generates a first random number, and sends the first random number to the test platform.

[0158] Step 303. The test platform receives the first random number, and sends the first random number to an encryption platform.

[0159] Step 304. The encryption platform receives the first random number, encrypts the first random number to obtain a random number ciphertext, and sends the random number ciphertext to the test platform.

[0160] Step 305. The test platform receives the random number ciphertext, and sends the random number ciphertext to the integrated circuit.

[0161] Step 306. The integrated circuit receives the random number ciphertext, and decrypts the random number ciphertext to obtain a second random number.

[0162] Step 307. The integrated circuit performs security authentication on the test platform based on the first random number and the second random number.

[0163] In this embodiment of the present application, when receiving the authentication request sent by the test platform, the integrated circuit may generate the first random number, and send the first random number to the test platform. The test platform sends the first random number to the encryption platform. When receiving the first random number, the encryption platform encrypts the first random number to obtain the random number ciphertext, and returns the random number ciphertext to the test platform. The test platform sends the random number ciphertext to the integrated circuit. When receiving the random number ciphertext, the integrated circuit may decrypt the random number ciphertext to obtain the second random number, and then perform the security authentication on the test platform by using the first random number and the second random number. A random number generated by the integrated circuit each time is different, and a random number ciphertext received by the integrated circuit is also different. Therefore, an unauthorized user is prevented from cracking the random number ciphertext of the integrated circuit, thereby improving reliability and security of the security authentication.

[0164] Optionally, the generating a first random number includes:

[0165] when the authentication request carries a second public key, and the integrated circuit stores a hash value of a first public key,

[0166] determining, by the integrated circuit, a hash value of the second public key;

[0167] comparing the hash value of the second public key with the hash value of the first public key; and

[0168] when the hash value of the first public key is the same as the hash value of the second public key, generating the first random number.

[0169] Optionally, the encrypting the first random number to obtain a random number ciphertext includes:

[0170] encrypting the first random number by using a stored private key, to obtain the random number ciphertext.

[0171] Optionally, the decrypting the random number ciphertext to obtain a second random number includes:

[0172] when the integrated circuit stores the hash value of the first public key, and the authentication request carries the second public key, decrypting, by the integrated circuit, the random number ciphertext by using the second public key, to obtain the second random number; or

[0173] when the integrated circuit stores the first public key, decrypting, by the integrated circuit, the random number ciphertext by using the first public key, to obtain the second random number.

[0174] Optionally, that the integrated circuit performs security authentication on the test platform based on the first random number and the second random number includes:

[0175] determining whether the second random number is the same as the first random number;

[0176] when the second random number is the same as the first random number, determining that the security authentication on the test platform succeeds; or

[0177] when the second random number is different from the first random number, determining that the security authentication on the test platform fails.

[0178] All the foregoing optional technical solutions may be randomly combined to form optional embodiments of the present application, and details are not described herein in this embodiment of the present application.

[0179] FIG. 4 is a flowchart of another security authentication method according to an example embodiment. Referring to FIG. 4, the method includes the following steps.

[0180] Step 401. A test platform sends an authentication request to an integrated circuit.

[0181] After the test platform is connected to the integrated circuit, the test platform may send the authentication request to the integrated circuit.

[0182] It should be noted that when the test platform sends the authentication request to the integrated circuit, the authentication request may carry a second public key, or may not carry a second public key. This is not specifically limited in this embodiment of the present application.

[0183] In addition, the second public key carried in the authentication request may be stored in the test platform, or may be stored in an encryption platform. This is not specifically limited in this embodiment of the present application.

[0184] It should be further noted that, the second public key is stored in the encryption platform, and the encryption platform is kept confidential and can ensure that the second public key is not leaked, improving reliability of security authentication. Therefore, the second public key may be preferentially stored in the encryption platform.

[0185] The second public key may be stored in the encryption platform, or may be stored in the test platform. Therefore, before the test platform sends the authentication request to the integrated circuit, the second public key is stored in the encryption platform, and the test platform may send an obtaining request to the encryption platform. After receiving the obtaining request, the encryption platform may return the second public key to the test platform based on the obtaining request. The second public key may be stored in the test platform, and the test platform may directly send the authentication request to the integrated circuit based on the second public key.

[0186] Step 402. The integrated circuit receives the authentication request, generates a first random number, and sends the first random number to the test platform.

[0187] It should be noted that the integrated circuit may store the first public key, or may store a hash value of the first public key. This is not specifically limited in this embodiment of the present application.

[0188] It should be noted that, in this embodiment of the present application, the hash value of the first public key or the first public key may be burned and fixed into internal space of a JTAG hardware security authentication engine included in the integrated circuit, so as to store the hash value of the first public key or the first public key into the integrated circuit. The internal space may be an electrically programmable fuse, or may be another element. This is not specifically limited in this embodiment of the present application. In addition, after the hash value of the first public key or the first public key is burned and fixed into the internal space of the JTAG hardware security authentication engine included in the integrated circuit, the hash value of the first public key or the first public key cannot be changed, thereby improving security and reliability of performing the security authentication.

[0189] In a possible implementation, when the authentication request does not carry the second public key and the integrated circuit stores the first public key, the integrated circuit may receive the authentication request, and directly generate the first random number.

[0190] In another possible implementation, when the authentication request carries the second public key and the integrated circuit stores the hash value of the first public key, the integrated circuit may determine a hash value of the second public key when receiving the authentication request; compare the hash value of the second public key with the hash value of the first public key; and when the hash value of the first public key is the same as the hash value of the second public key, generate the first random number.

[0191] In the foregoing another possible implementation, because the integrated circuit compares the hash value of the first public key with the hash value of the second public key, further, when the hash value of the first public key is the same as the hash value of the second public key, the integrated circuit generates the first random number. To be specific, a to-be-tested circuit may preliminarily determine the second public key, thereby ensuring the reliability of performing the security authentication.

[0192] In addition, when the hash value of the first public key is different from the hash value of the second public key, the integrated circuit may directly determine that the security authentication fails, and send information indicating the security authentication failure to the test platform, and no subsequent operation is required.

[0193] It should be noted that, for an operation of determining the hash value of the second public key by the integrated circuit, refer to a related technology. Details are not described again in this embodiment of this disclosure.

[0194] Optionally, when the authentication request does not carry the second public key and the integrated circuit stores the hash value of the first public key, the integrated circuit may also receive the authentication request, and directly generate the first random number.

[0195] Optionally, when the authentication request carries the second public key and the integrated circuit stores the hash value of the first public key, the integrated circuit may also receive the authentication request, and directly generate the first random number.

[0196] It should be noted that, the integrated circuit may generate the first random number by using the included JTAG hardware security authentication engine. For an operation of generating the first random number by the integrated circuit, refer to a related technology. Details are not described again in this embodiment of the present application.

[0197] In this embodiment of the present application, the integrated circuit stores the hash value of the first public key, and storage space occupied by the hash value of the first public key is relatively small, thereby saving storage space of the integrated circuit. In addition, the integrated circuit stores the first public key, and the integrated circuit may directly generate the first random number, thereby speeding up subsequent security authentication.

[0198] Step 403. The test platform receives the first random number, and sends the first random number to an encryption platform.

[0199] To ensure security of subsequent authentication, the test platform may further send an identifier authentication request to the encryption platform, and the identifier authentication request may carry an authentication identifier.

[0200] It should be noted that the authentication identifier is used to uniquely identify whether the test platform is a security test platform, and the authentication identifier may be a delivery sequence number, a media access control (MAC) address, and the like of the test platform.

[0201] Step 404. The encryption platform receives the first random number, encrypts the first random number to obtain a random number ciphertext, and sends the random number ciphertext to the test platform.

[0202] The encryption platform may encrypt the first random number by using a stored private key, to obtain the random number ciphertext.

[0203] It should be noted that after the private key is stored in the encryption platform, the private key is not externally presented in a plaintext form. To be specific, in a process of performing the security authentication, the private key cannot be externally presented in the plaintext form, thereby ensuring privacy of the private key, preventing leakage of the private key, and improving the reliability of the security authentication.

[0204] It should be further noted that the encryption platform encrypts the first random number by using the private key. For an operation of obtaining the random number ciphertext, refer to a related technology. Details are not described again in this embodiment of the present application.

[0205] In addition, the test platform may send the identifier authentication request to the encryption platform. Therefore, before encrypting the first random number, the encryption platform may further receive the identifier authentication request, and perform authentication on the authentication identifier carried in the identifier authentication request. When an authentication result is secure, the first random number is encrypted; or when an authentication result is insecure, the first random number is not encrypted.

[0206] Step 405. The test platform receives the random number ciphertext, and sends the random number ciphertext to the integrated circuit.

[0207] When the authentication request does not carry the second public key and the integrated circuit stores the first public key, or the authentication request carries the second public key and the integrated circuit stores the hash value of the first public key, the test platform may directly send the random number ciphertext to the integrated circuit. When the authentication request does not carry the second public key and the integrated circuit stores the hash value of the first public key, the test platform may further send the second public key to the integrated circuit while sending the random number ciphertext to the integrated circuit.

[0208] Step 406. The integrated circuit receives the random number ciphertext, and decrypts the random number ciphertext to obtain a second random number.

[0209] An operation of decrypting the random number ciphertext by the integrated circuit to obtain the second random number may be: when the integrated circuit stores the hash value of the first public key and the authentication request carries the second public key, decrypting the random number ciphertext by using the second public key, to obtain the second random number; or when the integrated circuit stores the first public key, decrypting the random number ciphertext by using the first public key, to obtain the second random number.

[0210] It should be noted that, for an operation of decrypting the random number ciphertext by the integrated circuit by using the first public key, to obtain the second random number, and an operation of decrypting the random number ciphertext by using the second public key, to obtain the second random number, refer to a related technology. Details are not described again in this embodiment of the present application.

[0211] Optionally, when the integrated circuit stores the hash value of the first public key and the integrated circuit receives both the random number ciphertext and the second public key, the integrated circuit may determine the hash value of the second public key; compare the hash value of the first public key with the hash value of the second public key; when the hash value of the first public key is different from the hash value of the second public key, determine that the security authentication fails, and return the information indicating the authentication failure to the test platform; or when the hash value of the first public key is the same as the hash value of the second public key, decrypt the random number ciphertext by using the second public key, to obtain the second random number.

[0212] Optionally, when the integrated circuit stores the hash value of the first public key and the authentication request carries the second public key, but the first random number is directly generated, and authentication is not performed on the second public key, the integrated circuit may determine the hash value of the second public key, and compare the hash value of the first public key with the hash value of the second public key; when the hash value of the first public key is different from the hash value of the second public key, determine that the security authentication fails, and return the information indicating the authentication failure to the test platform; or when the hash value of the first public key is the same as the hash value of the second public key, decrypt the random number ciphertext by using the second public key, to obtain the second random number.

[0213] Step 407. The integrated circuit performs security authentication on the test platform based on the first random number and the second random number.

[0214] An operation of performing the security authentication on the test platform by the integrated circuit based on the first random number and the second random number may be: determining whether the second random number is the same as the first random number; when the second random number is the same as the first random number, determining that the security authentication on the test platform succeeds; or when the second random number is different from the first random number, determining that the security authentication on the test platform fails.

[0215] It should be noted that, a random number generated by the integrated circuit each time is different. Therefore, a plurality of integrated circuits may use a same public key for decryption, and there is no need to set a public key for each integrated circuit. This not only improves the security of the security authentication, but also reduces costs of setting the public key.

[0216] In this embodiment of the present application, when receiving the authentication request sent by the test platform, the integrated circuit may generate the first random number, and send the first random number to the test platform. The test platform sends the first random number to the encryption platform. When receiving the first random number, the encryption platform encrypts the first random number by using the stored private key, to obtain the random number ciphertext, and returns the random number ciphertext to the test platform. The test platform sends the random number ciphertext to the integrated circuit. When receiving the random number ciphertext, if the integrated circuit stores the hash value of the first public key, the integrated circuit decrypts the random number ciphertext by using the second public key, to obtain the second random number, and if the integrated circuit stores the first public key, the integrated circuit may decrypt the random number ciphertext by using the first public key, to obtain the second random number, and perform the security authentication on the test platform by using the first random number and the second random number. The private key is stored in the encryption platform, thereby preventing leakage of the private key and ensuring the security of the security authentication. In addition, the random number generated by the integrated circuit each time is different, and a random number ciphertext received by the integrated circuit is also different. Therefore, the plurality of integrated circuits may use the same public key for decryption, and there is no need to set the public key for each integrated circuit. This not only prevents an unauthorized user from cracking the random number ciphertext of the integrated circuit and improves the security and the reliability of the security authentication, but also reduces the costs of setting the public key.

[0217] FIG. 5A is a schematic structural diagram of an integrated circuit according to an example embodiment. Referring to FIG. 5A, the integrated circuit includes a generation module 501, a sending module 502, a receiving module 503, a decryption module 504, and an authentication module 505.

[0218] The generation module 501 is configured to generate a first random number.

[0219] The sending module 502 is configured to send the first random number to a test platform, so that the test platform sends the first random number to an encryption platform.

[0220] The receiving module 503 is configured to: receive an authentication request sent by the test platform, and receive a random number ciphertext sent by the test platform, where the random number ciphertext is obtained after the encryption platform encrypts the first random number.

[0221] The decryption module 504 is configured to decrypt the random number ciphertext to obtain a second random number.

[0222] The authentication module 505 is configured to perform security authentication on the test platform based on the first random number and the second random number.

[0223] Optionally, referring to FIG. 5B, the integrated circuit stores a hash value of a first public key.

[0224] The generation module 501 includes:

[0225] a first determining unit 5011, configured to determine a hash value of a second public key in the authentication request;

[0226] a comparison unit 5012, configured to compare the hash value of the first public key with the hash value of the second public key; and

[0227] a generation unit 5013, configured to: when the hash value of the first public key is the same as the hash value of the second public key, generate the first random number.

[0228] Optionally, referring to FIG. 5C, the authentication module 505 includes:

[0229] a determining unit 5051, configured to determine whether the second random number is the same as the first random number;

[0230] a second determining unit 5052, configured to: when the second random number is the same as the first random number, determine that the security authentication on the test platform succeeds; and

[0231] a third determining unit 5053, configured to: when the second random number is different from the first random number, determine that the security authentication on the test platform fails.

[0232] Optionally, referring to FIG. 5D, the decryption module 504 includes:

[0233] a first decryption unit 5041, configured to decrypt the random number ciphertext by using the second public key in the authentication request, to obtain the second random number; or

[0234] a second decryption unit 5042, configured to decrypt the random number ciphertext by using the first public key stored in the integrated circuit, to obtain the second random number.

[0235] In this embodiment of the present application, when receiving the authentication request sent by the test platform, the integrated circuit may generate the first random number, and send the first random number to the test platform. The test platform sends the first random number to the encryption platform. Then, when the integrated circuit receives the random number ciphertext obtained after the encryption platform encrypts the first random number by using a stored private key, if the integrated circuit stores the hash value of the first public key, the integrated circuit decrypts the random number ciphertext by using the second public key, to obtain the second random number, and if the integrated circuit stores the first public key, the integrated circuit may decrypt the random number ciphertext by using the first public key, to obtain the second random number, and perform the security authentication on the test platform by using the first random number and the second random number. The private key is stored in the encryption platform, thereby preventing leakage of the private key and ensuring security of the security authentication. In addition, a random number generated by the integrated circuit each time is different, and a random number ciphertext received by the integrated circuit is also different. Therefore, a plurality of integrated circuits may use a same public key for decryption, and there is no need to set a public key for each integrated circuit. This not only prevents an unauthorized user from cracking the random number ciphertext of the integrated circuit and improves the security and reliability of the security authentication, but also reduces costs of setting the public key.

[0236] FIG. 6 is a schematic structural diagram of a security authentication system according to an example embodiment. Referring to FIG. 6, the system includes a test platform 602, an integrated circuit 601, and an encryption platform 603 according to the foregoing embodiment.

[0237] The test platform 602 is configured to send an authentication request to the integrated circuit.

[0238] The integrated circuit 601 is configured to: when the integrated circuit receives the authentication request, generate a first random number, and send the first random number to the test platform.

[0239] The test platform 602 is further configured to: receive the first random number, and send the first random number to the encryption platform.

[0240] The encryption platform 603 is configured to: receive the first random number, encrypt the first random number to obtain a random number ciphertext, and send the random number ciphertext to the test platform.

[0241] The test platform 602 is further configured to: receive the random number ciphertext, and send the random number ciphertext to the integrated circuit.

[0242] The integrated circuit 601 is further configured to: receive the random number ciphertext, and decrypt the random number ciphertext to obtain a second random number.

[0243] The integrated circuit 601 is further configured to: perform security authentication on the test platform based on the first random number and the second random number.

[0244] Optionally, the integrated circuit 601 is further configured to:

[0245] determine a hash value of a second public key in the authentication request;

[0246] compare the hash value of the second public key with a hash value of a first public key; and

[0247] when the hash value of the first public key is the same as the hash value of the second public key, generate the first random number.

[0248] Optionally, the encryption platform 603 is further configured to:

[0249] encrypt the first random number by using a stored private key, to obtain the random number ciphertext.

[0250] Optionally, the integrated circuit 601 is further configured to:

[0251] decrypt the random number ciphertext by using the second public key carried in the authentication request, to obtain the second random number; or

[0252] decrypt the random number ciphertext by using the stored first public key, to obtain the second random number.

[0253] Optionally, the integrated circuit 601 is further configured to:

[0254] determine whether the second random number is the same as the first random number;

[0255] when the second random number is the same as the first random number, determine that the security authentication on the test platform succeeds; or

[0256] when the second random number is different from the first random number, determine that the security authentication on the test platform fails.

[0257] In this embodiment of the present application, when receiving the authentication request sent by the test platform, the integrated circuit may generate the first random number, and send the first random number to the test platform. The test platform sends the first random number to the encryption platform. When receiving the first random number, the encryption platform encrypts the first random number by using the stored private key, to obtain the random number ciphertext, and returns the random number ciphertext to the test platform. The test platform sends the random number ciphertext to the integrated circuit. When receiving the random number ciphertext, if the integrated circuit stores the hash value of the first public key, the integrated circuit decrypts the random number ciphertext by using the second public key, to obtain the second random number, and if the integrated circuit stores the first public key, the integrated circuit may decrypt the random number ciphertext by using the first public key, to obtain the second random number, and perform the security authentication on the test platform by using the first random number and the second random number. The private key is stored in the encryption platform, thereby preventing leakage of the private key and ensuring security of the security authentication. In addition, a random number generated by the integrated circuit each time is different, and a random number ciphertext received by the integrated circuit is also different. Therefore, a plurality of integrated circuits may use a same public key for decryption, and there is no need to set a public key for each integrated circuit. This not only prevents an unauthorized user from cracking the random number ciphertext of the integrated circuit and improves the security and reliability of the security authentication, but also reduces costs of setting the public key.

[0258] FIG. 7 is a schematic structural diagram of an integrated circuit according to an embodiment of the present application. Referring to FIG. 7, the integrated circuit includes a transmitter 701, a receiver 702, a processor 703, a memory 704, and a communications bus 705.

[0259] The processor 703 is configured to: receive an authentication request sent by a test platform, and generate a first random number.

[0260] The transmitter 701 is configured to send the first random number to the test platform, so that the test platform sends the first random number to an encryption platform.

[0261] The receiver 702 is configured to receive a random number ciphertext sent by the test platform, and the random number ciphertext is obtained after the encryption platform encrypts the first random number.

[0262] The processor 703 is configured to decrypt the random number ciphertext to obtain a second random number.

[0263] The processor 703 is configured to perform security authentication on the test platform based on the first random number and the second random number.

[0264] Optionally, the integrated circuit stores a hash value of a first public key, and the authentication request carries a second public key.

[0265] Correspondingly, the processor 703 is further configured to:

[0266] determine a hash value of the second public key;

[0267] compare the hash value of the first public key with the hash value of the second public key; and

[0268] when the hash value of the first public key is the same as the hash value of the second public key, generate the first random number.

[0269] Optionally, the processor 703 is further configured to:

[0270] determine whether the second random number is the same as the first random number;

[0271] when the second random number is the same as the first random number, determine that the security authentication on the test platform succeeds; or

[0272] when the second random number is different from the first random number, determine that the security authentication on the test platform fails.

[0273] Optionally, the processor 703 is further configured to:

[0274] when the integrated circuit stores the hash value of the first public key and the authentication request carries the second public key, decrypt the random number ciphertext by using the second public key, to obtain the second random number; or when the integrated circuit stores the first public key, decrypt the random number ciphertext by using the first public key, to obtain the second random number.

[0275] In this embodiment of the present application, when receiving the authentication request sent by the test platform, the integrated circuit may generate the first random number, and send the first random number to the test platform. The test platform sends the first random number to the encryption platform. Then, when receiving the random number ciphertext obtained after the encryption platform encrypts the first random number, the integrated circuit may decrypt the random number ciphertext to obtain the second random number and perform the security authentication on the test platform by using the first random number and the second random number. A random number generated by the integrated circuit each time is different, and a random number ciphertext received by the integrated circuit is also different. Therefore, an unauthorized user is prevented from cracking the random number ciphertext of the integrated circuit, thereby improving reliability and security of the security authentication.

[0276] A person of ordinary skill in the art may understand that all or some of the steps of the embodiments may be implemented by hardware or a program instructing related hardware. The program may be stored in a computer-readable storage medium. The storage medium may include: a read-only memory, a magnetic disk, or an optical disc.

[0277] The foregoing descriptions are merely example embodiments of the present application, but are not intended to limit the present application. Any modification, equivalent replacement, and improvement made without departing from the spirit and principle of the present application shall fall within the protection scope of the present application.

SECURITY AUTHENTICATION METHOD AND SYSTEM, AND INTEGRATED CIRCUIT

Inventors

Cpc classification

Classification Explorer

H04L9/321

ELECTRICITY

Classification Explorer

G06F21/71

PHYSICS

Classification Explorer

G06F21/44

PHYSICS

Classification Explorer

G06F2221/2107

PHYSICS

Classification Explorer

H04L2209/08

ELECTRICITY

Classification Explorer

H04L9/3236

ELECTRICITY

Classification Explorer

H04L9/30

ELECTRICITY

Classification Explorer

G06F2221/2103

PHYSICS

Classification Explorer

G06F21/72

PHYSICS

Classification Explorer

H04L9/3226

ELECTRICITY

International classification

Classification Explorer

H04L9/32

ELECTRICITY

Classification Explorer

H04L9/30

ELECTRICITY

Abstract

Claims

Description