ENTITY AUTHENTICATION METHOD AND DEVICE BASED ON PRE-SHARED KEY
20170310475 · 2017-10-26
Assignee
Inventors
- Ya’nan Hu (Xi'an, Shaanxi, CN)
- Zhiqiang Du (Xi'an, Shaanxi, CN)
- Guoqiang Zhang (Xi'an, Shaanxi, CN)
- Qin Li (Xi'an, Shaanxi, CN)
Cpc classification
- H04L9/0656 (ELECTRICITY)
- H04L63/0435 (ELECTRICITY)
- H04L63/06 (ELECTRICITY)
- H04L9/0816 (ELECTRICITY)
International classification
- H04L9/08 (ELECTRICITY)
- H04L9/06 (ELECTRICITY)
Abstract
An entity authentication method includes: an entity A generates and sends N.sub.A to an entity B; the entity B generates N.sub.B and ZSEED.sub.B, computes a key MKA∥KEIA and first encrypted authentication data AuthEncData.sub.B, and sends the N.sub.B∥N.sub.A∥AuthEncData.sub.B to the entity A for verification; the entity A generates ZSEED.sub.A, computes second encrypted authentication data AuthEncData.sub.A, a shared key seed Z, a master key MK and a first message authentication identifier MacTag.sub.A, and sends the N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A to the entity B for verification; the entity B computes Z, MK and MacTag.sub.A, compares the MacTag.sub.A with the received MacTag.sub.A, and if the two are equal, considers that the entity A is valid; the entity B computes and sends a second message authentication identifier MacTag.sub.B to the entity A; and the entity A computes MacTag.sub.B, compares the MacTag.sub.B with the received MacTag.sub.B, and if the two are equal, considers that the entity B is valid.
Claims
1. An entity authentication method based on a pre-shared key, comprising: in an entity A and an entity B which share a pre-shared key PSK and know each other's identifiers ID.sub.A and ID.sub.B, step 1) generating a random number N.sub.A and sending the random number N.sub.A to the entity B by the entity A; step 2) after N.sub.A is received, generating, by the entity B, a random number ZSEED.sub.B functioning as a key seed and a random number N.sub.B, calculating, by the entity B, a key MKA∥KEIA=KDF1(N.sub.A,N.sub.B,PSK,ID.sub.A,ID.sub.B), calculating, by the entity B, first encryption authentication data AuthEncData.sub.B=AuthEnc.sub.KEIA(AAD, IV, N.sub.B∥N.sub.A∥ID.sub.B∥ID.sub.A∥ZSEED.sub.B), and sending, by the entity B, N.sub.B∥N.sub.A∥AuthEncData.sub.B to the entity A, where MKA is an authentication key, KEIA is a message encryption and integrity key, KDF1 is a key derivation algorithm, ID.sub.A is an identifier of the entity A, ID.sub.B is an identifier of the entity B, AuthEnc is an encryption authentication algorithm, AAD is other authentication data required by the encryption authentication algorithm, and IV is an initial vector; step 3) performing decryption and verification on N.sub.B∥N.sub.A∥AuthEncData.sub.B by the entity A after N.sub.B∥N.sub.A∥AuthEncData.sub.B is received; step 4) generating, by the entity A, a random number ZSEED.sub.A functioning as a key seed, calculating, by the entity A, second encryption authentication data AuthEncData.sub.A=AuthEnc.sub.KEIA(AAD, IV*, N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.A), calculating, by the entity A, a shared key seed Z=ZSEED.sub.A⊕ZSEED.sub.B, calculating, by the entity A, a master key MK=KDF2(N.sub.A,N.sub.B,Z,ID.sub.A,ID.sub.B), calculating, by the entity A, a first message authentication identifier MacTag.sub.A=MAC(MK, MsgID1∥ID.sub.A∥ID.sub.B∥N.sub.A∥N.sub.B), and sending, by the entity A, N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A to the entity B, where MsgID1 is a message serial number, “⊕” indicates bitwise exclusive-OR, KDF2 is a key derivation algorithm, and MAC is a message authentication code generation algorithm; step 5) performing decryption and verification on N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A by the entity B after N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A is received; step 6) calculating, by the entity B, a shared key seed Z=ZSEED.sub.A⊕ZSEED.sub.B, calculating a master key MK=KDF2(N.sub.A,N.sub.B,Z,ID.sub.A,ID.sub.B), calculating, by the entity B, a first message authentication identifier MacTag.sub.A=MAC(MK, MsgID1∥ID.sub.A∥ID.sub.B∥N.sub.A∥N.sub.B) and comparing, by the entity B, the calculated MacTag.sub.A with the received MacTag.sub.A; and determining, by the entity B, that an identity of the entity A is valid if the calculated MacTag.sub.A is equal to the received MacTag.sub.A; step 7) calculating, by the entity B, a second message authentication identifier MacTag.sub.B=MAC(MK, MsgID2∥ID.sub.B∥ID.sub.A∥N.sub.B∥N.sub.A) and sending MacTag.sub.B to the entity A by the entity B, where MsgID2 is a message serial number; and step 8) after the MacTag.sub.B is received, calculating, by the entity A, a second message authentication identifier MacTag.sub.B=MAC(MK, MsgID2∥ID.sub.B∥ID.sub.A∥N.sub.B∥N.sub.A) and comparing, by the entity A, the calculated MacTag.sub.B with the received MacTag.sub.B; and determining, by the entity A, that an identity of the entity B is valid if the calculated MacTag.sub.B is equal to the received MacTag.sub.B.
2. The method according to claim 1, wherein the first encryption authentication data AuthEncData.sub.B in step 2) comprises EncData.sub.B∥MAC.sub.B, where EncData.sub.B is encryption data generated by the entity B, and MAC.sub.B is an integrity authentication code generated by the entity B; and the second encryption authentication data AuthEncData.sub.A in step 4) comprises EncData.sub.A∥MAC.sub.A, where EncData.sub.A is encryption data generated by the entity A, and MAC.sub.A is an integrity authentication code generated by the entity A.
3. The method according to claim 1, wherein the other authentication data AAD for calculating the first encryption authentication data AuthEncData.sub.B in step 2) and calculating the second encryption authentication data AuthEncData.sub.A in step 4) comprises protocol parameters and is set as AAD=SEP∥PID, where SEP is a security protocol parameter, PID is a protocol identifier, and SEP and PID conform to definitions of the Standard ISO/IEC 13157-1; AuthEncData.sub.B in step 2) is generated by the key derivation algorithm and is set as a low 96-bit value of a calculation result of KDF3(MKA,KEIA,N.sub.A,N.sub.B); and AuthEncData.sub.A in step 4) is generated by the key derivation algorithm and is set as a high 96-bit value of a calculation result of KDF3(MKA,KEIA,N.sub.A,N.sub.B), where KDF3 is a key derivation algorithm.
4. The method according to claim 2, wherein the performing decryption authentication by the entity A after N.sub.B∥N.sub.A∥AuthEncData.sub.B is received in step 3) comprises: 3.1) checking whether the received N.sub.A is equal to N.sub.A sent to the entity B; and authenticating as incorrect if the received N.sub.A is not equal to N.sub.A sent to the entity B; 3.2) calculating a key MKA∥KEIA=KDF1(N.sub.A,N.sub.B,PSK,ID.sub.A,ID.sub.B); and 3.3) calculating EncData.sub.B∥MAC.sub.B in AuthEncData.sub.B by decrypting with N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.B∥MAC.sub.B=AuthDec.sub.KEIA(AAD,IV,AuthEncData.sub.B); determining whether the calculated MAC.sub.B is equal to MAC.sub.B in the received AuthEncData.sub.B, authenticating as incorrect if the calculated MAC.sub.B is not equal to the received MAC.sub.B; checking whether ID.sub.A and ID.sub.B obtained by decryption are the same as the identifiers of the entity A and the entity B, authenticating as incorrect if the obtained ID.sub.A and ID.sub.B are not the same as the identifiers of the entity A and the entity B; checking whether N.sub.A obtained by decryption is equal to N.sub.A sent to the entity B, authenticating as incorrect if the obtained N.sub.A is not equal to N.sub.A sent to the entity B; and checking whether N.sub.B obtained by decryption is equal to N.sub.B in the received N.sub.B∥N.sub.A∥AuthEncData.sub.B, authenticating as incorrect if the obtained N.sub.B is not equal to the received N.sub.B, where AuthDec is a decryption authentication algorithm, wherein N.sub.B∥N.sub.A∥AuthEncData.sub.B received by the entity A is authenticated as incorrect if one of the above authentications has a negative result.
5. The method according to claim 2, wherein the performing decryption and verification on N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A by the entity B after N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A is received in step 5) comprises: 5.1) checking whether the received N.sub.A is equal to N.sub.A sent to the entity A, authenticating as incorrect if the received N.sub.A is not equal to N.sub.A sent to the entity A; 5.2) checking whether the received N.sub.B is equal to N.sub.B sent to the entity A, authenticating as incorrect if the received N.sub.B is not equal to N.sub.B sent to the entity A; and 5.3) calculating EncData.sub.A∥MAC.sub.A in AuthEncData.sub.A by decrypting with N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.A∥MAC.sub.A=AuthDec.sub.KEIA(AAD,IV,AuthEncData.sub.A); determining whether the calculated MAC.sub.A is equal to MAC.sub.A in the received AuthEncData.sub.A, authenticating as incorrect if the calculated MAC.sub.A is not equal to the received MAC.sub.A; checking whether ID.sub.A and ID.sub.B obtained by decryption are the same as the identifiers of the entity A and the entity B, authenticating as incorrect if the obtained ID.sub.A and ID.sub.B are not the same as the identifiers of the entity A and the entity B; and checking whether N.sub.A and N.sub.B obtained by decryption are equal to N.sub.A and N.sub.B sent to the entity A, authenticating as incorrect if the obtained N.sub.A and N.sub.B are not equal to N.sub.A and N.sub.B sent to the entity A, where AuthDec is a decryption authentication algorithm, wherein N.sub.A∥N.sub.B∥EncData.sub.A∥MAC.sub.A∥MacTag.sub.A received by the entity B is authenticated as incorrect if one of the above authentications has a negative result.
6. The method according to claim 1, wherein N.sub.A sent from the entity A to the entity B is transmitted after being encapsulated in an ACT_REQ protocol data unit, N.sub.B∥N.sub.A∥AuthEncData.sub.B sent from the entity B to the entity A is transmitted after being encapsulated in an ACT_RES protocol data unit, N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent from the entity A to the entity B is transmitted after being encapsulated in a VFY_REQ protocol data unit, and MacTag.sub.B sent from the entity B to the entity A is transmitted after being encapsulated in a VFY_RES protocol data unit, where ACT_REQ, ACT_RES, VFY_REQ and VFY_RES are protocol data unit formats conforming to definitions of the Standard ISO/IEC 13157-1.
7. A device for performing identity authentication with another device, comprising a storing unit; a processing unit; and a transceiver unit, wherein the storing unit is configured to store a pre-shared key PSK with the another device and an identifier ID.sub.B of the another device; the transceiver unit is configured to send a random number N.sub.A to the another device and receive N.sub.B∥N.sub.A∥AuthEncData.sub.B sent by the another device; the transceiver unit is further configured to send N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A to the another device and receive a second message authentication identifier MacTag.sub.B sent by the another device; the processing unit is configured to generate the random number N.sub.A; the processing unit is further configured to perform decryption and verification on N.sub.B∥N.sub.A∥AuthEncData.sub.B sent by the another device; generate a random number ZSEED.sub.A functioning as a key seed, calculate second encryption authentication data AuthEncData.sub.A=EncData.sub.A∥MAC.sub.A=AuthEnc.sub.KEIA(AAD, IV, N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.A), calculate a shared key seed Z=ZSEED.sub.A⊕ZSEED.sub.B, calculate a master key MK=KDF2(N.sub.A,N.sub.B,Z,ID.sub.A,ID.sub.B), calculate a first message authentication identifier MacTag.sub.A=MAC(MK, MsgID1∥ID.sub.A∥ID.sub.B∥N.sub.A∥N.sub.B), and generate N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A, where AuthEnc is an encryption authentication algorithm, EncData.sub.A is encryption data generated by the device, MAC.sub.A is an integrity authentication code generated by the device, AAD is other authentication data required by the encryption authentication algorithm, IV is an initial vector, ID.sub.A is an identifier of the device, ID.sub.B is an identifier of the another device, KDF2 is a key derivation algorithm, MsgID1 is a message serial number, MAC is a message authentication code generation algorithm, and “⊕” indicates bitwise exclusive-OR; and the processing unit is further configured to calculate a second message authentication identifier MacTag.sub.B=MAC(MK, MsgID2∥ID.sub.B∥ID.sub.A∥N.sub.B∥N.sub.A), compare the calculated MacTag.sub.B with MacTag.sub.B sent by the another device, and determine that an identity of the another device is valid if the calculated MacTag.sub.B is equal to MacTag.sub.B sent by the another device.
8. The device according to claim 7, wherein, for performing decryption authentication on N.sub.B∥N.sub.A∥AuthEncData.sub.B sent by the another device, the processing unit is further configured to: check whether the received N.sub.A is equal to N.sub.A sent to the another device, and authenticate as incorrect if the received N.sub.A is not equal to N.sub.A sent to the another device; calculate a key MKA∥KEIA=KDF1(N.sub.A,N.sub.B,PSK,ID.sub.A,ID.sub.B); and calculate EncData.sub.B∥MAC.sub.B in AuthEncData.sub.B by decrypting with N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.B∥MAC.sub.B=AuthDec.sub.KEIA(AAD,IV,AuthEncData.sub.B); determine whether the calculated MAC.sub.B is equal to MAC.sub.B in the received AuthEncData.sub.B, authenticate as incorrect if the calculated MAC.sub.B is not equal to the received MAC.sub.B; check whether ID.sub.A and ID.sub.B obtained by decryption are the same as the identifiers of the device and the another device, authenticate as incorrect if the obtained ID.sub.A and ID.sub.B are not the same as the identifiers of the device and the another device; check whether N.sub.A obtained by decryption is equal to N.sub.A sent to the another device, authenticate as incorrect if the obtained N.sub.A is not equal to N.sub.A sent to the another device; and check whether N.sub.B obtained by decryption is equal to N.sub.B in the received N.sub.B∥N.sub.A∥AuthEncData.sub.B, authenticate as incorrect if the obtained N.sub.B is not equal to the received N.sub.B, where AuthDec is a decryption authentication algorithm, wherein N.sub.B∥N.sub.A∥AuthEncData.sub.B sent by the another device is authenticated as incorrect if one of the above authentications has a negative result.
9. A device for performing identity authentication with another device, the device comprising a storing unit, a processing unit and a transceiver unit, wherein the storing unit is configured to store a pre-shared key PSK with the another device and an identifier ID.sub.A of the another device; the transceiver unit is configured to receive a random number N.sub.A sent by the another device; the transceiver unit is further configured to send N.sub.B∥N.sub.A∥AuthEncData.sub.B to the another device and receive N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent by the another device; the transceiver unit is further configured to send a second message authentication identifier MacTag.sub.B to the another device; the processing unit is configured to generate a random number ZSEED.sub.B functioning as a key seed and generate the random number N.sub.B, calculate a key MKA∥KEIA=KDF1(N.sub.A,N.sub.B,PSK,ID.sub.A,ID.sub.B), calculate first encryption authentication data AuthEncData.sub.B=EncData.sub.B∥MAC.sub.B=AuthEnc.sub.KEIA(AAD, IV, N.sub.B∥N.sub.A∥ID.sub.B∥ID.sub.A∥ZSEED.sub.B) and generate N.sub.B∥N.sub.A∥AuthEncData.sub.B, where MKA is an authentication key, KEIA is a message encryption and integrity key, KDF1 is a key derivation algorithm, ID.sub.B is an identifier of the device, ID.sub.A is an identifier of the another device, AuthEnc is an encryption authentication algorithm, EncData.sub.B is encryption data generated by the device, MAC.sub.B is an integrity authentication code generated by the device, AAD is other authentication data required by the encryption authentication algorithm, and IV is an initial vector; the processing unit is further configured to perform decryption and verification on N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent by the another device; and the processing unit is further configured to calculate a shared key seed Z=ZSEED.sub.A⊕ZSEED.sub.B, calculate a master key MK=KDF2(N.sub.A,N.sub.B,Z,ID.sub.A,ID.sub.B), calculate a first message authentication identifier MacTag.sub.A=MAC(MK, MsgID1∥ID.sub.A∥ID.sub.B∥N.sub.A∥N.sub.B), compare the calculated MacTag.sub.A with the received MacTag.sub.A, stop authentication if the calculated MacTag.sub.A is not equal to the received MacTag.sub.A, and determine that the identity of the another device is valid and calculate a second message authentication identifier MacTag.sub.B=MAC(MK, MsgID2∥ID.sub.B∥ID.sub.A∥N.sub.B∥N.sub.A) if the calculated MacTag.sub.A is equal to the received MacTag.sub.A.
10. The device according to claim 9, wherein, for performing decryption and verification on N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent by the another device, the processing unit is further configured to: check whether the received N.sub.A is equal to N.sub.A sent to the another device, and authenticate as incorrect if the received N.sub.A is not equal to N.sub.A sent to the another device; check whether the received N.sub.B is equal to N.sub.B sent to the another device, and authenticate as incorrect if the received N.sub.B is not equal to N.sub.B sent to the another device; and calculate EncData.sub.A∥MAC.sub.A in AuthEncData.sub.A by decrypting with N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.A∥MAC.sub.A=AuthDec.sub.KEIA(AAD,IV,AuthEncData.sub.A), determine whether the calculated MAC.sub.A is equal to MAC.sub.A in the received AuthEncData.sub.A, authenticate as incorrect if the calculated MAC.sub.A is not equal to the received MAC.sub.A; check whether ID.sub.A and ID.sub.B obtained by decryption are the same as the identifiers of the another device and the device, authenticate as incorrect if the obtained ID.sub.A and ID.sub.B are not the same as the identifiers of the another device and the device; and check whether N.sub.A and N.sub.B obtained by decryption are equal to N.sub.A and N.sub.B sent to the another device, authenticate as incorrect if the obtained N.sub.A and N.sub.B are not equal to N.sub.A and N.sub.B sent to the another device, wherein N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent by the another device is authenticated as incorrect if one of the above authentications has a negative result.
11. An operation method for an entity A for performing identity authentication between the entity A and an entity B, the entity A having a pre-shared key PSK with the entity B and knowing an identifier ID.sub.B of the entity B, wherein the method comprises: generating a random number N.sub.A and sending the random number N.sub.A to the entity B; performing decryption and verification on N.sub.B∥N.sub.A∥AuthEncData.sub.B sent by the entity B after N.sub.B∥N.sub.A∥AuthEncData.sub.B is received; generating a random number ZSEED.sub.A functioning as a key seed, calculating second encryption authentication data AuthEncData.sub.A=EncData.sub.A∥MAC.sub.A=AuthEnc.sub.KEIA(AAD, IV, N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.A), calculating a shared key seed Z=ZSEED.sub.A⊕ZSEED.sub.B, calculating a master key MK=KDF2(N.sub.A,N.sub.B,Z,ID.sub.A,ID.sub.B), calculating a first message authentication identifier MacTag.sub.A=MAC(MK, MsgID1∥ID.sub.A∥ID.sub.B∥N.sub.A∥N.sub.B), and sending N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A to the entity B; and after a second message authentication identifier MacTag.sub.B sent by the entity B is received, calculating a second message authentication identifier MacTag.sub.B=MAC(MK, MsgID2∥ID.sub.B∥ID.sub.A∥N.sub.B∥N.sub.A), comparing the calculated MacTag.sub.B with the received MacTag.sub.B, and determining that an identity of the entity B is valid if the calculated MacTag.sub.B is equal to the received MacTag.sub.B, where ID.sub.A is an identifier of the entity A, ID.sub.B is an identifier of the entity B, AuthEnc is an encryption authentication algorithm, EncData.sub.A is encryption data generated by the entity A, MAC.sub.A is an integrity authentication code generated by the entity A, KDF2 is a key derivation algorithm, MsgID1 and MsgID2 are message serial numbers, “⊕” indicates bitwise exclusive-OR, and MAC is a message authentication code generation algorithm.
12. The method according to claim 11, wherein the other authentication data AAD for calculating the second encryption authentication data AuthEncData.sub.A comprises protocol parameters and is set as AAD=SEP∥PID, where SEP is a security protocol parameter, PID is a protocol identifier, and SEP and PID conform to definitions of the Standard ISO/IEC 13157-1; and the initial vector IV for calculating the second encryption authentication data AuthEncData.sub.A is generated by the key derivation algorithm and is set as a high 96-bit value of a calculation result of KDF3(MKA,KEIA,N.sub.A,N.sub.B), where KDF3 is a key derivation algorithm.
13. The method according to claim 11, wherein the performing decryption and verification on N.sub.B∥N.sub.A∥AuthEncData.sub.B sent by the entity B after N.sub.B∥N.sub.A∥AuthEncData.sub.B is received comprises: checking whether the received N.sub.A is equal to N.sub.A sent to the entity B, and authenticating as incorrect if the received N.sub.A is not equal to N.sub.A sent to the entity B; calculating a key MKA∥KEIA=KDF1(N.sub.A,N.sub.B,PSK,ID.sub.A,ID.sub.B); and calculating EncData.sub.B∥MAC.sub.B in the first encryption authentication data AuthEncData.sub.B by decrypting with N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.B∥MAC.sub.B=AuthDec.sub.KEIA(AAD,IV,AuthEncData.sub.B); determining whether the calculated MAC.sub.B is equal to MAC.sub.B in the received AuthEncData.sub.B, authenticating as incorrect if the calculated MAC.sub.B is not equal to the received MAC.sub.B; checking whether ID.sub.A and ID.sub.B obtained by decryption are the same as the identifiers of the entity A and the entity B, authenticating as incorrect if the obtained ID.sub.A and ID.sub.B are not the same as the identifiers of the entity A and the entity B; checking whether N.sub.A obtained by decryption is equal to N.sub.A sent to the entity B, authenticating as incorrect if the obtained N.sub.A is not equal to N.sub.A sent to the entity B; and checking whether N.sub.B obtained by decryption is equal to N.sub.B in the received N.sub.B∥N.sub.A∥AuthEncData.sub.B, authenticating as incorrect if the obtained N.sub.B is not equal to the received N.sub.B, wherein the received N.sub.B∥N.sub.A∥AuthEncData.sub.B is authenticated as incorrect if one of the above authentications has a negative result.
14. An operation method for an entity B for performing identity authentication between an entity A and the entity B, the entity B having a pre-shared key PSK with the entity A and knowing an identifier ID.sub.A of the entity A, wherein the method comprises: after a random number N.sub.A sent by the entity A is received, generating a random number ZSEED.sub.B functioning as a key seed and a random number N.sub.B, calculating first encryption authentication data AuthEncData.sub.B=EncData.sub.B∥MAC.sub.B=AuthEnc.sub.KEIA(AAD, IV, N.sub.B∥N.sub.A∥ID.sub.B∥ID.sub.A∥ZSEED.sub.B), and sending N.sub.B∥N.sub.A∥AuthEncData.sub.B to the entity A by the entity B; performing decryption and verification on N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent by the entity A after N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A is received; and calculating a shared key seed Z=ZSEED.sub.A⊕ZSEED.sub.B, calculating a master key MK=KDF2(N.sub.A,N.sub.B,Z,ID.sub.A,ID.sub.B), calculating a first message authentication identifier MacTag.sub.A=MAC(MK, MsgID1∥ID.sub.A∥ID.sub.B∥N.sub.A∥N.sub.B), comparing the calculated MacTag.sub.A with the received MacTag.sub.A, and stopping authentication if the calculated MacTag.sub.A is not equal to the received MacTag.sub.A; determining that an identity of the entity A is valid, calculating a second message authentication identifier MacTag.sub.B=MAC(MK, MsgID2∥ID.sub.B∥ID.sub.A∥N.sub.B∥N.sub.A) and sending MacTag.sub.B to the entity A, if the calculated MacTag.sub.A is equal to the received MacTag.sub.A, where ID.sub.A is an identifier of the entity A, ID.sub.B is an identifier of the entity B, AuthEnc is an encryption authentication algorithm, EncData.sub.B is encryption data generated by the entity B, MAC.sub.B is an integrity authentication code generated by the entity B, KDF2 is a key derivation algorithm, MsgID1 and MsgID2 are message serial numbers, “⊕” indicates bitwise exclusive-OR, and MAC is a message authentication code generation algorithm.
15. The method according to claim 14, wherein the other authentication data AAD for calculating the first encryption authentication data AuthEncData.sub.B comprises protocol parameters and is set as AAD=SEP∥PID, where SEP is a security protocol parameter, PID is a protocol identifier, and SEP and PID conform to definitions of the Standard ISO/IEC 13157-1; and the initial vector IV for calculating the first encryption authentication data AuthEncData.sub.B is generated by the key derivation algorithm and is set as a low 96-bit value of a calculation result of KDF3(MKA,KEIA,N.sub.A,N.sub.B), where KDF3 is a key derivation algorithm.
16. The method according to claim 14, wherein the performing decryption and verification on N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent by the entity A after N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A is received comprises: checking whether the received N.sub.A is equal to N.sub.A sent to the entity A, and authenticating as incorrect if the received N.sub.A is not equal to N.sub.A sent to the entity A; checking whether the received N.sub.B is equal to N.sub.B sent to the entity A, authenticating as incorrect if the received N.sub.B is not equal to N.sub.B sent to the entity A; and calculating EncData.sub.A∥MAC.sub.A in AuthEncData.sub.A by decrypting with N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.A∥MAC.sub.A=AuthDec.sub.KEIA(AAD,IV,AuthEncData.sub.A); determining whether the calculated MAC.sub.A is equal to MAC.sub.A in the received AuthEncData.sub.A, authenticating as incorrect if the calculated MAC.sub.A is not equal to the received MAC.sub.A; checking whether ID.sub.A and ID.sub.B obtained by decryption are the same as the identifiers of the entity A and the entity B, authenticating as incorrect if the obtained ID.sub.A and ID.sub.B are not the same as the identifiers of the entity A and the entity B; and checking whether N.sub.A and N.sub.B obtained by decryption are equal to N.sub.A and N.sub.B sent to the entity A, authenticating as incorrect if the obtained N.sub.A and N.sub.B are not equal to N.sub.A and N.sub.B sent to the entity A, wherein the received N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A is authenticated as incorrect if one of the above authentications has a negative result.
17. The method according to claim 2, wherein N.sub.A sent from the entity A to the entity B is transmitted after being encapsulated in an ACT_REQ protocol data unit, N.sub.B∥N.sub.A∥AuthEncData.sub.B sent from the entity B to the entity A is transmitted after being encapsulated in an ACT_RES protocol data unit, N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent from the entity A to the entity B is transmitted after being encapsulated in a VFY_REQ protocol data unit, and MacTag.sub.B sent from the entity B to the entity A is transmitted after being encapsulated in a VFY_RES protocol data unit, where ACT_REQ, ACT_RES, VFY_REQ and VFY_RES are protocol data unit formats conforming to definitions of the Standard ISO/IEC 13157-1.
18. The method according to claim 3, wherein N.sub.A sent from the entity A to the entity B is transmitted after being encapsulated in an ACT_REQ protocol data unit, N.sub.B∥N.sub.A∥AuthEncData.sub.B sent from the entity B to the entity A is transmitted after being encapsulated in an ACT_RES protocol data unit, N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent from the entity A to the entity B is transmitted after being encapsulated in a VFY_REQ protocol data unit, and MacTag.sub.B sent from the entity B to the entity A is transmitted after being encapsulated in a VFY_RES protocol data unit, where ACT_REQ, ACT_RES, VFY_REQ and VFY_RES are protocol data unit formats conforming to definitions of the Standard ISO/IEC 13157-1.
19. The method according to claim 4, wherein N.sub.A sent from the entity A to the entity B is transmitted after being encapsulated in an ACT_REQ protocol data unit, N.sub.B∥N.sub.A∥AuthEncData.sub.B sent from the entity B to the entity A is transmitted after being encapsulated in an ACT_RES protocol data unit, N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent from the entity A to the entity B is transmitted after being encapsulated in a VFY_REQ protocol data unit, and MacTag.sub.B sent from the entity B to the entity A is transmitted after being encapsulated in a VFY_RES protocol data unit, where ACT_REQ, ACT_RES, VFY_REQ and VFY_RES are protocol data unit formats conforming to definitions of the Standard ISO/IEC 13157-1.
20. The method according to claim 5, wherein N.sub.A sent from the entity A to the entity B is transmitted after being encapsulated in an ACT_REQ protocol data unit, N.sub.B∥N.sub.A∥AuthEncData.sub.B sent from the entity B to the entity A is transmitted after being encapsulated in an ACT_RES protocol data unit, N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent from the entity A to the entity B is transmitted after being encapsulated in a VFY_REQ protocol data unit, and MacTag.sub.B sent from the entity B to the entity A is transmitted after being encapsulated in a VFY_RES protocol data unit, where ACT_REQ, ACT_RES, VFY_REQ and VFY_RES are protocol data unit formats conforming to definitions of the Standard ISO/IEC 13157-1.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
DETAILED DESCRIPTION OF EMBODIMENTS
[0049] Referring to
[0050] In step 1, the entity A generates a random number N.sub.A and sends the random number N.sub.A to the entity B.
[0051] In step 2, after N.sub.A is received, the entity B generates a random number ZSEED.sub.B functioning as a key seed and generates a random number N.sub.B, calculates a key MKA∥KEIA=KDF1(N.sub.A,N.sub.B,PSK,ID.sub.A,ID.sub.B), calculates first encryption authentication data AuthEncData.sub.B=EncData.sub.B∥MAC.sub.B=AuthEnc.sub.KEIA(AAD, IV, N.sub.B∥N.sub.A∥ID.sub.B∥ID.sub.A∥ZSEED.sub.B), and sends N.sub.B∥N.sub.A∥AuthEncData.sub.B to the entity A. AuthEncData.sub.B includes EncData.sub.B and MAC.sub.B and is generated by calculation under KEIA. MKA is an authentication key, KEIA is a message encryption and integrity key, and KDF1 is a key derivation algorithm. The key derivation algorithm in the present disclosure may be a Pseudo-Random Function-128 (PRF-128) or the like; AuthEnc is an encryption authentication algorithm, and the encryption authentication algorithm in the present disclosure may be the Galois Counter Mode (GCM) or the like. EncData.sub.B is encryption data generated by the entity B, MAC.sub.B is an integrity authentication code generated by the entity B, AAD is other authentication data required by the encryption authentication algorithm, and IV is an initial vector. Throughout the disclosure, “∥” indicates a combination of fields and does not fix the order of the fields. In addition, fields combined by “∥” may be considered as forming a “field group”. It should be noted that the “field group” in the present disclosure is inclusive, that is, the “field group” may contain other fields in addition to the fields listed for it.
[0052] In step 3, the entity A performs decryption and verification on N.sub.B∥N.sub.A∥AuthEncData.sub.B after N.sub.B∥N.sub.A∥AuthEncData.sub.B is received; stops authentication if authenticating as incorrect; and performs subsequent steps if authenticating as correct.
[0053] In step 4, the entity A generates a random number ZSEED.sub.A functioning as a key seed, calculates second encryption authentication data AuthEncData.sub.A=EncData.sub.A∥MAC.sub.A=AuthEnc.sub.KEIA(AAD, IV, N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.A), calculates a shared key seed Z=ZSEED.sub.A⊕ZSEED.sub.B, calculates a master key MK=KDF2(N.sub.A,N.sub.B,Z,ID.sub.A,ID.sub.B), calculates a first message authentication identifier MacTag.sub.A=MAC(MK, MsgID1∥ID.sub.A∥ID.sub.B∥N.sub.A∥N.sub.B). AuthEncData.sub.A includes EncData.sub.A and MAC.sub.A and is generated by KEIA calculation. EncData.sub.A is encryption data generated by the entity A, MAC.sub.A is an integrity authentication code generated by the entity A. KDF2 is a key derivation algorithm, MsgID1 is a message serial number (which may be predetermined by the entity A and the entity B or may be obtained by interacting through a message between the entity A and the entity B), “⊕” indicates bitwise exclusive-OR, MAC is a message authentication code generation algorithm, and the message authentication code generation algorithm in the present disclosure may be Cipher-based Message Authentication Code (CMAC) or the like. The entity A sends N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A to the entity B.
[0054] In step 5, the entity B performs decryption and verification on N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A after N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A is received; stops authentication if authenticating as incorrect; and performs subsequent steps if authenticating as correct.
[0055] In step 6, the entity B calculates a shared key seed Z=ZSEED.sub.A⊕ZSEED.sub.B, calculates a master key MK=KDF2(N.sub.A,N.sub.B,Z,ID.sub.A,ID.sub.B), calculates a message authentication identifier MacTag.sub.A=MAC(MK, MsgID1∥ID.sub.A∥ID.sub.B∥N.sub.A∥N.sub.B) and compares the calculated MacTag.sub.A with the received MacTag.sub.A; stops authentication if the calculated MacTag.sub.A is not equal to the received MacTag.sub.A; and determines that an identity of the entity A is valid and performs subsequent steps if the calculated MacTag.sub.A is equal to the received MacTag.sub.A.
[0056] In step 7, the entity B calculates a message authentication identifier MacTag.sub.B=MAC(MK, MsgID2∥ID.sub.B∥ID.sub.A∥N.sub.B∥N.sub.A) and sends MacTag.sub.B to the entity A. MsgID2 is a message serial number (which may be predetermined by the entity A and the entity B or may be obtained by interacting through a message between the entity A and the entity B).
[0057] In step 8, after MacTag.sub.B is received, the entity A calculates a message authentication identifier MacTag.sub.B=MAC(MK, MsgID2∥ID.sub.B∥ID.sub.A∥N.sub.B∥N.sub.A) and compares the calculated MacTag.sub.B with the received MacTag.sub.B; and determines that an identity of the entity B is valid if the calculated MacTag.sub.B is equal to the received MacTag.sub.B.
[0058] In step 2, the other authentication data AAD for calculating the first encryption authentication data AuthEncData.sub.B includes protocol parameters and is set as AAD=SEP∥PID. SEP is a security protocol parameter, PID is a protocol identifier, and both SEP and the PID conform to definitions of the Standard ISO/IEC 13157-1.
[0059] The initial vector IV for calculating the first encryption authentication data AuthEncData.sub.B is generated by the key derivation algorithm and is set as a low 96-bit value of a calculation result of KDF3(MKA,KEIA,N.sub.A,N.sub.B), where KDF3 is a key derivation algorithm.
[0060] In step 3 described above, the performing decryption and verification on N.sub.B∥N.sub.A∥AuthEncData.sub.B by the entity A after N.sub.B∥N.sub.A∥AuthEncData.sub.B is received may include step 3.1 to step 3.3 in the following.
[0061] In step 3.1, the entity A checks whether the received N.sub.A is equal to N.sub.A sent to the entity B; and authenticates as incorrect if the received N.sub.A is not equal to N.sub.A sent to the entity B.
[0062] In step 3.2, the entity A calculates a key MKA∥KEIA=KDF1(N.sub.A,N.sub.B,PSK,ID.sub.A,ID.sub.B).
[0063] In step 3.3, the entity A calculates EncData.sub.B∥MAC.sub.B in AuthEncData.sub.B by decrypting with N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.B∥MAC.sub.B=AuthDec.sub.KEIA(AAD,IV,AuthEncData.sub.B); determines whether the calculated MAC.sub.B is equal to MAC.sub.B in the received AuthEncData.sub.B, authenticates as incorrect if the calculated MAC.sub.B is not equal to the received MAC.sub.B; checks whether ID.sub.A and ID.sub.B obtained by decryption are the same as the identifiers of the entity A and the entity B, authenticates as incorrect if the obtained ID.sub.A and ID.sub.B are not the same as the identifiers of the entity A and the entity B; checks whether N.sub.A obtained by decryption is equal to N.sub.A sent to the entity B, authenticates as incorrect if the obtained N.sub.A is not equal to N.sub.A sent to the entity B; and checks whether N.sub.B obtained by decryption is equal to N.sub.B in the received N.sub.B∥N.sub.A∥AuthEncData.sub.B, authenticates as incorrect if the obtained N.sub.B is not equal to the received N.sub.B. AuthEncData.sub.B includes EncData.sub.B and MAC.sub.B and is decrypted and authenticated through KEIA; AuthDec is a decryption authentication algorithm, the decryption authentication algorithm in the present disclosure may be the Galois Counter Mode (GCM) or the like; and the values of AAD and IV may be set using the same method as that used for setting the values of AAD and IV in step 2.
[0064] It should be noted that, the above verification steps are not necessarily performed in a strict order, and the N.sub.B∥N.sub.A∥AuthEncData.sub.B received by the entity A is authenticated as incorrect if any one of the above authentications has a negative result.
[0065] In step 4 described above, the other authentication data AAD for calculating the second encryption authentication data AuthEncData.sub.A includes protocol parameters and is set as AAD=SEP∥PID, where SEP is a security protocol parameter, PID is a protocol identifier, and both SEP and PID conform to definitions of the Standard ISO/IEC 13157-1.
[0066] The initial vector IV for calculating the second encryption authentication data AuthEncData.sub.A is generated by the key derivation algorithm and is set as a high 96-bit value of a calculation result of KDF3(MKA,KEIA,N.sub.A,N.sub.B), where KDF3 is a key derivation algorithm.
[0067] In step 5 described above, the performing decryption and verification on N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A by the entity B after N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A is received may include step 5.1 to step 5.3 in the following.
[0068] In step 5.1, the entity B checks whether the received N.sub.A is equal to N.sub.A sent to the entity A, and authenticates as incorrect if the received N.sub.A is not equal to N.sub.A sent to the entity A.
[0069] In step 5.2, the entity B checks whether the received N.sub.B is equal to N.sub.B sent to the entity A, and authenticates as incorrect if the received N.sub.B is not equal to N.sub.B sent to the entity A.
[0070] In step 5.3, the entity B calculates EncData.sub.A∥MAC.sub.A in AuthEncData.sub.A by decrypting with N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.A∥MAC.sub.A=AuthDec.sub.KEIA(AAD,IV,AuthEncData.sub.A); determines whether the calculated MAC.sub.A is equal to MAC.sub.A in the received AuthEncData.sub.A, authenticates as incorrect if the calculated MAC.sub.A is not equal to the received MAC.sub.A; checks whether ID.sub.A and ID.sub.B obtained by decryption are the same as the identifiers of the entity A and the entity B, authenticates as incorrect if the obtained ID.sub.A and ID.sub.B are not the same as the identifiers of the entity A and the entity B; checks whether N.sub.A and N.sub.B obtained by decryption are equal to N.sub.A and N.sub.B sent to the entity A, and authenticates as incorrect if the obtained N.sub.A and N.sub.B are not equal to N.sub.A and N.sub.B sent to the entity A. AuthEncData.sub.A includes EncData.sub.A and MAC.sub.A and is decrypted and authenticated through KEIA, AuthDec is a decryption authentication algorithm, and values of AAD and IV are set using the same method as that used for setting the values of AAD and IV in step 4.
[0071] It should be noted that, the above verification steps are not necessarily performed in a strict order, and N.sub.A∥N.sub.B∥EncData.sub.A∥MAC.sub.A∥MacTag.sub.A received by the entity B is authenticated as incorrect if one of the above authentications has a negative result.
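The exchange of steps 1 to 8, together with the checks of steps 3.1 to 3.3 and 5.1 to 5.3 and the AAD and IV settings of steps 2 and 4, as an added runnable model in Python. This is an added example and not code from the disclosure. The disclosure leaves KDF1/KDF2/KDF3, AuthEnc/AuthDec and MAC pluggable (PRF-128, GCM and CMAC are named only as options), so, to keep the example dependent on the Python standard library alone, all of them are instantiated here with HMAC-SHA256 constructions (an assumption, stated again in the code): the KDFs as counter-mode HMAC expansion, AuthEnc as an HMAC keystream XOR with an HMAC tag over AAD∥IV∥EncData (encrypt-then-MAC in place of GCM), and MAC as truncated HMAC. The fixed field sizes, the labels, the MsgID1/MsgID2 values, the SEP∥PID bytes, the byte-level reading of "low 96 bits" and "high 96 bits", and the helper names `run_protocol`, `outcome`, `flip_last`, `tamper` and `psk_b` are likewise assumptions introduced for the example.

```python
# Added example, not code from the patent: a runnable model of the four-message
# exchange of steps 1-8 with the checks of steps 3.1-3.3 and 5.1-5.3. The patent
# leaves KDF, AuthEnc and MAC pluggable ("PRF-128 or the like", "GCM or the like",
# "CMAC or the like"); so that this runs on the standard library alone, all three are
# HMAC-SHA256 constructions here (assumption). Field sizes, labels, MsgID values and
# the SEP||PID bytes are assumptions as well.
import hashlib, hmac, os

NONCE_LEN, ID_LEN, SEED_LEN, TAG_LEN = 16, 8, 16, 16
AAD = b"SEP" + b"PID"            # AAD = SEP||PID (placeholder contents)
MSGID1, MSGID2 = b"\x01", b"\x02"

class AuthError(Exception):
    """A step 'authenticated as incorrect'; the protocol run stops here."""

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def kdf(key, label, *parts, n=32):
    """KDF1/KDF2/KDF3 stand-in: HMAC-SHA256 counter-mode expansion over length-prefixed parts."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    blocks = (hmac.new(key, msg + bytes([c]), hashlib.sha256).digest() for c in range(1, n // 32 + 2))
    return b"".join(blocks)[:n]

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]   # MAC stand-in (CMAC in the patent)

def auth_enc(key, aad, iv, pt):
    """AuthEnc stand-in for GCM: EncData = pt XOR keystream(KEIA, IV), MAC over AAD||IV||EncData."""
    ct = xor(pt, kdf(key, b"stream", iv, n=len(pt)))
    return ct + mac(key, aad + iv + ct)

def auth_dec(key, aad, iv, data):
    """AuthDec stand-in: verify MAC first; plaintext is released only on success, else None."""
    ct, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(key, aad + iv + ct)):
        return None
    return xor(ct, kdf(key, b"stream", iv, n=len(ct)))

def session_keys(psk, n_a, n_b, id_a, id_b):
    """MKA||KEIA = KDF1(N_A,N_B,PSK,ID_A,ID_B); IVs are the low/high 96 bits of
    KDF3(MKA,KEIA,N_A,N_B), read here as the trailing/leading 12 bytes (assumption)."""
    mka_keia = kdf(psk, b"KDF1", n_a, n_b, id_a, id_b, n=64)
    iv_src = kdf(mka_keia, b"KDF3", n_a, n_b)
    return mka_keia[32:], iv_src[-12:], iv_src[:12]   # KEIA, IV for step 2, IV for step 4

def fields(pt):
    """Split N||N||ID||ID||ZSEED with the fixed field sizes assumed above."""
    o = 2 * NONCE_LEN
    return pt[:NONCE_LEN], pt[NONCE_LEN:o], pt[o:o + ID_LEN], pt[o + ID_LEN:o + 2 * ID_LEN], pt[o + 2 * ID_LEN:]

def run_protocol(psk, id_a, id_b, tamper=None, psk_b=None):
    """Drive A and B through steps 1-8. tamper(name, msg) may alter a message in flight
    and psk_b gives B a different PSK than A. Returns (MK at A, MK at B) or raises."""
    tamper = tamper or (lambda name, m: m)
    n_a = os.urandom(NONCE_LEN)                                   # step 1: A -> B: N_A
    m1 = tamper("m1", n_a)
    n_b, zseed_b = os.urandom(NONCE_LEN), os.urandom(SEED_LEN)    # step 2: B -> A
    keia_b, iv2_b, iv4_b = session_keys(psk_b or psk, m1, n_b, id_a, id_b)
    m2 = tamper("m2", n_b + m1 + auth_enc(keia_b, AAD, iv2_b, n_b + m1 + id_b + id_a + zseed_b))
    r_nb, r_na, r_aed = m2[:NONCE_LEN], m2[NONCE_LEN:2 * NONCE_LEN], m2[2 * NONCE_LEN:]
    if r_na != n_a:                                               # step 3.1
        raise AuthError("3.1: N_A echoed by B differs from the N_A sent")
    keia_a, iv2_a, iv4_a = session_keys(psk, n_a, r_nb, id_a, id_b)    # step 3.2
    pt = auth_dec(keia_a, AAD, iv2_a, r_aed)                      # step 3.3
    if pt is None:
        raise AuthError("3.3: MAC_B check failed")
    p_nb, p_na, p_idb, p_ida, zseed_b_at_a = fields(pt)
    if (p_ida, p_idb, p_na, p_nb) != (id_a, id_b, n_a, r_nb):
        raise AuthError("3.3: identifier or nonce inside AuthEncData_B mismatch")
    zseed_a = os.urandom(SEED_LEN)                                # step 4: A -> B
    aed_a = auth_enc(keia_a, AAD, iv4_a, n_a + r_nb + id_a + id_b + zseed_a)
    mk_a = kdf(xor(zseed_a, zseed_b_at_a), b"KDF2", n_a, r_nb, id_a, id_b)
    m3 = tamper("m3", n_a + r_nb + aed_a + mac(mk_a, MSGID1 + id_a + id_b + n_a + r_nb))
    s_na, s_nb, s_aed, s_tag = m3[:NONCE_LEN], m3[NONCE_LEN:2 * NONCE_LEN], m3[2 * NONCE_LEN:-TAG_LEN], m3[-TAG_LEN:]
    if (s_na, s_nb) != (m1, n_b):                                 # steps 5.1 and 5.2
        raise AuthError("5.1/5.2: nonce echo mismatch")
    pt = auth_dec(keia_b, AAD, iv4_b, s_aed)                      # step 5.3
    if pt is None:
        raise AuthError("5.3: MAC_A check failed")
    q_na, q_nb, q_ida, q_idb, zseed_a_at_b = fields(pt)
    if (q_ida, q_idb, q_na, q_nb) != (id_a, id_b, m1, n_b):
        raise AuthError("5.3: identifier or nonce inside AuthEncData_A mismatch")
    mk_b = kdf(xor(zseed_a_at_b, zseed_b), b"KDF2", m1, n_b, id_a, id_b)   # step 6
    if not hmac.compare_digest(s_tag, mac(mk_b, MSGID1 + id_a + id_b + m1 + n_b)):
        raise AuthError("6: MacTag_A mismatch, entity A rejected")
    m4 = tamper("m4", mac(mk_b, MSGID2 + id_b + id_a + n_b + m1))          # step 7: B -> A
    if not hmac.compare_digest(m4, mac(mk_a, MSGID2 + id_b + id_a + r_nb + n_a)):   # step 8
        raise AuthError("8: MacTag_B mismatch, entity B rejected")
    return mk_a, mk_b

def outcome(*args, **kwargs):
    """'ok' when both sides accept, else the AuthError text of the failing step."""
    try:
        run_protocol(*args, **kwargs)
        return "ok"
    except AuthError as e:
        return str(e)

def flip_last(which):
    """Tamper function flipping one bit of the last byte of the named message."""
    return lambda name, m: m[:-1] + bytes([m[-1] ^ 1]) if name == which else m
```

Running `run_protocol(psk, b"entity_A", b"entity_B")` returns two equal master keys; `outcome(..., tamper=flip_last("m1"))` through `flip_last("m4")` show that a modification of each of the four messages is caught at a different step (3.1, 3.3, 6 and 8 respectively), and `outcome(..., psk_b=other_key)` fails at step 3.3 because the entity A cannot verify MAC.sub.B. Two points carry over to a real implementation: the MAC is always checked before any decrypted field is used, and, because IV is derived from KDF3(MKA,KEIA,N.sub.A,N.sub.B) and MKA∥KEIA itself from N.sub.A and N.sub.B, freshness of the IV under a given KEIA rests entirely on the nonces being fresh, which matters for a nonce-sensitive mode such as GCM.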
[0072] Referring to
[0073] In step 10, a random number N.sub.A is generated and N.sub.A is sent to an entity B.
[0074] In step 20, decryption and verification is performed on N.sub.B∥N.sub.A∥AuthEncData.sub.B sent by the entity B after N.sub.B∥N.sub.A∥AuthEncData.sub.B is received; authentication is stopped if authenticating as incorrect; and subsequent steps are performed if authenticating as correct.
[0075] In step 30, a random number ZSEED.sub.A functioning as a key seed is generated, second encryption authentication data AuthEncData.sub.A=EncData.sub.A∥MAC.sub.A=AuthEnc.sub.KEIA(AAD, IV, N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.A) is calculated, a shared key seed Z=ZSEED.sub.A⊕ZSEED.sub.B is calculated, a master key MK=KDF2(N.sub.A,N.sub.B,Z,ID.sub.A,ID.sub.B) is calculated, a first message authentication identifier MacTag.sub.A=MAC(MK, MsgID1∥ID.sub.A∥ID.sub.B∥N.sub.A∥N.sub.B) is calculated, and N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A is sent to the entity B.
[0076] In step 40, after the second message authentication identifier MacTag.sub.B sent by the entity B is received, a second message authentication identifier MacTag.sub.B=MAC(MK, MsgID2∥ID.sub.B∥ID.sub.A∥N.sub.B∥N.sub.A) is calculated, and the calculated MacTag.sub.B is compared with the received MacTag.sub.B. It is determined that an identity of the entity B is valid if the calculated MacTag.sub.B is equal to the received MacTag.sub.B.
[0077] The performing decryption and verification on N.sub.B∥N.sub.A∥AuthEncData.sub.B sent by the entity B after N.sub.B∥N.sub.A∥AuthEncData.sub.B is received in step 20 described above may include step 21 to step 23 in the following.
[0078] In step 21, it is checked whether the received N.sub.A is equal to N.sub.A sent to the entity B, and it is authenticated as incorrect if the received N.sub.A is not equal to N.sub.A sent to the entity B.
[0079] In step 22, a key MKA∥KEIA=KDF1(N.sub.A,N.sub.B,PSK,ID.sub.A,ID.sub.B) is calculated.
[0080] In step 23, EncData.sub.B∥MAC.sub.B in the first encryption authentication data AuthEncData.sub.B is calculated by decrypting with N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.B∥MAC.sub.B=AuthDec.sub.KEIA(AAD,IV,AuthEncData.sub.B); it is determined whether the calculated MAC.sub.B is equal to MAC.sub.B in the received AuthEncData.sub.B, and it is authenticated as incorrect if the calculated MAC.sub.B is not equal to the received MAC.sub.B; it is checked whether ID.sub.A and ID.sub.B obtained by decryption are the same as identifiers of the entity A and the entity B, and it is authenticated as incorrect if the obtained ID.sub.A and ID.sub.B are not the same as the identifiers of the entity A and the entity B; it is checked whether N.sub.A obtained by decryption is equal to N.sub.A sent to the entity B, and it is authenticated as incorrect if the obtained N.sub.A is not equal to N.sub.A sent to the entity B; and it is checked whether N.sub.B obtained by decryption is equal to N.sub.B in the received N.sub.B∥N.sub.A∥AuthEncData.sub.B, and it is authenticated as incorrect if the obtained N.sub.B is not equal to N.sub.B in the received N.sub.B∥N.sub.A∥AuthEncData.sub.B. The first encryption authentication data AuthEncData.sub.B includes EncData.sub.B and MAC.sub.B and is decrypted and authenticated through KEIA. The other authentication data AAD includes protocol parameters and is set as AAD=SEP∥PID, where SEP is a security protocol parameter, PID is a protocol identifier, and both SEP and PID conform to definitions of the Standard ISO/IEC 13157-1. The initial vector IV is generated by a key derivation algorithm and is set as a low 96-bit value of a calculation result of KDF3(MKA,KEIA,N.sub.A,N.sub.B), where KDF3 is a key derivation algorithm.
[0081] It should be noted that, the above verification steps are not necessarily performed in a strict order, and the received N.sub.B∥N.sub.A∥AuthEncData.sub.B is authenticated as incorrect if one of the above authentications has a negative result.
[0082] The second encryption authentication data AuthEncData.sub.A calculated in step 30 described above includes EncData.sub.A and MAC.sub.A and is generated by KEIA calculation. The other authentication data AAD includes protocol parameters and is set as AAD=SEP∥PID, where SEP is a security protocol parameter and PID is a protocol identifier, and both SEP and PID conform to definitions of the Standard ISO/IEC 13157-1. The initial vector IV is generated by a key derivation algorithm and is set as a high 96-bit value of a calculation result of KDF3(MKA,KEIA,N.sub.A,N.sub.B), where KDF3 is a key derivation algorithm.
[0083] Referring to
[0084] In step 100, after a random number N.sub.A sent by the entity A is received, the entity B generates a random number ZSEED.sub.B functioning as a key seed and a random number N.sub.B, calculates first encryption authentication data AuthEncData.sub.B=EncData.sub.B∥MAC.sub.B=AuthEnc.sub.KEIA(AAD, IV, N.sub.B∥N.sub.A∥ID.sub.B∥ID.sub.A∥ZSEED.sub.B), and the entity B sends N.sub.B∥N.sub.A∥AuthEncData.sub.B to the entity A.
[0085] In step 200, the entity B performs decryption and verification on N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A after N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent by the entity A is received; stops authentication if authenticating as incorrect; and performs subsequent steps if authenticating as correct.
[0086] In step 300, the entity B calculates a shared key seed Z=ZSEED.sub.A⊕ZSEED.sub.B, calculates a master key MK=KDF2(N.sub.A,N.sub.B,Z,ID.sub.A,ID.sub.B), calculates a message authentication identifier MacTag.sub.A=MAC(MK, MsgID1∥ID.sub.A∥ID.sub.B∥N.sub.A∥N.sub.B), and compares the calculated MacTag.sub.A with the received MacTag.sub.A; stops authentication if the calculated MacTag.sub.A is not equal to the received MacTag.sub.A; and determines that an identity of the entity A is valid, calculates a message authentication identifier MacTag.sub.B=MAC(MK, MsgID2∥ID.sub.B∥ID.sub.A∥N.sub.B∥N.sub.A), and sends MacTag.sub.B to the entity A, if the calculated MacTag.sub.A is equal to the received MacTag.sub.A.
[0087] Specifically, the calculating first encryption authentication data AuthEncData.sub.B described above may be performed as follows.
[0088] AuthEncData.sub.B includes EncData.sub.B and MAC.sub.B and is generated by KEIA calculation.
[0089] The other authentication data AAD includes protocol parameters and is set as AAD=SEP∥PID, where SEP is a security protocol parameter, PID is a protocol identifier, and both SEP and PID conform to definitions of the Standard ISO/IEC 13157-1.
[0090] The initial vector IV is generated by a key derivation algorithm and is set as a low 96-bit value of a calculation result of KDF3(MKA,KEIA,N.sub.A,N.sub.B), where KDF3 is a key derivation algorithm.
[0091] The performing decryption and verification on N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent by the entity A after N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A is received in step 200 described above may include step 201 to step 203 in the following.
[0092] In step 201, it is checked whether the received N.sub.A is equal to N.sub.A sent to the entity A; and it is authenticated as incorrect if the received N.sub.A is not equal to N.sub.A sent to the entity A.
[0093] In step 202, it is checked whether the received N.sub.B is equal to N.sub.B sent to the entity A; and it is authenticated as incorrect if the received N.sub.B is not equal to N.sub.B sent to the entity A.
[0094] In step 203, EncData.sub.A∥MAC.sub.A in AuthEncData.sub.A is calculated by decrypting with N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.A∥MAC.sub.A=AuthDec.sub.KEIA(AAD,IV,AuthEncData.sub.A); it is determined whether the calculated MAC.sub.A is equal to MAC.sub.A in the received AuthEncData.sub.A, and it is authenticated as incorrect if the calculated MAC.sub.A is not equal to the received MAC.sub.A; it is checked whether ID.sub.A and ID.sub.B obtained by decryption are the same as identifiers of the entity A and the entity B, and it is authenticated as incorrect if the obtained ID.sub.A and ID.sub.B are not the same as the identifiers of the entity A and the entity B; and it is checked whether N.sub.A and N.sub.B obtained by decryption are equal to N.sub.A and N.sub.B sent to the entity A, and it is authenticated as incorrect if the obtained N.sub.A and N.sub.B are not equal to N.sub.A and N.sub.B sent to the entity A. AuthEncData.sub.A includes EncData.sub.A and MAC.sub.A and is decrypted and authenticated through KEIA. The other authentication data AAD includes protocol parameters and is set as AAD=SEP∥PID, where SEP is a security protocol parameter, PID is a protocol identifier, and both SEP and PID conform to definitions of the Standard ISO/IEC 13157-1; the initial vector IV is generated by a key derivation algorithm and is set as a high 96-bit value of a calculation result of KDF3(MKA,KEIA,N.sub.A,N.sub.B), where KDF3 is a key derivation algorithm.
[0095] It should be noted that, the above verification steps are not necessarily performed in a strict order, and the received N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A is authenticated as incorrect if one of the above authentications has a negative result.
[0096] Referring to
[0097] The storing unit 11 is configured to store a pre-shared key PSK with another device and an identifier ID.sub.B of the another device; and the transceiver unit 13 is configured to send a random number N.sub.A to the another device and receive N.sub.B∥N.sub.A∥AuthEncData.sub.B sent by the another device.
[0098] The transceiver unit 13 is further configured to send N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A to the another device and receive a second message authentication identifier MacTag.sub.B sent by the another device.
[0099] The processing unit 12 is configured to generate a random number N.sub.A.
[0100] The processing unit 12 is further configured to perform decryption and verification on N.sub.B∥N.sub.A∥AuthEncData.sub.B sent by the another device.
[0101] The processing unit 12 is further configured to generate a random number ZSEED.sub.A functioning as a key seed, calculate second encryption authentication data AuthEncData.sub.A=EncData.sub.A∥MAC.sub.A=AuthEnc.sub.KEIA(AAD, IV, N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.A), calculate a shared key seed Z=ZSEED.sub.A⊕ZSEED.sub.B, calculate a master key MK=KDF2(N.sub.A,N.sub.B,Z,ID.sub.A,ID.sub.B), calculate a first message authentication identifier MacTag.sub.A=MAC(MK, MsgID1∥ID.sub.A∥ID.sub.B∥N.sub.A∥N.sub.B) and generate N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A. AuthEnc is an encryption authentication algorithm, EncData.sub.A is encryption data generated by the device, MAC.sub.A is an integrity authentication code generated by the device, AAD is other authentication data required by the encryption authentication algorithm, IV is an initial vector, ID.sub.A is an identifier of the device, ID.sub.B is an identifier of the another device, KDF2 is a key derivation algorithm, MsgID1 is a message serial number, MAC is a message authentication code generation algorithm, and “⊕” indicates bitwise exclusive-OR.
[0102] The processing unit 12 is further configured to calculate a second message authentication identifier MacTag.sub.B=MAC(MK, MsgID2∥ID.sub.B∥ID.sub.A∥N.sub.B∥N.sub.A), compare the calculated MacTag.sub.B with MacTag.sub.B sent by the another device, and determine that an identity of the another device is valid if the calculated MacTag.sub.B is equal to MacTag.sub.B sent by the another device.
[0103] The processing unit 12 may be further configured to perform decryption and verification on N.sub.B∥N.sub.A∥AuthEncData.sub.B sent by the another device as follows.
[0104] the processing unit 12 is configured to check whether the received N.sub.A is equal to N.sub.A sent to the another device; and authenticate as incorrect if the received N.sub.A is not equal to N.sub.A sent to the another device;
[0105] the processing unit 12 is configured to calculate a key MKA∥KEIA=KDF1(N.sub.A,N.sub.B,PSK,ID.sub.A,ID.sub.B); and the processing unit 12 is configured to calculate EncData.sub.B∥MAC.sub.B in AuthEncData.sub.B by decrypting with N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.B∥MAC.sub.B=AuthDec.sub.KEIA(AAD,IV,AuthEncData.sub.B); determine whether the calculated MAC.sub.B is equal to MAC.sub.B in the received AuthEncData.sub.B, and authenticate as incorrect if the calculated MAC.sub.B is not equal to MAC.sub.B in the received AuthEncData.sub.B; check whether ID.sub.A and ID.sub.B obtained by decryption are the same as identifiers of the device and the another device, authenticate as incorrect if the obtained ID.sub.A and ID.sub.B are not the same as the identifiers of the device and the another device; check whether N.sub.A obtained by decryption is equal to N.sub.A sent to the another device, authenticate as incorrect if the obtained N.sub.A is not equal to N.sub.A sent to the another device; and check whether N.sub.B obtained by decryption is equal to N.sub.B in N.sub.B∥N.sub.A∥AuthEncData.sub.B, and authenticate as incorrect if the obtained N.sub.B is not equal to N.sub.B in N.sub.B∥N.sub.A∥AuthEncData.sub.B, where AuthDec is a decryption authentication algorithm.
[0106] It should be noted that, the above verification steps are not necessarily performed in a strict order, and N.sub.B∥N.sub.A∥AuthEncData.sub.B sent by the another device is authenticated as incorrect if one of the above authentications has a negative result.
[0107] The processing unit 12 is further configured to calculate encryption authentication data AuthEncData.sub.A, where AuthEncData.sub.A includes EncData.sub.A and MAC.sub.A and is generated by KEIA calculation.
[0108] The other authentication data AAD includes protocol parameters, and the processing unit 12 sets AAD as AAD=SEP∥PID, where SEP is a security protocol parameter, PID is a protocol identifier, and both SEP and PID conform to definitions of the Standard ISO/IEC 13157-1.
[0109] The initial vector IV is generated by a key derivation algorithm, and the processing unit 12 sets the initial vector IV as a high 96-bit value of a calculation result of KDF3(MKA,KEIA,N.sub.A,N.sub.B), where KDF3 is a key derivation algorithm.
[0110] Referring to
[0111] The storing unit 21 is configured to store a pre-shared key PSK with another device and an identifier ID.sub.A of the another device.
[0112] The transceiver unit 23 is configured to receive a random number N.sub.A sent by the another device.
[0113] The transceiver unit 23 is further configured to send N.sub.B∥N.sub.A∥AuthEncData.sub.B to the another device and receive N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent by the another device.
[0114] The transceiver unit 23 is further configured to send a second message authentication identifier MacTag.sub.B to the another device.
[0115] The processing unit 22 is configured to generate a random number ZSEED.sub.B functioning as a key seed and a random number N.sub.B, calculate a key MKA∥KEIA=KDF1(N.sub.A,N.sub.B,PSK,ID.sub.A,ID.sub.B), calculate first encryption authentication data AuthEncData.sub.B=EncData.sub.B∥MAC.sub.B=AuthEnc.sub.KEIA(AAD, IV, N.sub.B∥N.sub.A∥ID.sub.B∥ID.sub.A∥ZSEED.sub.B), and generate N.sub.B∥N.sub.A∥AuthEncData.sub.B. In which, MKA is an authentication key, KEIA is a message encryption and integrity key, KDF1 is a key derivation algorithm, ID.sub.B is an identifier of the device, ID.sub.A is an identifier of the another device, AuthEnc is an encryption authentication algorithm, EncData.sub.B is encryption data generated by the device, MAC.sub.B is an integrity authentication code generated by the device, AAD is other authentication data required by the encryption authentication algorithm, and IV is an initial vector.
[0116] The processing unit 22 is further configured to perform decryption and verification on N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent by the another device.
[0117] The processing unit 22 is further configured to calculate a shared key seed Z=ZSEED.sub.A⊕ZSEED.sub.B, calculate a master key MK=KDF2(N.sub.A,N.sub.B,Z,ID.sub.A,ID.sub.B), calculate a first message authentication identifier MacTag.sub.A=MAC(MK, MsgID1∥ID.sub.A∥ID.sub.B∥N.sub.A∥N.sub.B), and compare the calculated MacTag.sub.A with the received MacTag.sub.A; stop authentication if the calculated MacTag.sub.A is not equal to the received MacTag.sub.A; and determine that an identity of the another device is valid and calculate a second message authentication identifier MacTag.sub.B=MAC(MK, MsgID2∥ID.sub.B∥ID.sub.A∥N.sub.B∥N.sub.A) if the calculated MacTag.sub.A is equal to the received MacTag.sub.A.
[0118] The processing unit 22 is further configured to perform decryption and verification on N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent by the another device as follows.
[0119] The processing unit 22 is configured to check whether the received N.sub.A is equal to N.sub.A sent to the another device; and authenticate as incorrect if the received N.sub.A is not equal to N.sub.A sent to the another device.
[0120] The processing unit 22 is configured to check whether the received N.sub.B is equal to N.sub.B sent to the another device; and authenticate as incorrect if the received N.sub.B is not equal to N.sub.B sent to the another device.
[0121] The processing unit 22 is configured to calculate EncData.sub.A∥MAC.sub.A in AuthEncData.sub.A by decrypting with N.sub.A∥N.sub.B∥ID.sub.A∥ID.sub.B∥ZSEED.sub.A∥MAC.sub.A=AuthDec.sub.KEIA(AAD,IV,AuthEncData.sub.A); determine whether the calculated MAC.sub.A is equal to MAC.sub.A in the received AuthEncData.sub.A, and authenticate as incorrect if the calculated MAC.sub.A is not equal to the received MAC.sub.A; check whether ID.sub.A and ID.sub.B obtained by decryption are the same as identifiers of the another device and the device, and authenticate as incorrect if the obtained ID.sub.A and ID.sub.B are not the same as the identifiers of the another device and the device; and check whether N.sub.A and N.sub.B obtained by decryption are equal to N.sub.A and N.sub.B sent to the another device, and authenticate as incorrect if the obtained N.sub.A and N.sub.B are not equal to N.sub.A and N.sub.B sent to the another device.
[0122] It should be noted that, the above verification steps are not necessarily performed in a strict order, and N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent by the another device is authenticated as incorrect if one of the above authentications has a negative result.
[0123] AuthEncData.sub.B includes EncData.sub.B and MAC.sub.B and is generated by KEIA calculation. The other authentication data AAD includes protocol parameters and is set as AAD=SEP∥PID, where SEP is a security protocol parameter, PID is a protocol identifier, and both SEP and PID conform to definitions of the Standard ISO/IEC 13157-1; and the initial vector IV is generated by a key derivation algorithm and is set as a low 96-bit value of a calculation result of KDF3(MKA,KEIA,N.sub.A,N.sub.B), where KDF3 is a key derivation algorithm.
[0124]
[0125] In summary, in the present disclosure, identity authentication between entities having a key negotiation function is implemented based on a symmetric cipher algorithm, and the solution may be applied widely. For example, the technical solution of the present disclosure may be adapted to fields of communication based on an air interface, such as radio frequency identification (RFID), a wireless sensor network (WSN), near field communication (NFC), a non-contact card and a wireless local area network (WLAN). The entity A and the entity B may be a reader/writer and a tag in the RFID field, nodes in the sensor network, terminal apparatuses in the NFC field, a card reader and a card in the technical field of the non-contact card, a terminal and an access point in the wireless local area network, or the like.
[0126] In addition, in a preferred embodiment of the present disclosure, when the technical solution of the present disclosure is applied to an NFC field, N.sub.A sent from the entity A to the entity B is transmitted after being encapsulated in an ACT_REQ protocol data unit, N.sub.B∥N.sub.A∥AuthEncData.sub.B sent from the entity B to the entity A is transmitted after being encapsulated in an ACT_RES protocol data unit, N.sub.A∥N.sub.B∥AuthEncData.sub.A∥MacTag.sub.A sent from the entity A to the entity B is transmitted after being encapsulated in a VFY_REQ protocol data unit, and MacTag.sub.B sent from the entity B to the entity A is transmitted after being encapsulated in a VFY_RES protocol data unit, where ACT_REQ, ACT_RES, VFY_REQ and VFY_RES are protocol data unit formats conforming to definitions of the Standard ISO/IEC 13157-1. By encapsulating in this way, the technical solutions of the present disclosure are more compatible with other existing security mechanisms of the NFC.
[0127] It should be understood by those skilled in the art that the embodiments of the present disclosure may be implemented as a method, a system or a computer program product. Therefore, the present disclosure may be implemented by only hardware embodiments, only software embodiments or embodiments combining software with hardware. Alternatively, the present disclosure may be implemented as computer program products implemented on one or more computer available storage mediums (including but not limited to a magnetic disk memory, CD-ROM and an optical memory or the like) including computer readable program codes.
[0128] The present disclosure is described with reference to flowcharts and/or block diagrams of the methods, apparatus (systems) and computer program products according to the present disclosure. It should be understood that, each flow and/or block in the flowcharts and/or block diagrams and a combination of flows and/or blocks in the flowcharts and/or block diagrams may be implemented by computer program instructions. The computer program instructions may be provided to a general-purpose computer, a dedicated computer, an embedded processor or processors of other programmable data processing apparatus to generate a machine, such that the instructions executed by the computer or the processors of the other programmable data processing apparatus generate a device for implementing functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
[0129] The computer program instructions may also be stored in a computer readable memory which can guide the computer or other programmable data processing apparatus to operate in a certain manner, such that the instructions stored in the computer readable memory generate a product including an instruction device which implements functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
[0130] The computer program instructions may also be loaded to the computer or other programmable data processing apparatus, such that the computer or other programmable apparatus perform a series of operation steps to generate processing implemented by the computer, and thus the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
[0131] Although the preferred embodiments of the present disclosure are described, those skilled in the art may make additional changes and modifications to the embodiments once they know the basic inventive concepts. Therefore, the appended claims are intended to be explained as including the preferred embodiments and all changes and modifications falling within the scope of the present disclosure.
[0132] Apparently, those skilled in the art may make various changes and variations to the present disclosure without departing from the spirit and scope of the present disclosure. In this case, if the changes and variations of the present disclosure fall within the scope of the claims of the present disclosure and equivalent technologies thereof, the present disclosure is intended to include the changes and variations.