CN110753023A - Equipment authentication method, equipment access method and device - Google Patents

Info

Publication number: CN110753023A
Authority: CN (China)
Prior art keywords: user, equipment, identity, authentication information, list
Legal status: Granted; currently Active
Application number: CN201810821751.8A
Other languages: Chinese (zh)
Other versions: CN110753023B (en)
Inventor: 吴总路
Current Assignee: Alibaba Group Holding Ltd
Original Assignee: Alibaba Group Holding Ltd
Application filed by: Alibaba Group Holding Ltd
Priority to: CN201810821751.8A
Classifications

    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/101 Access control lists [ACL]
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3213 Entity authentication involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3247 Entity authentication or message authentication involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Facsimiles In General (AREA)

Abstract

The embodiments of the application provide a device authentication method, a device access method and corresponding apparatus. The device authentication method comprises the following steps: sending a device authentication information synchronization request to a server; receiving the device authentication information returned by the server; receiving an identity authentication request sent by a user, where the identity authentication request comprises user authentication information that the user generated from the user information the server returned to the user's earlier user information request; and authenticating the user using the device authentication information and the user authentication information. After the device has synchronized its device authentication information, it uses that information together with the user authentication information to authenticate the user, and accepts access from a local area network user only after successful authentication. This avoids the security hole that arises when local area network users are not authenticated, and achieves identity authentication of users by the device and secure sharing of Internet of Things devices.

Description

Equipment authentication method, equipment access method and device
Technical Field
The present application relates to the field of communications technologies, and in particular to a device authentication method, a device access method, and a corresponding device authentication apparatus and device access apparatus.
Background
With the development of the technology of the internet of things, the internet of things is widely applied. The internet of things can comprise a server, a gateway and internet of things equipment, and the internet of things equipment is connected with the server through the gateway.
An Internet of Things device may be a device with a communication function that contains various sensors; such devices support functions such as data acquisition, preliminary processing, encryption and transmission. Besides the device manager, other users can be authorized to use an Internet of Things device, so that the device is shared. At present, sharing of an Internet of Things device can be achieved in two ways: accessing the device through a server, or accessing it through the local area network in which the device is located. However, both ways have the following problems:
(1) the Internet of Things device and the server are not connected around the clock, so a user cannot access the device through the server while the two are disconnected;
(2) when the device is accessed through the local area network, the device either does not authenticate the accessing user at all or must store the user's identity authentication information in advance;
(3) when the device is offline, no user identity authentication information can be added to it.
Disclosure of Invention
In view of the above problems, embodiments of the present application are proposed to provide a device authentication method, a device access method, and a device authentication apparatus and a device access apparatus that overcome or at least partially solve the above problems.
In order to solve the above problem, an embodiment of the present application discloses an apparatus authentication method, where the method includes:
sending a device authentication information synchronization request to a server;
receiving equipment authentication information returned by the server;
receiving an identity authentication request sent by a user, wherein the identity authentication request comprises user authentication information, and the user authentication information is generated by receiving user information returned by the server after the user sends a user information request to the server;
and authenticating the user by adopting the equipment authentication information and the user authentication information.
Optionally, the device authentication information includes a device identifier, a device key and a revocation list.
Optionally, after the step of receiving the device authentication information returned by the server, the method further includes:
encrypting the device key;
and storing the equipment identifier, the encrypted equipment key and the revocation list.
Optionally, the user information includes a user identity and a user access token, and the user authentication information is generated by:
generating a first random string;
calculating a user signature value over the first random string and the user access token using a first preset digest algorithm;
and taking the user identity, the first random string and the user signature value as the user authentication information.
Optionally, the step of authenticating the user using the device authentication information and the user authentication information includes:
judging whether the user identity is legal;
if the user identity is legal, calculating a device access token over the user identity and the device key using a second preset digest algorithm, where the second preset digest algorithm is the algorithm the server uses to create the user access token when it receives the user information request sent by the user;
calculating a device signature value over the device access token and the first random string using the first preset digest algorithm;
and if the device signature value is consistent with the user signature value, determining that the authentication is successful.
Optionally, the step of judging whether the user identity is legal includes:
checking whether the user identity exists in the revocation list and/or checking whether the user identity matches the device identifier;
if the user identity does not exist in the revocation list and matches the device identifier, determining that the user identity is legal;
and if the user identity exists in the revocation list or does not match the device identifier, determining that the user identity is illegal.
Optionally, the method further comprises:
when a regenerated device identifier pushed by the server is received, emptying the revocation list;
and when a revocation list pushed by the server is received, replacing the locally stored revocation list with the received one.
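The device-side and user-side steps above, run end to end as an added Python example; this is not the patent's own code. The names (Server, Device, build_user_auth_info, run_demo), the choice of HMAC-SHA256 for both "preset digest algorithms", the user identity encoding "<device identifier>.<hex of the second random string>", and direct method calls standing in for network messages are all assumptions the patent does not fix. The server-side steps (look up or generate the device identifier, key and revocation list; reuse or create the user identity; derive the user access token from the user identity and the device key) are included so that the three parties can be run together offline.

```python
"""Three-party exchange: server provisions the device, the user fetches an
access token from the server, and the device verifies the user without
contacting the server.  Added illustration, not the patent's own code.
Assumptions: HMAC-SHA256 as both preset digest algorithms; user identity is
"<device id>.<random hex>"; constant-time signature comparison."""
import hashlib
import hmac
import os


def digest(key: bytes, msg: bytes) -> str:
    """Stand-in for both preset digest algorithms (assumption: HMAC-SHA256)."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    """Holds device authentication info and the users' device access lists."""

    def __init__(self) -> None:
        self.devices = {}      # device name -> {"id", "key", "revoked"}
        self.access = {}       # user name -> set of device names
        self.identities = {}   # (user name, device name) -> user identity

    def sync_device_auth_info(self, device_name: str):
        """Return (device identifier, device key, revocation list),
        generating all three on the device's first synchronization."""
        rec = self.devices.setdefault(
            device_name,
            {"id": os.urandom(8).hex(), "key": os.urandom(32), "revoked": set()})
        return rec["id"], rec["key"], sorted(rec["revoked"])

    def add_user(self, user_name: str, device_name: str) -> None:
        """Device manager grants access: the device enters the user's access list."""
        self.access.setdefault(user_name, set()).add(device_name)

    def user_info(self, user_name: str, device_name: str):
        """Return (user identity, user access token) for an authorized user,
        creating a new identity if none exists or it no longer matches the
        device identifier."""
        if device_name not in self.access.get(user_name, ()):
            raise PermissionError(f"{user_name} may not access {device_name}")
        rec = self.devices[device_name]
        uid = self.identities.get((user_name, device_name))
        if uid is None or uid.split(".")[0] != rec["id"]:
            uid = f"{rec['id']}.{os.urandom(8).hex()}"   # encode(device id, random 2)
            self.identities[(user_name, device_name)] = uid
        token = digest(rec["key"], uid.encode())          # second preset digest
        return uid, token


def build_user_auth_info(uid: str, token: str):
    """User side: a first random string and a signature over it under the token."""
    r1 = os.urandom(16)
    return uid, r1, digest(token.encode(), r1)            # first preset digest


class Device:
    """IoT device: authenticates LAN users with the synchronized auth info."""

    def __init__(self, name: str) -> None:
        self.name, self.device_id, self.device_key, self.revoked = name, None, None, set()

    def sync(self, server: Server) -> None:
        self.device_id, self.device_key, revoked = server.sync_device_auth_info(self.name)
        self.revoked = set(revoked)

    def identity_is_legal(self, uid: str) -> bool:
        """Legal = not on the revocation list and encodes this device's identifier."""
        return uid not in self.revoked and uid.split(".")[0] == self.device_id

    def authenticate(self, uid: str, r1: bytes, user_sig: str) -> bool:
        if not self.identity_is_legal(uid):
            return False
        device_access_token = digest(self.device_key, uid.encode())  # recompute the token
        device_sig = digest(device_access_token.encode(), r1)        # sign the same random
        return hmac.compare_digest(device_sig, user_sig)


def run_demo():
    """Returns (legitimate user accepted, wrong token rejected, other device's identity rejected)."""
    server = Server()
    cam, lock = Device("camera-1"), Device("lock-1")
    cam.sync(server)
    lock.sync(server)
    server.add_user("alice", "camera-1")
    server.add_user("alice", "lock-1")
    uid, token = server.user_info("alice", "camera-1")
    accepted = cam.authenticate(*build_user_auth_info(uid, token))
    wrong_token = cam.authenticate(*build_user_auth_info(uid, "0" * 64))
    lock_uid, lock_token = server.user_info("alice", "lock-1")
    cross_device = cam.authenticate(*build_user_auth_info(lock_uid, lock_token))
    return accepted, wrong_token, cross_device


if __name__ == "__main__":
    print(run_demo())
```

The device never stores per-user secrets: it recomputes the user access token from its own device key and the presented identity, which is why the patent can add users on the server while the device is offline. Binding the identity to the device identifier is what stops an identity issued for one device from being replayed at another.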
In order to solve the above problem, an embodiment of the present application discloses an apparatus authentication method, where the method includes:
receiving a device authentication information synchronization request sent by a device;
acquiring equipment authentication information of the equipment;
sending the device authentication information to the device;
when a request to add a user, sent by the device manager, is received, adding the device to the device access list of that user;
when a user information request for the device, sent by a user, is received, obtaining the user information of that user;
and sending the user information to the user, where the user generates user authentication information from the user information and the device authenticates the user using the device authentication information and the user authentication information.
Optionally, the device authentication information includes a device identifier, a device key and a revocation list, and the step of obtaining the device authentication information of the device includes:
searching whether a device identifier of the device exists;
if the device identifier exists, obtaining the device identifier, the device key and the revocation list;
and if no device identifier of the device exists, generating the device identifier, a device key and a revocation list.
Optionally, the user information includes a user identity and a user access token, and the step of obtaining the user information of the user includes:
if a user identity of the user exists and matches the device identifier, obtaining that user identity and its corresponding user access token;
and if no user identity of the user exists, or the user identity does not match the device identifier, creating the user identity and generating a user access token using a preset digest algorithm.
Optionally, the step of creating the user identity and generating the user access token using a preset digest algorithm includes:
generating a second random string;
encoding the device identifier and the second random string to obtain the user identity;
and calculating the user access token over the user identity and the device key using the preset digest algorithm.
Optionally, the method further comprises:
when a request to cancel a user, sent by the device manager, is received, deleting the device from the device access list of that user;
adding the user identity of that user to a preset revocation list;
if the length of the revocation list is smaller than a preset value, sending the revocation list to the device, which replaces its locally stored revocation list with the received one;
if the length of the revocation list is greater than or equal to the preset value, emptying the revocation list;
regenerating the device identifier;
and sending the regenerated device identifier to the device, which empties its locally stored revocation list when it receives the regenerated device identifier.
Optionally, the user identity includes the device identifier and the second random string, and the step of adding the user identity of the user to the preset revocation list includes:
adding the user identity, or the second random string, to the revocation list.
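The cancel-user procedure above (revocation list, preset length threshold, device identifier regeneration, and the device emptying its list when a new identifier arrives), as an added Python example that is not the patent's own code. The threshold value 3, the identity encoding "<device identifier>.<random hex>", the names (Device, Server, run_demo) and direct method calls standing in for the server's pushes are assumptions. The example also carries the earlier server-side step for a still-authorized user: after the identifier is rotated, a user information request reissues an identity bound to the new identifier.

```python
"""Revocation-list maintenance between server and device.  Added
illustration, not the patent's own code.  Assumptions: threshold 3,
user identity "<device id>.<random hex>", pushes are direct calls."""
import os

REVOKE_LIST_LIMIT = 3   # the "preset value" (assumed)


class Device:
    """Device-side handling of the two pushes the server can send."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self.revoked = set()

    def receive_revoke_list(self, revoked) -> None:
        self.revoked = set(revoked)          # replace the local copy wholesale

    def receive_device_id(self, new_id: str) -> None:
        self.device_id = new_id              # old identities no longer match ...
        self.revoked.clear()                 # ... so the list can be emptied

    def identity_is_legal(self, uid: str) -> bool:
        return uid not in self.revoked and uid.split(".")[0] == self.device_id


class Server:
    """Server-side bookkeeping for one device."""

    def __init__(self, device: Device) -> None:
        self.device = device
        self.device_id = device.device_id
        self.revoked = []                    # revocation list kept for this device
        self.access = {}                     # user -> identity for this device

    def add_user(self, user: str) -> str:
        """Grant access; issue an identity bound to the current device identifier."""
        uid = f"{self.device_id}.{os.urandom(4).hex()}"
        self.access[user] = uid
        return uid

    def user_info(self, user: str) -> str:
        """Reuse the identity if it still matches the device identifier, else create one."""
        uid = self.access.get(user)
        if uid is None:
            raise PermissionError(f"{user} has no access to this device")
        if uid.split(".")[0] != self.device_id:
            uid = self.add_user(user)        # reissue under the rotated identifier
        return uid

    def cancel_user(self, user: str) -> str:
        """Revoke access.  Returns which push was sent: 'list' or 'new_id'."""
        uid = self.access.pop(user)
        self.revoked.append(uid)
        if len(self.revoked) < REVOKE_LIST_LIMIT:
            self.device.receive_revoke_list(self.revoked)
            return "list"
        # list full: rotate the device identifier instead of growing the list
        self.revoked.clear()
        self.device_id = os.urandom(8).hex()
        self.device.receive_device_id(self.device_id)
        return "new_id"


def run_demo():
    """Trace of three cancellations against a threshold of 3."""
    dev = Device(os.urandom(8).hex())
    srv = Server(dev)
    ids = {u: srv.add_user(u) for u in ("alice", "bob", "carol", "dave")}
    trace = []
    trace.append(dev.identity_is_legal(ids["alice"]))     # nothing revoked yet
    trace.append(srv.cancel_user("alice"))                 # list length 1 -> pushed
    trace.append(dev.identity_is_legal(ids["alice"]))     # now on the list
    trace.append(dev.identity_is_legal(ids["bob"]))       # unaffected
    trace.append(srv.cancel_user("bob"))                   # length 2 -> pushed
    trace.append(srv.cancel_user("carol"))                 # length 3 -> rotate identifier
    trace.append(len(dev.revoked))                         # device emptied its list
    trace.append(dev.identity_is_legal(ids["carol"]))     # fails the identifier match
    trace.append(dev.identity_is_legal(ids["dave"]))      # stale identity also fails
    trace.append(dev.identity_is_legal(srv.user_info("dave")))  # fresh identity passes
    return trace


if __name__ == "__main__":
    print(run_demo())
```

Rotating the device identifier bounds the list the device has to store: every identity issued before the rotation fails the match check without needing an entry, at the cost that still-authorized users must fetch a new identity from the server before their next local access.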
In order to solve the above problem, an embodiment of the present application discloses a device access method, where the method includes:
when an access request sent by a user is received, authenticating the user; if the authentication is successful, accepting the access of the user;
wherein authenticating the user comprises:
sending a device authentication information synchronization request to a server;
receiving equipment authentication information returned by the server;
receiving an identity authentication request sent by a user, wherein the identity authentication request comprises user authentication information, and the user authentication information is generated by receiving user information returned by the server after the user sends a user information request to the server;
and authenticating the user by adopting the equipment authentication information and the user authentication information.
In order to solve the above problem, an embodiment of the present application discloses an apparatus for authenticating a device, where the apparatus includes:
the synchronous request sending module is used for sending a device authentication information synchronous request to the server;
the equipment authentication information receiving module is used for receiving the equipment authentication information returned by the server;
the identity authentication request receiving module is used for receiving an identity authentication request sent by a user, wherein the identity authentication request comprises user authentication information, and the user authentication information is information generated by user information returned by the server after the user sends a user information request to the server;
and the authentication module is used for authenticating the user by adopting the equipment authentication information and the user authentication information.
Optionally, the device authentication information includes a device identifier, a device key and a revocation list.
Optionally, the apparatus further comprises:
an encryption module for encrypting the device key;
and a storage module for storing the device identifier, the encrypted device key and the revocation list.
Optionally, the user information includes a user identity and a user access token, and the user authentication information is generated by:
a first random string generating module for generating a first random string;
a user signature value calculation module for calculating a user signature value over the first random string and the user access token using a first preset digest algorithm;
and a user authentication information determining module for taking the user identity, the first random string and the user signature value as the user authentication information.
Optionally, the authentication module comprises:
the legal judgment submodule is used for judging whether the user identity is legal or not;
the equipment access token generation submodule is used for calculating the user identity identifier and the equipment key by adopting a second preset digest algorithm to generate an equipment access token if the user identity identifier is legal, wherein the second preset digest algorithm is an algorithm for creating the user access token when the server receives a user information request sent by the user;
a device signature value calculation submodule for calculating a device signature value over the device access token and the first random string using the first preset digest algorithm;
and the authentication success determining submodule is used for determining that the authentication is successful if the device signature value is consistent with the user signature value.
Optionally, the legality judging submodule includes:
a user identity checking unit for checking whether the user identity exists in the revocation list, and/or a user identity matching unit for checking whether the user identity matches the device identifier;
a legality determining unit for determining that the user identity is legal if it does not exist in the revocation list and matches the device identifier;
and an illegality determining unit for determining that the user identity is illegal if it exists in the revocation list or does not match the device identifier.
Optionally, the apparatus further comprises:
a revocation list emptying module for emptying the revocation list when a regenerated device identifier pushed by the server is received;
and a revocation list replacing module for replacing the locally stored revocation list with the received revocation list when a revocation list pushed by the server is received.
In order to solve the above problem, an embodiment of the present application discloses an apparatus for authenticating a device, where the apparatus includes:
a synchronization request receiving module, configured to receive a device authentication information synchronization request sent by a device;
the equipment authentication information acquisition module is used for acquiring equipment authentication information of the equipment;
the equipment authentication information sending module is used for sending the equipment authentication information to the equipment;
a device adding module for adding the device to the device access list of a user when a request to add that user, sent by the device manager, is received;
a user information obtaining module for obtaining the user information of a user when a user information request for the device, sent by that user, is received;
and a user information sending module for sending the user information to the user, where the user generates user authentication information from the user information and the device authenticates the user using the device authentication information and the user authentication information.
Optionally, the device authentication information includes a device identifier, a device key, and a revocation list, and the device authentication information obtaining module includes:
the device identifier searching submodule is used for searching whether the device identifier of the device exists or not;
the equipment authentication information acquisition submodule is used for acquiring the equipment identifier, the equipment key and the revoke list if the equipment identifier exists;
and the equipment authentication information generation sub-module is used for generating the equipment identifier, the equipment key and the revocation list if the equipment identifier of the equipment does not exist.
Optionally, the user information includes a user identity and a user access token, and the user information obtaining module includes:
a user information obtaining submodule for obtaining the user identity and its corresponding user access token if a user identity of the user exists and matches the device identifier;
and a user information creating submodule for creating the user identity and generating a user access token using a preset digest algorithm if no user identity of the user exists or it does not match the device identifier.
Optionally, the user information creating sub-module includes:
a second random character string generation unit configured to generate a second random character string;
a user identity generating unit, configured to encode the device identifier and the second random character string to obtain the user identity;
and a user access token calculation unit for calculating the user access token over the user identity and the device key using the preset digest algorithm.
Optionally, the apparatus further comprises:
a delete device module configured to delete the device from a device access list of the user when receiving a request for canceling the user sent by a manager of the device;
the revoke list adding module is used for adding the user identity identification of the user into a preset revoke list;
a revocation list sending module for sending the revocation list to the device if the length of the revocation list is smaller than a preset value, the device replacing its locally stored revocation list with the received one;
a revocation list emptying module for emptying the revocation list if its length is greater than or equal to the preset value;
a device identifier generating module for regenerating the device identifier;
and a device identifier sending module for sending the regenerated device identifier to the device, which empties its locally stored revocation list when it receives the regenerated device identifier.
Optionally, the user identity includes an equipment identity and the second random character string, and the revoke list adding module includes:
and the revoke list adding submodule is used for adding the user identity or the second random character string into the revoke list.
In order to solve the above problem, an embodiment of the present application discloses an apparatus for accessing a device, where the apparatus includes:
the authentication module is used for authenticating the user when receiving an access request sent by the user;
the access accepting module is used for accepting the access of the user if the authentication is successful;
wherein the authentication module comprises:
the synchronous request sending submodule is used for sending a device authentication information synchronous request to the server;
the equipment authentication information receiving submodule is used for receiving the equipment authentication information returned by the server;
the identity authentication request receiving submodule is used for receiving an identity authentication request sent by a user, wherein the identity authentication request comprises user authentication information, and the user authentication information is information generated by user information returned by the server after the user sends a user information request to the server;
and an authentication submodule for authenticating the user using the device authentication information and the user authentication information.
In order to solve the above problem, an embodiment of the present application discloses an apparatus, including: one or more processors; and one or more machine readable media having instructions stored thereon, which when executed by the one or more processors, cause the apparatus to perform the device authentication method and the device access method disclosed in embodiments of the present application.
To solve the above-mentioned problems, embodiments of the present application disclose one or more machine-readable media having instructions stored thereon, which when executed by one or more processors, cause an apparatus to perform a device authentication method and a device access method disclosed in embodiments of the present application.
The embodiment of the application has the following advantages:
in the embodiment of the application, equipment sends an equipment authentication information synchronization request to a server, after equipment authentication information returned by the server is received, when an identity authentication request sent by a user is received, the user is authenticated by adopting the equipment authentication information and user authentication information in the identity authentication request, and the user authentication information is information generated by the user information returned by the server after the user sends the user information request to the server; if the authentication is successful, the access of the user is accepted, in the embodiment of the application, after the equipment synchronizes the equipment authentication information, the equipment authentication information and the user authentication information are adopted to authenticate the user, and if the authentication is successful, the equipment accepts the access of the local area network user, so that the problem of security holes caused by the fact that the local area network user does not perform identity authentication can be avoided, and the identity authentication of the local area network access user by the equipment and the secure sharing of the Internet of things equipment are realized.
In the embodiment of the application, the device manager can directly add and cancel the access right of the user to the server for the device, is irrelevant to whether the device is online or not, can add and cancel the access right of the user to the device when the device is offline, simultaneously avoids the problem that the user cannot be added to the device due to limited storage capacity of the device when the user is added to the device, and can add the user to the device without limit on the server.
In the embodiment of the application, the server maintains a revocation list for the device; after receiving a request from the device manager to cancel a user, the server adds the user identity identifier to the revocation list, so that the device manager can conveniently cancel a user's right to access the device.
Drawings
Fig. 1 is a flowchart of the steps of embodiment 1 of a device authentication method of the present application;
Fig. 2 is a flowchart of the steps of embodiment 2 of a device authentication method of the present application;
Fig. 3 is an interaction flow diagram of an example of a device authentication method of the present application;
Fig. 4 is a flowchart of the steps of an embodiment of a device access method of the present application;
Fig. 5 is a block diagram of a device authentication apparatus according to embodiment 1 of the present application;
Fig. 6 is a block diagram of a device authentication apparatus according to embodiment 2 of the present application;
Fig. 7 is a block diagram of an embodiment of a device access apparatus according to the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.
Referring to Fig. 1, a flowchart of the steps of device authentication method embodiment 1 of the present application is shown. The device authentication method of this embodiment may be applied at the device side and may specifically include the following steps:
step 101, sending a device authentication information synchronization request to a server.
In this embodiment, the device may be an Internet of Things device, which may include sensor devices such as a radio frequency identification device, an infrared sensor, an environmental sensor, a global positioning system, a PDA handheld terminal, an RFID reader, and the like. The sensor device collects data, processes it in its central processing module, and sends it according to a network protocol, via an external communication interface such as a GPRS module, a LoRa module, an Ethernet interface or WIFI, to a designated central processing platform on the Internet.
In practical applications, Internet of Things devices may be connected to the server through a gateway. In a LoRa Internet of Things deployment, for example, several LoRa devices connect to a LoRa gateway through their LoRa modules and the LoRa gateway connects to the server; the LoRa devices and the LoRa gateway then constitute the local area network, and the LoRa gateway and the server constitute the Internet side.
After the device is connected to the server, it may send a device authentication information synchronization request to the server in order to synchronize the device authentication information. The request may be sent immediately after the device connects to the server successfully, according to a preset period or at a preset time, or when the device manager manually triggers the device to send it.
Step 102, receiving the device authentication information returned by the server.
In this embodiment, the server may maintain a device identifier, a device key and a revocation list for each device connected to it, and may regenerate a new device identifier and device key each time it clears the revocation list of the device. In the embodiment of the present application, the device identifier, the device key and the revocation list may serve as the device authentication information of the device. The device identifier may be a random string generated by the server and need not be kept secret; the device key may be a random string generated by the server and paired with the device identifier, stored by both the server and the device, and must be kept secret; the revocation list may be a list of users whose access permission has been cancelled, and the device denies users in the revocation list access to the device through the local area network where the device is located.
After receiving the device authentication information synchronization request sent by the device, the server may first judge whether a device identifier of the device exists. If so, the server obtains the device identifier and the device key and revocation list corresponding to it; if not, the server creates the device identifier for the device together with a corresponding device key and revocation list. The server then returns the device identifier, device key and revocation list to the device as its device authentication information.
In this embodiment of the application, after receiving the device authentication information, the device may further encrypt the device key in it and store the device identifier, the encrypted device key and the revocation list. Encrypting the device key avoids the potential safety hazard caused by leakage of the device key.
Step 103, receiving an identity authentication request sent by a user, where the identity authentication request includes user authentication information, and the user authentication information is information generated by user information returned by the server after the user sends a user information request to the server.
The device manager may add a user who is allowed to access the device, that is, add a sharing user for the device. For example, the device manager generates a sharing two-dimensional code and displays it to other users; a user who needs to access the device scans the code, which sends a request to add the user to the server. Alternatively, the device manager directly enters the user information and sends the add-user request to the server. After receiving the add-user request from the device manager, the server may add the device to the device access list of the user and may generate user information, such as a user identity identifier and a user access token, for the user.
When a user sends a user information request for the device to the server, the server first checks whether a user identity identifier of the user exists and is valid, where valid means that the user identity identifier is not in the revocation list. If the user identity identifier exists and is valid, the server obtains it together with the corresponding user access token; otherwise, the server creates a user identity identifier and a corresponding user access token. The server then sends the user identity identifier and the corresponding user access token to the user.
When a user needs to access the device, the user may send an identity authentication request to the device through the local area network where the device is located. The identity authentication request carries user authentication information, which is generated from the user information returned by the server after the user sent a user information request to the server. Specifically, the user authentication information may be generated at the user side as follows:
Sub-step S11, generating a first random string.
The user terminal may be a device and/or an application used by the user, and the random string may be generated at the user terminal; for example, the random string may be generated by a math.
Sub-step S12, calculating the first random string and the user access token with a first preset digest algorithm to obtain a user signature value.
In the embodiment of the present application, the first preset digest algorithm may be one of md5, sha1, hmacmd5, hmacsha1 and hmacsha256. The user access token is generated by the server, after it has generated the user identity identifier of the user, by calculating the user identity identifier and the device key with a preset digest algorithm. For example:
Device identifier Authcode: a random string generated by the server; it need not be kept secret.
Device key secret: a random string generated by the server and stored by both the server and the device; it must be kept secret (encrypted).
User identity identifier accesskey: encoded from Authcode and generated by the server, for example accesskey = Authcode + seq + other encoded information, where seq may be a random string of fixed length.
User access token accessToken: the result of signing accesskey with secret, equivalent to the password corresponding to accesskey; it is generated by the server and must be kept secret. For example accessToken = digest(accesskey, secret), where the digest algorithm may be one of md5, sha1, hmacmd5, hmacsha1 and hmacsha256.
Since the device identifier Authcode and the device key secret are unique and occur in pairs, the server can generate a corresponding user identity identifier accesskey and user access token accessToken for each user, and the device can authenticate a user's identity without storing accesskey or accessToken itself. Specifically, the user side calculates the first random string and the user access token with the first preset digest algorithm to obtain the user signature value.
For example, assuming that the first random string is ra, the user access token is accessToken, the user signature value is sign, and the first preset digest algorithm is hmacmd5, then
sign = hmacmd5(ra, accessToken).
Of course, other digest algorithms may also be used; the first preset digest algorithm is not limited in the embodiment of the present application.
Sub-step S13, determining the user identity identifier, the first random string and the user signature value as the user authentication information.
After the user terminal generates the user signature value, the user identity identifier, the first random string and the user signature value may be used as the user authentication information and included in the identity authentication request; for example, the user identity identifier accesskey, the first random string ra and the user signature value sign are included in the identity authentication request and sent to the device.
Step 104, authenticating the user by adopting the device authentication information and the user authentication information.
After receiving an identity authentication request sent by a local area network user, the device may authenticate the user using the device authentication information and the user authentication information. Specifically, step 104 may include the following sub-steps:
Sub-step S21, determining whether the user identity identifier is legal.
Whether the user identity identifier is legal may be judged by whether it matches the device identifier, or by whether the device manager has revoked the access of the user corresponding to the user identity identifier. The user identity identifier may be a string encoded from the device identifier; for example, if the user identity identifier is accesskey and the device identifier is Authcode, then
accesskey = Authcode + seq + encoded information,
where Authcode and seq may be random strings. Whether the user is a user of the device can be determined from the device identifier Authcode contained in the user identity identifier accesskey, so the legality of the user identity identifier can be judged using the device identifier. Sub-step S21 may specifically include the following sub-steps:
Sub-step S211, checking whether the user identity identifier exists in the revocation list, and/or checking whether the user identity identifier matches the device identifier.
The device manager can authorize a user to access the device through the local area network and can also cancel that authority, that is, add the user identity identifier to the revocation list of the device. The device can therefore check whether the user identity identifier exists in the revocation list, and if it does, the user identity identifier is illegal; it can also check whether the user identity identifier matches the device identifier, and if it does not, the user identity identifier is illegal.
Sub-step S212, if the user identity identifier does not exist in the revocation list and matches the device identifier, determining that the user identity identifier is legal.
If the user identity identifier does not exist in the revocation list, the device manager has not cancelled the user's access to the device, and if it also matches the device identifier, the user is a user of the device; the user identity identifier is therefore determined to be legal.
For example, if the user identity identifier accesskey is not stored in the revocation list and accesskey matches the device identifier Authcode, then accesskey is legal.
Sub-step S213, if the user identity identifier exists in the revocation list or does not match the device identifier, determining that the user identity identifier is illegal.
If the user identity identifier exists in the revocation list, the device manager has cancelled the user's access to the device; if the user identity identifier does not match the device identifier, the user is not a user of the device. In either case the user identity identifier is illegal.
For example, if the user identity identifier accesskey is stored in the revocation list or accesskey does not match the device identifier Authcode, then accesskey is illegal.
Sub-step S22, if the user identity identifier is legal, calculating the user identity identifier and the device key with a second preset digest algorithm to generate a device access token, where the second preset digest algorithm is the algorithm the server used to create the user access token when it received the user information request sent by the user.
After the device receives the user identity identifier and finds it legal, it may generate the device access token; specifically, the user identity identifier and the locally stored device key are calculated with the second preset digest algorithm to generate the device access token.
For example, if the device access token is accessToken1, then
accessToken1 = digest(accesskey, secret),
where the digest algorithm may be one of md5, sha1, hmacmd5, hmacsha1 and hmacsha256, and more specifically is the algorithm the server used to create the user access token when it received the user information request sent by the user.
Sub-step S23, calculating the device access token and the first random string with the first preset digest algorithm to obtain a device signature value.
After the device generates the device access token, it may calculate the device signature value; specifically, the device access token and the first random string carried in the user authentication information are calculated with the first preset digest algorithm, the same algorithm used to calculate the user signature value.
For example, if the device signature value is sign1 and the device access token is accessToken1, then
sign1 = hmacmd5(ra, accessToken1),
where hmacmd5 is the first preset digest algorithm that the user terminal used to calculate the user signature value.
Sub-step S24, determining that the authentication is successful if the device signature value and the user signature value are identical.
In the embodiment of the application, the user side calculates the user access token and the first random string with the first preset digest algorithm to obtain the user signature value, and the device calculates the device access token and the same first random string with the first preset digest algorithm to obtain the device signature value. If the device signature value is consistent with the user signature value, the identity authentication of the user succeeds and the local area network user is allowed to access the device.
For example, when the device signature value sign1 equals the user signature value sign, the user is a user of the device and is allowed to access the device.
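The following Python model is an added example and not code from the patent or from Alibaba; it replays sub-steps S11 to S13 at the user side and S21 to S24 at the device against a server that issues accesskey and accessToken as described above. The names Authcode, secret, seq, accesskey, accessToken, ra and sign follow the text. Assumptions not fixed by the text: the digest algorithm is HMAC-MD5 as in the worked example, the digest takes (message, key) in that order, the "other encoded information" suffix of accesskey is empty, and the random strings are 16 hex characters long.

```python
import hashlib
import hmac
import secrets

# Lengths of the random strings are assumptions; the text fixes none of them.
AUTHCODE_LEN = 16
SEQ_LEN = 16


def digest(msg: str, key: str) -> str:
    """The preset digest algorithm, HMAC-MD5 as in the worked example.
    Argument order (message, key) is an assumption read off the text's
    digest(accesskey, secret) and hmacmd5(ra, accessToken)."""
    return hmac.new(key.encode(), msg.encode(), hashlib.md5).hexdigest()


class Server:
    """Keeps Authcode, secret and the revocation list per device (step 202).
    No per-user record is needed: accessToken is re-derivable from secret."""

    def __init__(self):
        self.devices = {}  # Authcode -> {"secret": str, "revoked": set of seq}

    def sync(self, authcode=None):
        """Sub-steps S31-S33: find, or create, the device authentication information."""
        if authcode not in self.devices:
            authcode = secrets.token_hex(AUTHCODE_LEN // 2)
            self.devices[authcode] = {"secret": secrets.token_hex(16), "revoked": set()}
        dev = self.devices[authcode]
        return authcode, dev["secret"], set(dev["revoked"])

    def user_info(self, authcode):
        """Sub-steps S421-S423: accesskey = Authcode + seq (the 'other encoded
        information' is assumed empty), accessToken = digest(accesskey, secret)."""
        seq = secrets.token_hex(SEQ_LEN // 2)
        accesskey = authcode + seq
        return accesskey, digest(accesskey, self.devices[authcode]["secret"])


def user_auth_request(accesskey, access_token):
    """Sub-steps S11-S13 at the user side: fresh ra, sign = digest(ra, accessToken)."""
    ra = secrets.token_hex(16)
    return {"accesskey": accesskey, "ra": ra, "sign": digest(ra, access_token)}


class Device:
    """Stores only Authcode, secret and the revocation list (steps 101-102)."""

    def __init__(self, authcode, secret, revoked):
        self.authcode, self.secret, self.revoked = authcode, secret, revoked

    def authenticate(self, req):
        """Sub-steps S21-S24; True means the LAN user may access the device."""
        accesskey = req["accesskey"]
        if not accesskey.startswith(self.authcode):         # S211: not encoded from our Authcode
            return False
        if accesskey[len(self.authcode):] in self.revoked:  # S211: seq is on the revocation list
            return False
        access_token1 = digest(accesskey, self.secret)      # S22: recompute the user's token
        sign1 = digest(req["ra"], access_token1)            # S23: sign the same ra with it
        return hmac.compare_digest(sign1, req["sign"])      # S24: constant-time comparison


def demo():
    """Runs the whole exchange and returns the outcome of four authentication attempts."""
    server = Server()
    device = Device(*server.sync())                         # steps 101-102
    accesskey, token = server.user_info(device.authcode)    # user information request
    results = {"legit": device.authenticate(user_auth_request(accesskey, token))}

    # Correct accesskey but a wrong token: the signatures differ.
    results["bad_token"] = device.authenticate(user_auth_request(accesskey, "not-the-token"))

    # Valid credentials issued for another device: the Authcode prefix does not match.
    other = server.sync()[0]
    results["other_device"] = device.authenticate(user_auth_request(*server.user_info(other)))

    # Revoked user: the token is still valid, but seq is on the device's revocation list.
    device.revoked.add(accesskey[len(device.authcode):])
    results["revoked"] = device.authenticate(user_auth_request(accesskey, token))
    return results


if __name__ == "__main__":
    print(demo())
```

The device never sees accessToken: it recomputes accessToken1 from secret and the accesskey the user presents, so a user whose accesskey carries a different Authcode, or whose seq has been revoked, is rejected before any digest is computed. The comparison in S24 uses hmac.compare_digest rather than ==, a practitioner's choice the text does not mention. Also note that ra is chosen by the user and the description has the device check nothing about its freshness; a deployment would bind ra to a device-issued challenge or a timestamp.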
In another embodiment of the present application, the method may further include the steps of:
Step 105, emptying the revocation list when a device identifier regenerated by the server is received by push.
In the embodiment of the application, the server stores a revocation list for the device to record the users whose access authority the device manager has cancelled, and the revocation list has a preset length. When the server receives a request from the device manager to cancel a user's access authority, it stores the user identity identifier of that user in the revocation list. When the length of the revocation list exceeds the preset length, the server empties the revocation list, generates a new device identifier for the device and sends it to the device; after receiving the new device identifier, the device empties its locally stored revocation list. This prevents a user whose access authority has been cancelled from accessing the device again.
Step 106, when a revocation list pushed by the server is received, replacing the locally stored revocation list with the received one.
The server stores the user identity identifier of the cancelled user in the revocation list; if the length of the revocation list is still smaller than the preset length, the server sends the updated revocation list to the device, and the device replaces its locally stored old revocation list with the new one, so that it authenticates users against the latest revocation list.
In the embodiment of the application, the revocation list of the device is maintained at the server and the device synchronizes it from there. The server-side revocation list has a preset length; when its length exceeds the preset length, the server generates a new device identifier, and the device empties its locally stored revocation list after receiving the new device identifier. The device therefore does not need to store the revocation list in advance, and the device manager can cancel a user's access authority while the device is offline.
Referring to Fig. 2, a flowchart of the steps of embodiment 2 of the device authentication method of the present application is shown. The device authentication method of this embodiment may be applied at the server and may specifically include the following steps:
step 201, receiving a device authentication information synchronization request sent by a device.
When the device is connected to the server and sends a device authentication information synchronization request to synchronize the device authentication information, the server receives the device authentication information synchronization request sent by the device.
Step 202, obtaining the device authentication information of the device.
The equipment authentication information can comprise an equipment identifier, an equipment key and a revocation list, and the equipment identifier can be a random character string generated by the server and does not need to be encrypted; the device key may be a random string generated by the server and paired with the device identifier, the server and the device store the random string and need to be encrypted, the revocation list may be a list of users who have access permission cancelled, and the device may deny the users in the revocation list from accessing the device through a local area network where the device is located. In the embodiment of the present application, step 202 may include the following sub-steps:
Sub-step S31, searching whether a device identifier of the device exists.
After receiving the device authentication information synchronization request sent by the device, the server may first search whether a device identifier of the device exists; if it exists, sub-step S32 is performed, otherwise sub-step S33 is performed.
Sub-step S32, if the device identifier exists, obtaining the device identifier, the device key and the revocation list.
The device identifier and the device key occur in pairs that are unique to the device: when the server generated the device identifier for the device it also generated the device key and an initialized revocation list, so the server can directly obtain the device identifier, device key and revocation list of the device.
Sub-step S33, if no device identifier of the device exists, generating the device identifier, the device key and the revocation list.
If the server has not yet generated a device identifier for the device, it may generate a random string as the device identifier, generate another random string as the device key, and create a revocation list with a preset length; the preset length may be set according to the storage capacity of the device, for example.
Step 203, sending the device authentication information to the device.
After obtaining the device identifier, the device key and the revocation list, the server sends them to the device as the device authentication information.
Step 204, when a request to add a user is received, adding the device to the device access list of the user.
The device manager may enter user information through a management page and send the server a request to add the user to the device; alternatively, the device manager may display a sharing two-dimensional code, and when another user scans it, a request to add that user to the device is sent to the server. When the server receives the add-user request, it adds the device to the device access list of the user; the devices in the device access list are the devices the user may access through the local area network. At the same time, the server may generate user information, such as a user identity identifier and a user access token, for the user.
Step 205, when receiving a user information request for the device sent by a user, obtaining user information of the user.
In the embodiment of the application, when a user needs to access the device through the local area network, the user sends a user information request to the server; the user side then generates user authentication information from the returned user information and uses it to perform identity authentication with the device.
In a preferred embodiment of the present application, the user information may include a user identity and a user access token, and step 205 may include the following sub-steps:
Sub-step S41, if a user identity identifier of the user exists and matches the device identifier, obtaining the user identity identifier and the corresponding user access token.
In the embodiment of the application, when the device manager adds the user to the device, the server can generate the user identity and the user access token for the user, so that the user can access the device after the device passes the authentication through the user identity and the user access token.
For example, the user identity identifier is accesskey, which is generated by the server and encoded from the device identifier Authcode; specifically, accesskey = Authcode + seq + other encoded information, where seq may be a random string of fixed length.
For another example, the user access token is accessToken, which is the result of signing the user identity identifier with the device key secret; it is generated by the server, must be kept secret, and is equivalent to the password corresponding to the user identity identifier. Specifically, accessToken = digest(accesskey, secret), where the digest algorithm may be one of md5, sha1, hmacmd5, hmacsha1 and hmacsha256.
After receiving the user information request, the server may search whether a user identity identifier of the user exists. If it exists, the server judges whether it matches the device identifier of the device the user wants to access, and if it matches, obtains the user identity identifier and its corresponding user access token. Specifically, the server checks whether the user identity identifier accesskey was encoded from the device identifier Authcode; if so, the user identity identifier matches the device identifier of the requested device, otherwise it does not.
Sub-step S42, if no user identity identifier of the user exists, or the user identity identifier does not match the device identifier, creating the user identity identifier and generating a user access token with a preset digest algorithm.
If no user identity identifier exists, or the user identity identifier does not match the device identifier, a user identity identifier and its corresponding user access token are created; specifically, sub-step S42 may include the following sub-steps:
Sub-step S421, generating a second random string.
A device may have several users, and to distinguish them the server may generate a unique second random string for each user; specifically, the second random string may be generated by a math.
Sub-step S422, encoding the device identifier and the second random string to obtain the user identity identifier.
The device identifier is a random string; it may be encoded together with the second random string, and the encoding result used as the user identity identifier.
For example, if the device identifier is Authcode, the second random string is seq and the user identity identifier is accesskey, then:
accesskey = Authcode + seq + encoded information
The device identifier Authcode contained in the user identity identifier accesskey shows whether the user is a user of the device, and the second random string seq contained in accesskey distinguishes the users of the device from one another.
Sub-step S423, calculating the user identity identifier and the device key with a preset digest algorithm to obtain the user access token.
The user identity identifier and the user access token are generated in pairs: the user access token is obtained by calculating the user identity identifier and the device key.
For example, if the user access token is accessToken, the user identity identifier is accesskey and the device key is secret, then
accessToken = digest(accesskey, secret),
where the digest algorithm may be one of md5, sha1, hmacmd5, hmacsha1 and hmacsha256.
Through sub-steps S421 to S423, the server can create the user identity identifier and user access token for a user of the device without the device storing any user information in advance. New users can therefore be added while the device is offline, the limited storage capacity of the device no longer restricts the number of users or prevents new users from being added, and users can be added to the device without limit.
Step 206, sending the user information to the user, where the user generates user authentication information from the user information and the device authenticates the user according to the device authentication information and the user authentication information.
After obtaining the user identity identifier and the user access token, the server may send them to the user as the user information. The user side generates user authentication information from the user information, includes it in an identity authentication request and sends it to the device, and the device may then authenticate the user using the device authentication information and the user authentication information.
In the embodiment of the application, the server adds the device to the device access list of the user when it receives the add-user request sent by the device manager, and obtains and sends the user information to the user when it receives the user information request sent by the user. Users can therefore be added while the device is offline, which avoids the problem that users cannot be added when the device is offline, as well as the problems that the limited storage capacity of the device caps the number of device users and prevents new users from being added; users can be added to the device without limit.
In another embodiment of the present application, the device access method may further include:
step 207, when receiving the request for canceling the user sent by the device manager, deleting the device from the device access list of the user.
The device manager may add a user to the device or cancel a user from it; when the server receives a request to cancel the user that the device manager sent from the device management page, the server may delete the device from the device access list of the user.
Step 208, adding the user identity of the user to a preset revoke list.
After receiving a user request for canceling the device sent by a device manager, a server needs to maintain not only a device access list of the user but also an revoke list of the device, and add the cancelled user to the revoke list of the device, in this embodiment of the present application, the user id accesskey includes a device id Authcode and a second random character string seq, and then the user id accesskey may be added to the revoke list, preferably, the second random character string seq included in the user id accesskey may be added to the revoke list, compared with adding the entire user id to the revoke list, only the second random character string seq included in the user id accesskey may be added to the revoke list, and the length of the revoke list may be reduced, so that the revoke list may store more users with access rights cancelled, and the revoke list is stored in the server, the equipment can acquire the revoke list only by sending a synchronization request to the server, and the revoke list does not need to be stored in the equipment in advance.
And 209, if the length of the suspension pin list is smaller than a preset value, sending the suspension pin list to the equipment, wherein the equipment is used for replacing the suspension pin list stored locally according to the received suspension pin list.
In the embodiment of the application, the revoke list can be set to have a maximum storage length, that is, a preset length, and after the user identification of the user who cancels the access right is stored in the revoke list, if the length of the revoke list is smaller than the preset length, the revoke list after the user identification is added is sent to the equipment, so that the equipment can perform identity authentication on the user according to the latest revoke list.
Step 210, emptying the revocation list if the length of the revocation list is greater than or equal to the preset value.
If the length of the revocation list is greater than or equal to the preset length, the server may empty the revocation list and perform step 211.
In step 211, the device identification is regenerated.
After the server clears the revocation list, in order to prevent a user whose access authority has been cancelled from accessing the device again, the server generates a new device identifier for the device, and generates a new user identity, user access token and the like for the users who still have access authority according to the new device identifier, so that a user holding the new user identity and user access token can access the device.
Step 212, sending the regenerated device identifier to the device, and when receiving the regenerated device identifier, the device emptying the locally stored revoke list.
The server generates a new equipment identifier, sends the new equipment identifier to the equipment, and stores the new equipment identifier and clears a locally stored revocation list after the equipment receives the new equipment identifier, so that the equipment can adopt the new equipment identifier to authenticate the user when authenticating the user.
In order to make the device access method of the present application more clearly understood by those skilled in the art, the following description is made by way of example with reference to the accompanying drawings, and fig. 3 is a flow chart of the interaction of the device access method, where the flow chart includes the following steps:
S1, the device sends an Authcode and revocation list synchronization request to the server;
S2, after the server receives the synchronization request, if the Authcode exists, the Authcode, the device key secret and the revocation list are obtained; if the Authcode does not exist, the Authcode, the device key secret and the revocation list are generated; the Authcode, the device key secret and the revocation list are then returned to the device;
S3, the device saves the device identifier Authcode, the device key secret and the revocation list, and encrypts the device key secret;
S4, the device manager adds users by displaying a two-dimensional code or by directly adding user accounts;
S5, the device manager sends an add-user request to the server;
S6, the server adds the device to the device access list of the user after receiving the add-user request sent by the device manager;
S7, the user sends a user information request for accessing the device to the server;
S8, the server searches whether a user identity accesskey exists and judges whether the user identity accesskey matches the device identifier Authcode; if the user identity accesskey exists and matches the device identifier Authcode, the user identity accesskey and the user access token accessToken are obtained, otherwise the user identity accesskey and the user access token accessToken are created;
S9, the server returns the user identity accesskey and the user access token accessToken to the user;
S10, the user side receives and stores the user identity accesskey and the user access token accessToken;
S11, the user side generates a random character string ra, and calculates a user signature value sign from the random character string ra and the user access token accessToken;
S12, the user side sends the user identity accesskey, the random character string ra and the user signature value sign to the device;
S13, the device judges whether the user identity accesskey is revoked; if so, the authentication fails, and if not, S14 is executed;
S14, the device judges whether the user identity accesskey matches the device identifier Authcode; if so, step S15 is executed, and if not, the authentication fails;
S15, the device calculates a device access token accessToken1, and calculates a device signature value sign1 from the device access token accessToken1 and the random character string ra;
S16, the device compares whether the user signature value sign is consistent with the device signature value sign1; if so, the authentication succeeds, otherwise the authentication fails;
S17, the device sends the authentication result to the user;
S18, the user accesses the device after the authentication succeeds;
S19, the device manager sends a cancel-user request to the server;
S20, the server deletes the device from the user's device access list;
S21, the server adds the user information of the user to the revocation list of the device;
S22, if the length of the revocation list is greater than or equal to the preset length, the server generates a new device identifier Authcode and empties the revocation list, and then step S23 is executed;
S23, the server sends the new device identifier Authcode to the device;
S24, after the device receives the new device identifier Authcode, it updates the locally stored device identifier Authcode and empties the locally stored revocation list;
S25, if the length of the revocation list is less than the preset length, the server sends the new revocation list to the device;
S26, the device receives the new revocation list and replaces the old revocation list with it.
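The S1 to S26 exchange above, together with the revocation-list handling of steps 208 to 212, as an added Python model that is not part of the patent: server, user side and device side in one file. It assumes HMAC-SHA256 for both preset digest algorithms and "Authcode.seq" as the accesskey encoding (the page names neither), omits the device's local encryption of secret (S3), and uses constructed device and user names.

```python
import hashlib
import hmac
import secrets
# Both "preset digest algorithms" are taken to be HMAC-SHA256 here, and the
# accesskey encoding to be "Authcode.seq": both are assumptions, the page names neither.
def digest1(ra, token):
    """First preset digest: user/device signature over ra, keyed by an access token."""
    return hmac.new(token.encode(), ra.encode(), hashlib.sha256).hexdigest()

def digest2(accesskey, secret):
    """Second preset digest: access token derived from accesskey and device key secret."""
    return hmac.new(secret, accesskey.encode(), hashlib.sha256).hexdigest()

class Server:
    """Cloud side: owns Authcode, secret, the revocation list and user access lists."""
    def __init__(self, max_revoke_len):
        self.max_revoke_len = max_revoke_len  # preset length of the revocation list
        self.devices = {}       # device name -> {"authcode", "secret", "revoke"}
        self.users = {}         # (user, device name) -> {"accesskey", "token"}
        self.access_lists = {}  # user -> set of device names
    def sync(self, device_name):  # S1-S2
        dev = self.devices.get(device_name)
        if dev is None:  # no Authcode yet: generate Authcode, secret and an empty list
            dev = {"authcode": secrets.token_hex(8),
                   "secret": secrets.token_bytes(32), "revoke": []}
            self.devices[device_name] = dev
        return dev["authcode"], dev["secret"], list(dev["revoke"])
    def add_user(self, device_name, user):  # S5-S6
        self.access_lists.setdefault(user, set()).add(device_name)
    def user_info(self, device_name, user):  # S7-S9
        if device_name not in self.access_lists.get(user, set()):
            raise PermissionError("device not in the user's device access list")
        dev = self.devices[device_name]
        rec = self.users.get((user, device_name))
        # S8: reuse the accesskey only if it still matches the current Authcode
        if rec is None or not rec["accesskey"].startswith(dev["authcode"] + "."):
            accesskey = dev["authcode"] + "." + secrets.token_hex(4)  # seq
            rec = {"accesskey": accesskey, "token": digest2(accesskey, dev["secret"])}
            self.users[(user, device_name)] = rec
        return rec["accesskey"], rec["token"]

    def cancel_user(self, device_name, user):  # S19-S26 / steps 207-212
        self.access_lists.get(user, set()).discard(device_name)
        dev = self.devices[device_name]
        rec = self.users.pop((user, device_name), None)
        if rec is not None:  # store only seq, which keeps the list short
            dev["revoke"].append(rec["accesskey"].split(".", 1)[1])
        if len(dev["revoke"]) >= self.max_revoke_len:  # steps 210-212
            dev["revoke"].clear()
            dev["authcode"] = secrets.token_hex(8)
            return "new_authcode", dev["authcode"]
        return "revoke_list", list(dev["revoke"])  # step 209

class Device:
    """IoT device: authenticates LAN users offline with the synced material."""
    def __init__(self, name, server):
        self.authcode, self.secret, self.revoke = server.sync(name)  # S1-S3
    def on_server_push(self, kind, value):  # S23-S26
        if kind == "new_authcode":
            self.authcode, self.revoke = value, []  # a new Authcode empties the list
        else:
            self.revoke = list(value)  # replace the local list wholesale

    def authenticate(self, accesskey, ra, sign):  # S13-S16
        authcode, _, seq = accesskey.partition(".")
        if seq in self.revoke:  # S13: revoked?
            return False
        if authcode != self.authcode:  # S14: issued under the current Authcode?
            return False
        token1 = digest2(accesskey, self.secret)  # S15: accessToken1
        return hmac.compare_digest(digest1(ra, token1), sign)  # S16

def make_user_auth(accesskey, token):  # S11-S12, user side
    ra = secrets.token_hex(8)
    return accesskey, ra, digest1(ra, token)

def run_scenario(max_revoke_len=2):
    """Add, authenticate, cancel and rotate Authcode; returns the observed outcomes."""
    srv, out = Server(max_revoke_len), {}
    dev = Device("sensor-1", srv)
    for u in ("alice", "bob", "carol"):
        srv.add_user("sensor-1", u)
        srv.user_info("sensor-1", u)  # each user fetches accesskey/accessToken once
    a_key, a_tok = srv.user_info("sensor-1", "alice")
    b_key, b_tok = srv.user_info("sensor-1", "bob")
    out["alice_ok"] = dev.authenticate(*make_user_auth(a_key, a_tok))
    out["wrong_token_fails"] = dev.authenticate(*make_user_auth(a_key, "guess"))
    dev.on_server_push(*srv.cancel_user("sensor-1", "alice"))  # list length 1 < 2
    out["alice_revoked"] = dev.authenticate(*make_user_auth(a_key, a_tok))
    out["bob_ok"] = dev.authenticate(*make_user_auth(b_key, b_tok))
    kind, value = srv.cancel_user("sensor-1", "carol")  # list length 2 -> rotate
    out["rotated"] = kind == "new_authcode" and value != dev.authcode
    dev.on_server_push(kind, value)
    out["bob_old_key_fails"] = dev.authenticate(*make_user_auth(b_key, b_tok))
    b_key2, b_tok2 = srv.user_info("sensor-1", "bob")  # re-issued under new Authcode
    out["bob_new_key_ok"] = dev.authenticate(*make_user_auth(b_key2, b_tok2))
    return out
```

Note that after Authcode rotation a still-authorized user's old accesskey is rejected by the S14 match check, so the user must fetch fresh user information (S7 to S9) before accessing the device again.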
In the example of the application, after the device synchronizes the device authentication information, it authenticates the user with the device authentication information and the user authentication information, and accepts the access of the local area network user only if the authentication succeeds. This avoids the security holes that arise when local area network users are not authenticated at all, and realizes identity authentication of local area network users by the device and secure sharing of the internet of things device.
In the example of the application, the device manager can add and cancel a user's access right to the device directly at the server, even while the device is offline. This solves the problem that new users cannot be added because of the limited storage capacity of the device, since users can be added to the device at the server without limitation.
In the example of the application, the server maintains the revoke list of the equipment, and after receiving a request of an equipment manager for canceling the user, the server adds the user identity identifier to the revoke list, so that the equipment manager can cancel the authority of the user for accessing the equipment conveniently.
Referring to fig. 4, a flowchart of steps of an embodiment of a device access method according to the present application is shown, where the device access method according to the embodiment of the present application may be applied to a device side, and specifically may include the following steps:
step 301, when receiving an access request sent by a user, authenticating the user.
In this embodiment, the device may be an internet of things device, and the internet of things device may include a sensor device, for example, a radio frequency identification device, an infrared sensor, an environmental sensor, a global positioning system, a PDA handheld terminal, an RFID reader, and the like.
In practical application, internet of things devices can be connected to the server through a gateway. For example, in a LoRa internet of things, multiple LoRa devices can be connected to a LoRa gateway through LoRa modules, and the LoRa gateway is connected to the server; the LoRa devices and the LoRa gateway then constitute a local area network, while the LoRa gateway and the server constitute the internet.
In the embodiment of the application, the user can access the device through the local area network, and in order to ensure the access security, the device needs to authenticate the user when receiving the access of the local area network user.
Specifically, step 301 may include the following sub-steps:
substep S51, sending a device authentication information synchronization request to the server;
substep S52, receiving the device authentication information returned by the server;
substep S53, receiving an identity authentication request sent by a user, where the identity authentication request includes user authentication information, and the user authentication information is information generated by user information returned by the server after the user sends a user information request to the server;
and a substep S54 of authenticating the user using the device authentication information and the user authentication information.
The substep S51-substep S54 may refer to the method of device authentication of embodiment 1 and will not be described in detail herein.
After the device receives the identity authentication request of the user and the authentication is successful, the device allows the user to control the device, for example, read data collected by the device.
Step 302, if the authentication is successful, the access of the user is accepted.
After the device receives the identity authentication request of the user and the authentication is successful, the device accepts the access of the user, and allows the user to control the device, for example, read data collected by the device.
In the embodiment of the application, after the device synchronizes the device authentication information, it authenticates the user with the device authentication information and the user authentication information, and accepts the access of the local area network user only if the authentication succeeds. This avoids the security holes that arise when local area network users are not authenticated at all, and realizes identity authentication of local area network users by the device and secure sharing of the internet of things device.
Referring to fig. 5, a block diagram of a device authentication apparatus in embodiment 1 of the present application is shown, and the device authentication apparatus in the embodiment of the present application includes:
a synchronization request sending module 401, configured to send a device authentication information synchronization request to a server;
a device authentication information receiving module 402, configured to receive device authentication information returned by the server;
an identity authentication request receiving module 403, configured to receive an identity authentication request sent by a user, where the identity authentication request includes user authentication information, and the user authentication information is information generated by receiving user information returned by the server after the user sends a user information request to the server;
an authentication module 404, configured to authenticate the user by using the device authentication information and the user authentication information;
Optionally, the device authentication information includes a device identifier, a device key, and a revocation list.
Optionally, the method further comprises:
the encryption module is used for encrypting the equipment secret key;
and the storage module is used for storing the equipment identifier, the encrypted equipment key and the revocation list.
Optionally, the user information includes a user identity and a user access token, and the user authentication information is generated by:
the first random character string generating module is used for generating a first random character string;
the user signature value calculation module is used for calculating the first random character string and the user access token by adopting a first preset digest algorithm to obtain a user signature value;
and the user authentication information determining module is used for determining the user identity identifier, the first random character string and the user signature value as the user authentication information.
Optionally, the authentication module 404 includes:
the legality determining submodule is used for judging whether the user identity is legal or not;
the device access token generation submodule is used for calculating the user identity and the device key by adopting a second preset digest algorithm to generate a device access token if the user identity is legal, where the second preset digest algorithm is the algorithm used by the server to create the user access token when it receives a user information request sent by the user;
the device signature value calculation submodule is used for calculating the device access token and the first random character string by adopting the first preset digest algorithm to obtain a device signature value;
and the authentication success determining submodule is used for determining that the authentication is successful if the device signature value is consistent with the user signature value.
Optionally, the legality determining sub-module includes:
a user identity checking unit, configured to check whether the user identity exists in the revoke list, and/or a user identity matching unit, configured to check whether the user identity matches the device identifier;
a legality determining unit, configured to determine that the user identity is legal if the user identity does not exist in the revoke list and the user identity matches the device identity;
and the illegal determining unit is used for determining that the user identity is illegal if the user identity exists in the revoke list or the user identity is not matched with the equipment identity.
Optionally, the apparatus further comprises:
the revoke list emptying module is used for emptying the revoke list when receiving the equipment identifier generated again by the server pushing;
and the revoke list replacing module is used for replacing the locally stored revoke list with the received revoke list when the revoke list pushed by the server is received.
Referring to fig. 6, a block diagram of a device authentication apparatus in embodiment 2 of the present application is shown, and the device authentication apparatus in the embodiment of the present application includes:
a synchronization request receiving module 501, configured to receive a device authentication information synchronization request sent by a device;
a device authentication information obtaining module 502, configured to obtain device authentication information of the device;
a device authentication information sending module 503, configured to send the device authentication information to the device;
an add device module 504, configured to add a device to a device access list of a user when receiving a request for adding the user sent by a device manager;
a user information obtaining module 505, configured to obtain user information of a user when a user information request for the device sent by the user is received;
a user information sending module 506, configured to send the user information to the user, where the user is configured to generate user authentication information according to the user information, and the device is configured to authenticate the user according to the device authentication information and the user authentication information.
Optionally, the device authentication information includes a device identifier, a device key, and a revocation list, and the device authentication information obtaining module 502 includes:
the device identifier searching submodule is used for searching whether the device identifier of the device exists or not;
the equipment authentication information acquisition submodule is used for acquiring the equipment identifier, the equipment key and the revoke list if the equipment identifier exists;
and the equipment authentication information generation sub-module is used for generating the equipment identifier, the equipment key and the revocation list if the equipment identifier of the equipment does not exist.
Optionally, the user information includes a user identity and a user access token, and the user information obtaining module 505 includes:
the user information acquisition submodule is used for acquiring the user identity and its corresponding user access token if the user identity of the user exists and matches the device identifier;
and the user information creating submodule is used for creating the user identity and generating a user access token by adopting a preset digest algorithm if the user identity of the user does not exist or does not match the device identifier.
Optionally, the user information creating sub-module includes:
a second random character string generation unit configured to generate a second random character string;
a user identity generating unit, configured to encode the device identifier and the second random character string to obtain the user identity;
and the user access token calculation unit is used for calculating the user identity and the device key by adopting a preset digest algorithm to obtain the user access token.
Optionally, the apparatus further comprises:
a delete device module configured to delete the device from a device access list of the user when receiving a request for canceling the user sent by a manager of the device;
the revoke list adding module is used for adding the user identity identification of the user into a preset revoke list;
the revocation list sending module is used for sending the revocation list to the device if the length of the revocation list is smaller than a preset value, where the device replaces its locally stored revocation list with the received revocation list;
the revocation list emptying module is used for emptying the revocation list if the length of the revocation list is greater than or equal to the preset value;
the device identifier generating module is used for regenerating the device identifier;
and the equipment identifier sending module is used for sending the regenerated equipment identifier to the equipment, and the equipment empties the locally stored revoke list when receiving the regenerated equipment identifier.
Optionally, the user identity includes an equipment identity and the second random character string, and the revoke list adding module includes:
and the revoke list adding submodule is used for adding the user identity or the second random character string into the revoke list.
Referring to fig. 7, a block diagram of a device access apparatus according to an embodiment of the present application is shown, where the device access apparatus according to the embodiment of the present application includes:
an authentication module 601, configured to authenticate a user when receiving an access request sent by the user;
an access accepting module 602, configured to accept access of the user if the authentication is successful;
wherein the authentication module 601 comprises:
the synchronous request sending submodule is used for sending a device authentication information synchronous request to the server;
the equipment authentication information receiving submodule is used for receiving the equipment authentication information returned by the server;
the identity authentication request receiving submodule is used for receiving an identity authentication request sent by a user, wherein the identity authentication request comprises user authentication information, and the user authentication information is information generated by user information returned by the server after the user sends a user information request to the server;
and the authentication sub-module authenticates the user by adopting the equipment authentication information and the user authentication information.
An embodiment of the present application further provides an apparatus, including: one or more processors; and one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the apparatus to perform one or more of the methods of embodiment 1 and/or embodiment 2 and/or embodiment 3.
Embodiments of the application also provide one or more machine-readable media having instructions stored thereon, which when executed by one or more processors, cause an apparatus to perform one or more of the methods described in embodiment 1 and/or embodiment 2 and/or embodiment 3.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one of skill in the art, embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the true scope of the embodiments of the application.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The above detailed description is made on an apparatus authentication method, an apparatus access method, an apparatus authentication device, and an apparatus access device provided by the present application, and specific examples are applied in the present application to explain the principles and embodiments of the present application, and the descriptions of the above embodiments are only used to help understand the method and the core ideas of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (30)

1. A method of device authentication, the method comprising:
sending a device authentication information synchronization request to a server;
receiving equipment authentication information returned by the server;
receiving an identity authentication request sent by a user, wherein the identity authentication request comprises user authentication information, and the user authentication information is generated by receiving user information returned by the server after the user sends a user information request to the server;
and authenticating the user by adopting the equipment authentication information and the user authentication information.
2. The method of claim 1, wherein the device authentication information comprises a device identifier, a device key, and a revocation list.
3. The method of claim 2, wherein after the step of receiving the device authentication information returned by the server, further comprising:
encrypting the device key;
and storing the equipment identifier, the encrypted equipment key and the revocation list.
4. The method of claim 3, wherein the user information comprises a user identity and a user access token, the user authentication information being generated by:
generating a first random string;
calculating the first random character string and the user access token by adopting a first preset digest algorithm to obtain a user signature value;
and determining the user identity, the first random character string and the user signature value as the user authentication information.
5. The method of claim 4, wherein the step of authenticating the user using the device authentication information and the user authentication information comprises:
judging whether the user identity is legal or not;
if the user identity is legal, calculating the user identity and the device key by adopting a second preset digest algorithm to generate a device access token, wherein the second preset digest algorithm is the algorithm used by the server to create the user access token when it receives a user information request sent by the user;
calculating the device access token and the first random character string by adopting the first preset digest algorithm to obtain a device signature value;
and if the device signature value is consistent with the user signature value, determining that the authentication is successful.
6. The method of claim 5, wherein the step of checking whether the user identity is legitimate comprises:
checking whether the user identification exists in the revoke list and/or checking whether the user identification is matched with the equipment identification;
if the user identity does not exist in the revoke list and is matched with the equipment identity, determining that the user identity is legal;
and if the user identification exists in the revoke list or the user identification is not matched with the equipment identification, determining that the user identification is illegal.
7. The method of any one of claims 1-6, further comprising:
when receiving the equipment identifier generated by the server push, emptying the revoke list;
and when a revoke list pushed by the server is received, replacing the locally stored revoke list with the received revoke list.
8. A method of device authentication, the method comprising:
receiving a device authentication information synchronization request sent by a device;
acquiring equipment authentication information of the equipment;
sending the device authentication information to the device;
when a request for adding a user sent by a device manager is received, adding the device to a device access list of the user;
when a user information request which is sent by a user and aims at the equipment is received, acquiring the user information of the user;
and sending the user information to the user, wherein the user is used for generating user authentication information according to the user information, and the equipment is used for authenticating the user according to the equipment authentication information and the user authentication information.
9. The method of claim 8, wherein the device authentication information includes a device identification, a device key, and a revocation list, and wherein the step of obtaining the device authentication information for the device comprises:
searching whether the equipment identification of the equipment exists;
if the device identifier exists, acquiring the device identifier, a device key and a revocation list;
if the device identifier of the device does not exist, generating the device identifier, a device key, and a revocation list.
10. The method of claim 9, wherein the user information includes a user identity and a user access token, and wherein the step of obtaining the user information of the user comprises:
if the user identity of the user exists and matches the device identifier, obtaining the user identity and its corresponding user access token;
and if the user identity of the user does not exist or does not match the device identifier, creating the user identity and generating a user access token by adopting a preset digest algorithm.
11. The method of claim 10, wherein the steps of creating the user identity and generating a user access token using a preset digest algorithm comprise:
generating a second random string;
encoding the equipment identifier and the second random character string to obtain the user identity identifier;
and calculating the user identity and the device key by adopting a preset digest algorithm to obtain the user access token.
12. The method of any one of claims 8-11, further comprising:
deleting the device from a device access list of the user when a request for canceling the user sent by a manager of the device is received;
adding a user identity of a user into a preset revoke list;
if the length of the revocation list is smaller than a preset value, sending the revocation list to the device, where the device replaces its locally stored revocation list with the received revocation list;
emptying the revocation list if the length of the revocation list is greater than or equal to the preset value;
regenerating the device identification;
and sending the regenerated equipment identification to the equipment, and emptying the locally stored revoke list when the equipment receives the regenerated equipment identification.
13. The method of claim 12, wherein the user identity comprises the device identifier and the second random character string, and wherein the step of adding the user identity of the user to a preset revocation list comprises:
adding the user identity, or the second random character string, to the revocation list.
14. A method for device access, the method comprising:
when an access request sent by a user is received, authenticating the user;
if the authentication is successful, accepting the access of the user;
wherein authenticating the user comprises:
sending a device authentication information synchronization request to a server;
receiving device authentication information returned by the server;
receiving an identity authentication request sent by a user, wherein the identity authentication request comprises user authentication information, and the user authentication information is generated from user information returned by the server after the user sends a user information request to the server;
and authenticating the user by adopting the device authentication information and the user authentication information.
15. An apparatus for device authentication, the apparatus comprising:
a synchronization request sending module, configured to send a device authentication information synchronization request to a server;
a device authentication information receiving module, configured to receive device authentication information returned by the server;
an identity authentication request receiving module, configured to receive an identity authentication request sent by a user, wherein the identity authentication request comprises user authentication information, and the user authentication information is generated from user information returned by the server after the user sends a user information request to the server;
and an authentication module, configured to authenticate the user by adopting the device authentication information and the user authentication information.
16. The apparatus of claim 15, wherein the device authentication information comprises a device identifier, a device key, and a revocation list.
17. The apparatus of claim 16, further comprising:
an encryption module, configured to encrypt the device key;
and a storage module, configured to store the device identifier, the encrypted device key and the revocation list.
18. The apparatus of claim 17, wherein the user information comprises a user identity and a user access token, and the user authentication information is generated by:
a first random character string generating module, configured to generate a first random character string;
a user signature value calculation module, configured to calculate over the first random character string and the user access token by adopting a first preset digest algorithm to obtain a user signature value;
and a user authentication information determining module, configured to determine the user identity, the first random character string and the user signature value as the user authentication information.
19. The apparatus of claim 18, wherein the authentication module comprises:
a legitimacy determination submodule, configured to determine whether the user identity is legal;
a device access token generation submodule, configured to, if the user identity is legal, calculate over the user identity and the device key by adopting a second preset digest algorithm to generate a device access token, wherein the second preset digest algorithm is the algorithm used to create the user access token when the server receives the user information request sent by the user;
a device signature value calculation submodule, configured to calculate over the device access token and the first random character string by adopting the first preset digest algorithm to obtain a device signature value;
and an authentication success determining submodule, configured to determine that the authentication is successful if the device signature value is consistent with the user signature value.
20. The apparatus of claim 19, wherein the legitimacy determination submodule comprises:
a revocation checking unit, configured to check whether the user identity exists in the revocation list; and/or
a user identity matching unit, configured to check whether the user identity matches the device identifier;
a legality determining unit, configured to determine that the user identity is legal if the user identity does not exist in the revocation list and the user identity matches the device identifier;
and an illegality determining unit, configured to determine that the user identity is illegal if the user identity exists in the revocation list or the user identity does not match the device identifier.
21. The apparatus of any one of claims 15-20, further comprising:
a revocation list emptying module, configured to empty the revocation list when a regenerated device identifier pushed by the server is received;
and a revocation list replacing module, configured to replace the locally stored revocation list with the received revocation list when a revocation list pushed by the server is received.
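The issuance, signing and verification steps of claims 9-13 and 18-21, as one added worked model (example code written for this page, not the patent's or the applicant's implementation). It assumes HMAC-SHA256 for both unspecified "preset digest algorithms", a colon-separated encoding of the user identity, and a revocation-list threshold of 4; all names are constructed.

```python
import hashlib
import hmac
import secrets

REVOKE_LIST_MAX = 4  # assumed "preset value" bounding the revocation-list length


def digest(key: bytes, msg: bytes) -> str:
    # Both "preset digest algorithms" of the claims are modelled as HMAC-SHA256.
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    """Server side of claims 9-13: device auth info, user info, revocation."""
    def __init__(self):
        self.devices = {}  # device_id -> {"key": bytes, "revoked": [random strings]}

    def device_auth_info(self, device_id=None):
        # Claim 9: return the stored record, or generate id, key and an empty list.
        if device_id not in self.devices:
            device_id = secrets.token_hex(8)
            self.devices[device_id] = {"key": secrets.token_bytes(32), "revoked": []}
        rec = self.devices[device_id]
        return device_id, rec["key"], list(rec["revoked"])

    def user_info(self, device_id):
        # Claim 11: user id = device id || second random string;
        # user access token = digest(user id, device key).
        user_id = f"{device_id}:{secrets.token_hex(8)}"
        return user_id, digest(self.devices[device_id]["key"], user_id.encode())

    def revoke_user(self, device, user_id):
        # Claims 12-13: record the user's random string and push the list while it
        # is short; otherwise clear it and rotate the device id, which invalidates
        # every user id that was encoded with the old device id.
        rec = self.devices[device.device_id]
        rec["revoked"].append(user_id.split(":", 1)[1])
        if len(rec["revoked"]) < REVOKE_LIST_MAX:
            device.revoked = list(rec["revoked"])  # claim 21: replace local list
        else:
            rec["revoked"].clear()
            new_id = secrets.token_hex(8)
            self.devices[new_id] = self.devices.pop(device.device_id)
            device.device_id, device.revoked = new_id, []  # claim 21: empty list


def user_auth_info(user_id, user_token):
    # Claim 18: a first random string signed with the user access token.
    rnd1 = secrets.token_hex(8)
    return user_id, rnd1, digest(user_token.encode(), rnd1.encode())


class Device:
    """Device side of claims 15-21: sync auth info, then verify user signatures."""
    def __init__(self, server):
        self.device_id, self.key, self.revoked = server.device_auth_info()

    def authenticate(self, user_id, rnd1, user_sig):
        # Claim 20: legal only if not revoked and bound to this device id.
        dev_id, _, rnd2 = user_id.partition(":")
        if dev_id != self.device_id or rnd2 in self.revoked or user_id in self.revoked:
            return False
        # Claim 19: rebuild the access token from (user id, device key), sign the
        # first random string with it and compare in constant time.
        dev_token = digest(self.key, user_id.encode())
        return hmac.compare_digest(digest(dev_token.encode(), rnd1.encode()), user_sig)
```

Note that the device never needs the user access token itself: it recomputes it from the user identity and its own device key, so a stolen token list on the device is not the risk; the device key is.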
22. An apparatus for device authentication, the apparatus comprising:
a synchronization request receiving module, configured to receive a device authentication information synchronization request sent by a device;
a device authentication information acquisition module, configured to acquire device authentication information of the device;
a device authentication information sending module, configured to send the device authentication information to the device;
a device adding module, configured to add the device to a device access list of a user when a request to add the user, sent by a manager of the device, is received;
a user information acquisition module, configured to acquire user information of the user when a user information request for the device, sent by the user, is received;
and a user information sending module, configured to send the user information to the user, the user generating user authentication information according to the user information, and the device authenticating the user according to the device authentication information and the user authentication information.
23. The apparatus of claim 22, wherein the device authentication information comprises a device identifier, a device key, and a revocation list, and wherein the device authentication information acquisition module comprises:
a device identifier searching submodule, configured to search whether the device identifier of the device exists;
a device authentication information acquisition submodule, configured to acquire the device identifier, the device key and the revocation list if the device identifier exists;
and a device authentication information generation submodule, configured to generate the device identifier, the device key and the revocation list if the device identifier of the device does not exist.
24. The apparatus of claim 23, wherein the user information comprises a user identity and a user access token, and the user information acquisition module comprises:
a user information acquisition submodule, configured to, if the user identity of the user exists and matches the device identifier, acquire the user identity and its corresponding user access token;
and a user information creating submodule, configured to create the user identity and generate a user access token by adopting a preset digest algorithm if the user identity of the user does not exist or does not match the device identifier.
25. The apparatus of claim 24, wherein the user information creation sub-module comprises:
a second random character string generation unit, configured to generate a second random character string;
a user identity generating unit, configured to encode the device identifier and the second random character string to obtain the user identity;
and a user access token calculation unit, configured to calculate over the user identity and the device key by adopting a preset digest algorithm to obtain the user access token.
26. The apparatus of any one of claims 22-25, wherein the apparatus further comprises:
a device deleting module, configured to delete the device from a device access list of the user when a request to cancel the user, sent by a manager of the device, is received;
a revocation list adding module, configured to add the user identity of the user to a preset revocation list;
a revocation list sending module, configured to send the revocation list to the device if the length of the revocation list is smaller than a preset value, the device replacing its locally stored revocation list with the received revocation list;
a revocation list emptying module, configured to empty the revocation list if the length of the revocation list is greater than or equal to the preset value;
a device identifier generating module, configured to regenerate the device identifier;
and a device identifier sending module, configured to send the regenerated device identifier to the device, the device emptying its locally stored revocation list when it receives the regenerated device identifier.
27. The apparatus of claim 26, wherein the user identity comprises the device identifier and the second random character string, and wherein the revocation list adding module comprises:
a revocation list adding submodule, configured to add the user identity, or the second random character string, to the revocation list.
28. An apparatus for accessing a device, the apparatus comprising:
an authentication module, configured to authenticate a user when an access request sent by the user is received;
and an access accepting module, configured to accept the access of the user if the authentication is successful;
wherein the authentication module comprises:
a synchronization request sending submodule, configured to send a device authentication information synchronization request to a server;
a device authentication information receiving submodule, configured to receive device authentication information returned by the server;
an identity authentication request receiving submodule, configured to receive an identity authentication request sent by the user, wherein the identity authentication request comprises user authentication information, and the user authentication information is generated from user information returned by the server after the user sends a user information request to the server;
and an authentication submodule, configured to authenticate the user by adopting the device authentication information and the user authentication information.
29. An apparatus, comprising: one or more processors; and one or more machine readable media having instructions stored thereon that, when executed by the one or more processors, cause the apparatus to perform the method of one or more of claims 1-7 and/or 8-13 and/or 14.
30. One or more machine-readable media having instructions stored thereon, which when executed by one or more processors, cause an apparatus to perform one or more methods of claims 1-7 and/or 8-13 and/or 14.
CN201810821751.8A 2018-07-24 2018-07-24 Equipment authentication method, equipment access method and device Active CN110753023B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810821751.8A CN110753023B (en) 2018-07-24 2018-07-24 Equipment authentication method, equipment access method and device

Publications (2)

Publication Number Publication Date
CN110753023A true CN110753023A (en) 2020-02-04
CN110753023B CN110753023B (en) 2022-02-25

Family

ID=69275536

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810821751.8A Active CN110753023B (en) 2018-07-24 2018-07-24 Equipment authentication method, equipment access method and device

Country Status (1)

Country Link
CN (1) CN110753023B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112218249A (en) * 2020-11-17 2021-01-12 深圳开立生物医疗科技股份有限公司 Data transmission method, data transmission device, data downloading method and related equipment
CN113726863A (en) * 2021-08-20 2021-11-30 珠海格力电器股份有限公司 Internet of things data transmission method and device and Internet of things cloud platform server
CN113904840A (en) * 2021-09-30 2022-01-07 广州海鹚网络科技有限公司 Hospital tamper-proof request verification system based on signature
CN114598489A (en) * 2020-11-20 2022-06-07 华为技术有限公司 Method for determining trust terminal and related device
CN114650304A (en) * 2020-12-17 2022-06-21 联通(江苏)产业互联网有限公司 Authentication and authorization method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101170409A (en) * 2006-10-24 2008-04-30 华为技术有限公司 Method, system, service device and certification server for realizing device access control
CN101267367A (en) * 2007-03-15 2008-09-17 华为技术有限公司 Method, system, authentication server and home device for controlling access to home network
CN103037312A (en) * 2011-10-08 2013-04-10 阿里巴巴集团控股有限公司 Message push method and message push device
US20170012964A1 (en) * 2014-09-29 2017-01-12 Identity Over Ip Providing authentication of control instructions from a control device to a remotely-controllable physical interaction device using a remote control authentication token
CN106603234A (en) * 2015-10-14 2017-04-26 阿里巴巴集团控股有限公司 Method, device and system for device identity authentication

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112218249A (en) * 2020-11-17 2021-01-12 深圳开立生物医疗科技股份有限公司 Data transmission method, data transmission device, data downloading method and related equipment
CN112218249B (en) * 2020-11-17 2022-06-24 深圳开立生物医疗科技股份有限公司 Data transmission method, data transmission device, data downloading method and related equipment
CN114598489A (en) * 2020-11-20 2022-06-07 华为技术有限公司 Method for determining trust terminal and related device
CN114598489B (en) * 2020-11-20 2023-07-11 华为技术有限公司 Method and related device for determining trust terminal
CN114650304A (en) * 2020-12-17 2022-06-21 联通(江苏)产业互联网有限公司 Authentication and authorization method and device
CN114650304B (en) * 2020-12-17 2024-03-15 联通(江苏)产业互联网有限公司 Authentication and authorization method and device
CN113726863A (en) * 2021-08-20 2021-11-30 珠海格力电器股份有限公司 Internet of things data transmission method and device and Internet of things cloud platform server
CN113726863B (en) * 2021-08-20 2023-02-17 珠海格力电器股份有限公司 Internet of things data transmission method and device and Internet of things cloud platform server
CN113904840A (en) * 2021-09-30 2022-01-07 广州海鹚网络科技有限公司 Hospital tamper-proof request verification system based on signature

Also Published As

Publication number Publication date
CN110753023B (en) 2022-02-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40022287; Country of ref document: HK)
GR01 Patent grant