CN111970306B - Authority authentication method, server, client and storage medium - Google Patents

Info

Publication number: CN111970306B
Authority: CN (China)
Prior art keywords: client, certificate, equipment, authority, server
Legal status: Active
Application number: CN202010896227.4A
Other languages: Chinese (zh)
Other versions: CN111970306A
Inventor: 余志刚
Current assignee: Guangdong Oppo Mobile Telecommunications Corp Ltd
Original assignee: Guangdong Oppo Mobile Telecommunications Corp Ltd
Application filed by Guangdong Oppo Mobile Telecommunications Corp Ltd; priority to CN202010896227.4A; published as CN111970306A; application granted and published as CN111970306B; legal status active.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the present application discloses an authority authentication method, a server, a client and a storage medium. The method applied to the server comprises: in response to receiving a first request, sent by a first client, for sharing a device with a second client, generating a first certificate that grants the second client the authority to control the device, the first client already having the authority to control the device; and sending the first certificate to the second client, the first certificate being used by the second client to request authority authentication from the device.

Description

Authority authentication method, server, client and storage medium
Technical Field
The embodiment of the application relates to the technical field of communication, in particular to a permission authentication method, a server, a client and a storage medium.
Background
With the rapid development of communication technology, people have higher and higher requirements on network and data security, and authority authentication is also more and more important in the communication field.
At present, in a device sharing scenario, when a device receives a sharing instruction it needs to generate a corresponding temporary password, so that the shared-with party can use that temporary password to pass authority authentication and log in to the device. Throughout this process the device must communicate with the server or the client, so the device has to be online to receive the command, and the flexibility of authority authentication is low.
Disclosure of Invention
The embodiment of the application provides an authority authentication method, a server, a client and a storage medium, and flexibility of authority authentication is improved.
The technical scheme of the embodiment of the application is realized as follows:
the embodiment of the present application provides an authority authentication method, which is applied to a server and comprises the following steps:
in response to receiving a first request, sent by a first client, for sharing a device with a second client, generating a first certificate that grants the second client the authority to control the device; the first client already has the authority to control the device;
and sending the first certificate to the second client, the first certificate being used by the second client to request authority authentication from the device.
In the above method, before generating the first certificate granting the second client the authority to control the device, the method further includes:
associating the first client with the device;
generating a second certificate granting the first client the authority to control the device, together with verification information; the verification information is used by the device to verify the legality of any certificate it receives;
and sending the second certificate to the first client and the verification information to the device.
In the above method, associating the first client with the device includes:
in response to receiving a second request sent by the first client to establish an association with the device, checking whether establishing the association between the first client and the device is feasible;
if the check result is feasible, sending the first client a response that allows it to establish the association with the device;
and receiving an association request sent by the device based on an association establishment parameter, and associating the first client with the device according to that association request.
In the above method, the first certificate and/or the second certificate contain an authority start-stop time for the authority to control the device.
The embodiment of the present application provides an authority authentication method, which is applied to a first client and comprises the following steps:
acquiring the authority to control a device;
sending the server a first request for sharing the device with a second client; the first request is used to request the server to generate a first certificate granting the second client the authority to control the device; the first certificate is used by the second client to request authority authentication from the device.
In the above method, acquiring the authority to control the device includes:
sending the server a second request to establish an association with the device;
when a response is received in which the server allows the first client to establish the association with the device, sending an association establishment parameter to the device; the association establishment parameter is used to establish the association between the first client and the device;
and receiving a second certificate sent by the server, thereby obtaining the authority to control the device; the second certificate is a certificate with which the server grants the first client the authority to control the device.
The embodiment of the present application provides an authority authentication method, which is applied to a client and comprises the following steps:
when an authority certificate sent by a server is received, sending the authority certificate to a device; the authority certificate is a certificate that grants the client the authority to control the device;
when a message sent by the device indicating that the authority certificate has passed verification is received, determining that authority authentication with the device has passed.
In the above method, before sending the authority certificate to the device, the method further includes:
establishing a secure channel with the device; the secure channel is the channel over which the authority certificate is sent to the device and the message that the authority certificate has passed verification is received.
In the above method, the authority certificate includes an authority start-stop time, and after determining that authority authentication with the device has passed, the method further includes:
controlling the device within the authority start-stop time.
An embodiment of the present application provides a server, including a certificate generation module and a first communication module;
the certificate generation module is used to generate, in response to a first request sent by a first client for sharing a device with a second client, a first certificate granting the second client the authority to control the device; the first client already has the authority to control the device;
the first communication module is used to send the first certificate to the second client; the first certificate is used by the second client to request authority authentication from the device.
The embodiment of the application provides a server, which comprises a first processor, a first memory and a first communication bus;
the first communication bus is used for realizing communication connection between the first processor and the first memory;
the first processor is configured to execute the first authentication program stored in the first memory to implement the above-mentioned right authentication method applied to the server.
An embodiment of the present application provides a first client, including:
an authority acquisition module, used to acquire the authority to control a device;
and a second communication module, used to send the server a first request for sharing the device with a second client; the first request is used to request the server to generate a first certificate granting the second client the authority to control the device; the first certificate is used by the second client to request authority authentication from the device.
The embodiment of the application provides a first client, which comprises a second processor, a second memory and a second communication bus;
the second communication bus is used for realizing communication connection between the second processor and the second memory;
the second processor is configured to execute a second authentication program stored in the second memory to implement the above-mentioned right authentication method applied to the first client.
An embodiment of the present application provides a client, including:
a third communication module, used to send an authority certificate to a device when the authority certificate sent by a server is received; the authority certificate is a certificate that grants the client the authority to control the device;
and an authority determination module, used to determine that authority authentication with the device has passed when the third communication module receives a message from the device indicating that the authority certificate has passed verification.
The embodiment of the application provides a client, which comprises a third processor, a third memory and a third communication bus;
the third communication bus is used for realizing communication connection between the third processor and the third memory;
the third processor is configured to execute a third authentication program stored in the third memory, so as to implement the above-mentioned right authentication method applied to the client.
An embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the above-mentioned method for right authentication.
The embodiment of the present application provides an authority authentication method, a server, a client and a storage medium. The method applied to the server comprises: in response to receiving a first request, sent by a first client, for sharing a device with a second client, generating a first certificate that grants the second client the authority to control the device, the first client already having the authority to control the device; and sending the first certificate to the second client, the first certificate being used by the second client to request authority authentication from the device. With this technical scheme, the first client shares the device it controls with the second client through the server, the server issues the second client a certificate for the authority to control the device, and the device can verify that certificate directly to authenticate the second client's authority, without the device communicating with the server or the first client, so the flexibility of authority authentication is improved.
Drawings
Fig. 1 is a first flowchart illustrating a method for authenticating a right according to an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating a second method for right authentication according to an embodiment of the present disclosure;
fig. 3 is a first schematic diagram illustrating an interaction between an exemplary server and a client according to an embodiment of the present application;
fig. 4 is a schematic diagram of an exemplary interaction between a server and a client according to an embodiment of the present application;
fig. 5 is a third flowchart illustrating a method for authenticating a right according to an embodiment of the present application;
fig. 6 is a schematic diagram of an exemplary interaction between a server and a client provided in an embodiment of the present application;
fig. 7 is a first schematic structural diagram of a server according to an embodiment of the present disclosure;
fig. 8 is a schematic structural diagram of a server according to an embodiment of the present application;
fig. 9 is a first schematic structural diagram of a first client according to an embodiment of the present disclosure;
fig. 10 is a schematic structural diagram of a first client according to an embodiment of the present application;
fig. 11 is a first schematic structural diagram of a second client according to an embodiment of the present disclosure;
fig. 12 is a schematic structural diagram of a second client according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad application.
The embodiment of the application provides a permission authentication method which is applied to a server. The server may be a cloud server, and the specific server is not limited in this embodiment of the application. Fig. 1 is a first flowchart illustrating a method for authenticating a right according to an embodiment of the present application. As shown in fig. 1, the method of authority authentication mainly includes the following steps:
S101, in response to receiving a first request, sent by a first client, for sharing a device with a second client, generating a first certificate that grants the second client the authority to control the device; the first client already has the authority to control the device.
In the embodiment of the present application, the server may generate, in response to receiving a first request sent by a first client, a first certificate granting the second client the authority to control the device, where the first request is a request message for sharing the device with the second client.
It should be noted that, in the embodiment of the present application, the first client already has the authority to control the device. The embodiment does not limit what the first client and the device specifically are.
For example, in an embodiment of the present application, the first certificate generated by the server may be a certificate signed with a preset private key (the patent text says "encrypted" with the private key; since the device checks it with the matching public key, this is a digital signature in practice), and correspondingly the verification information held by the device may be the preset public key corresponding to that preset private key.
It should be noted that, in the embodiment of the present application, the server may generate the first certificate in a predefined format, and the certificate information of the first certificate states that the second client may control the device, that is, the authority to control the device is granted to the second client.
Illustratively, in the embodiment of the present application, the first certificate consists of the signature method of the digital certificate, the basic purpose of the digital certificate, the length of the signature part of the digital certificate, the detailed description of the certificate, and the signature. For the basic purpose part of the digital certificate, the identifiers corresponding to the different purposes are shown in table 1:
TABLE 1
Identifier: Purpose
0x01: Reserved
0x02: Grants the certificate subject the right to actively control other devices
0x04: Grants the certificate subject the right to repudiate control to other devices
In addition, the certificate detailed description section may adopt an encoding format comprising information content, information type, and information content length (that is, a type-length-value encoding of each field). Specifically, the information types include those shown in table 2 below:
TABLE 2 (the table is only available as an image in the original and is not reproduced here)
In the embodiment of the present application, the fields shown in table 2 can record the client that controls the device and the device it is linked to, and can set the authority start-stop time for the authority to control the device.
It should be noted that the above is only an exemplary format of the first certificate, and a specific format of the first certificate may be selected according to actual needs and application scenarios, and the embodiment of the present application is not limited.
S102, sending a first certificate to a second client; the first certificate is used for requesting authority authentication from the device by the second client.
In an embodiment of the present application, after generating a first certificate granting the second client the right to control the device, the server may send the first certificate to the second client, where the first certificate is used for the second client to request the right authentication from the device.
It can be understood that, in the embodiment of the present application, the first client that has the authority to control the device shares the device with the second client without the device taking part directly. Since the device holds verification information for checking the validity of received certificates, the server sends the first certificate to the second client, the second client requests authority authentication from the device using the first certificate, and the device verifies the validity of the first certificate with the verification information; if verification succeeds, authority authentication is achieved directly, and the device does not need to store any other identity information for verification.
The embodiment of the present application provides an authority authentication method which is applied to a first client. Fig. 2 is a flowchart illustrating a second method for authority authentication according to an embodiment of the present application. As shown in fig. 2, in an embodiment of the present application, the authority authentication method includes the following steps:
S201, acquiring the authority to control the device.
In the embodiment of the present application, the first client may first obtain the authority to control the device.
It can be understood that, in the embodiment of the present application, the precondition for the first client sharing the device with the second client is that the first client has the authority to control the device. Therefore, the first client needs to acquire the authority to control the device first.
It should be noted that, in the embodiment of the present application, the manner in which the first client obtains the authority to control the device is described in detail later.
S202, sending the server a first request for sharing the device with a second client; the first request is used to request the server to generate a first certificate granting the second client the authority to control the device; the first certificate is used by the second client to request authority authentication from the device.
In the embodiment of the present application, once the first client has obtained the authority to control the device, it can send the server a first request for sharing the device with the second client.
It can be understood that, in the embodiment of the present application, the first client sends the first request to the server, and accordingly the server may perform steps S101 and S102 above so as to send the first certificate to the second client; the second client may then request authority authentication from the device using the first certificate, thereby obtaining the authority to control the device.
Fig. 3 is a schematic diagram illustrating an exemplary interaction between a server and clients according to an embodiment of the present application. As shown in fig. 3, the first client has the authority to control the device. The first client sends the server a first request for sharing the device with the second client, so that the server generates a first certificate whose certificate information grants the second client the authority to control the device. The server then sends the first certificate to the second client, and the second client initiates authority authentication with the device using the first certificate, thereby obtaining control of the device when the authentication passes.
It can be understood that, in the embodiment of the present application, before sharing the device with the second client, the first client needs to obtain the authority to control the device, as described in step S201, and the device needs to obtain verification information, for example a public key, for verifying the validity of the different certificates; this is described in detail below.
In the embodiment of the present application, step S201, in which the first client acquires the authority to control the device, specifically includes the following steps: sending the server a second request to establish an association with the device; when a response is received in which the server allows the first client to establish the association with the device, sending an association establishment parameter to the device, the association establishment parameter being used to establish the association between the first client and the device; and receiving a second certificate sent by the server, thereby obtaining the authority to control the device, the second certificate being a certificate with which the server grants the first client the authority to control the device.
It can be understood that, in the embodiment of the present application, when the request it sent to the server to establish an association with the device is allowed, the first client may send the association establishment parameter to the device, so that the device can initiate an association request to the server based on that parameter and establish the association with the first client through the server, that is, the association between the first client and the device is realized.
It should be noted that, in the embodiment of the present application, when the first client is associated with the device through the server, the server may generate a second certificate granting the first client the authority to control the device and send the second certificate to the first client, so that the first client obtains the authority to control the device upon receiving the second certificate.
The above-described procedure is a procedure performed by the first client, and the following describes the server-side execution procedure in detail.
In an embodiment of the present application, before generating the first certificate, the server further performs the following steps: associating the first client with the device; generating a second certificate granting the first client the authority to control the device, together with verification information, the verification information being used by the device to verify the legality of any certificate it receives; and sending the second certificate to the first client and the verification information to the device.
Specifically, in an embodiment of the present application, associating the first client with the device by the server includes: in response to receiving a second request sent by the first client to establish an association with the device, checking whether establishing the association between the first client and the device is feasible; if the check result is feasible, sending the first client a response that allows it to establish the association with the device; and receiving an association request sent by the device based on the association establishment parameter, and associating the first client with the device according to that association request.
It can be understood that, in the embodiment of the present application, in step S201 described above the first client may send the second request to the server; accordingly, on receiving the second request the server may check whether the first client may be associated with the device and, if so, send the corresponding response to the first client, which triggers the first client to send the association establishment parameter to the device in step S201. After receiving the association establishment parameter, the device may initiate an association request to the server based on that parameter, so that the server can associate the first client with the device, that is, record the binding relationship between the first client and the device.
It should be noted that, in the embodiment of the present application, when associating the first client with the device, the server may generate the second certificate granting the first client the authority to control the device and send it to the first client. In addition, the server may also generate verification information and send it to the device, so that when the first client needs to control the device it can send the second certificate directly to the device, and the device can verify the legality of the certificate directly with the verification information, without intervention of the server.
It should be noted that, in the embodiment of the present application, the second certificate that the server sends to the first client has the same format as the first certificate; the difference is that its certificate information is the authority of the first client to control the device, that is, the first client is granted the device control function. Of course, other information in the certificate, for example the authority start-stop time, may be set according to actual needs or the application scenario.
Fig. 4 is a schematic diagram of an exemplary interaction between a server and a client according to an embodiment of the present application. As shown in fig. 4, in the embodiment of the present application, the first client sends the server a second request to establish an association with the device; the server checks whether the association is feasible and, if so, sends the first client a response allowing the association to be established; the first client then sends the association establishment parameter to the device; the device requests the server to establish the association with the first client based on that parameter; and after recording the association between the first client and the device, the server sends the generated second certificate to the first client and the verification information to the device. The second certificate may be an authorization certificate signed with a preset private key (the patent text says "encrypted"), and the verification information may be the preset public key matching that preset private key.
It should be noted that, in the embodiment of the present application, the first client and the second client may be deployed on the same hardware device. Moreover, the first client and the second client may be the same client application logged in under different user accounts: a given client may act as the first client when logged in with a first user account and as the second client when logged in with a second user account, where the first user account and the second user account are two different client user accounts. Thus the first client sharing the device with the second client may amount to the client logged in with one user account sharing the authority to control the device with the client logged in with another user account.
The embodiment of the application provides a permission authentication method which is applied to a client. Fig. 5 is a third flowchart illustrating a method for authenticating a right according to an embodiment of the present application. As shown in fig. 5, in an embodiment of the present application, a method for authenticating a right includes the following steps:
s501, when receiving the authority certificate sent by the server, sending the authority certificate to the equipment; the authority certificate is a certificate for granting the authority of the control device to the client.
In the embodiment of the application, the client can send the certificate to the device when receiving the certificate which is sent by the server and grants the authority of the control device to the client, so as to request the device to verify the legality of the certificate.
It should be noted that, in an embodiment of the present application, the client may be the first client or the second client, and correspondingly, the authority certificate may be the first certificate or the second certificate. In addition, the client may also be any other client, and the received authority certificate is a certificate to which the server grants the authority to control the device. The specific client and the embodiments of the application for the certificate book are not limited.
It can be understood that, in the embodiment of the present application, the authority certificate is a certificate granting the client the authority to control the device, and therefore the client can send the authority certificate to the device so that the device performs validity verification, whereupon the client obtains the control authority over the device.
It should be noted that, in the embodiment of the present application, before sending the authority certificate to the device, the client may further perform the following step: establishing a secure channel with the device; the secure channel is a channel for transmitting the authority certificate to the device and receiving the message that the authority certificate has passed verification.
It can be understood that, in the embodiment of the present application, before sending the permission certificate to the device, the client may establish a secure channel with the device, and accordingly, the client may send the permission certificate to the device through the secure channel, thereby ensuring the security of information transceiving.
S502, when a message sent by the device indicating that the authority certificate has passed verification is received, determining that the authority authentication for the device has passed.
In the embodiment of the application, when the client receives a message sent by the device indicating that the authority certificate has passed verification, the client determines that the authority authentication for the device has passed.
It can be understood that, in the embodiment of the present application, after receiving the authority certificate sent by the client, the device may verify the validity of the authority certificate by using the verification information included in the device itself, so that, in the case that the verification is passed, a corresponding message is sent to the client, and the client may determine that the device has passed the authority authentication according to the message, and the client may further implement control over the device.
It should be noted that, in the embodiment of the present application, the authority certificate may include a start-stop time of the authority to control the device, and therefore, after determining that the authority authentication for the device has passed, the client may further perform the following step: controlling the device within the authority start-stop time.
It can be understood that, at present, the authorization duration of each authority authentication object cannot be controlled; for example, it is not possible to make a certain object's authority expire one day after authority authentication. In the embodiment of the present application, the authority start and end time is specified in the authority certificate, so that the duration of the authority can be limited.
Fig. 6 is a third schematic diagram of an exemplary interaction between a server and a client according to an embodiment of the present application. As shown in fig. 6, in the embodiment of the present application, a client may first establish a secure channel with a device, and then send an authority certificate to the device through the secure channel, so that the device verifies the validity of the authority certificate by using verification information, and when the authority certificate passes the verification, the client knows that the authority certificate passes the authority authentication, and may further control the device.
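The certificate flow described above (verification information held by the device, a second certificate for the first client, a first certificate issued on a share request, validity and start-stop time checked by the device) can be modelled end to end. The following is an added example written for this page; it is not code from the patent or its applicant. The page does not fix the format of the verification information or of the certificates, so the example assumes the verification information is a per-device HMAC key and that a certificate is a small payload (device, client, start-stop time) carrying an HMAC tag under that key; ids, timestamps and client names are constructed:

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed model of the certificate flow in the description. Assumptions
# (the page does not fix these formats): the "verification information" the
# server sends a device is a per-device HMAC key; an "authority certificate"
# is a payload naming the device, the client and the permission start-stop
# time, authenticated with an HMAC tag under that device's key.


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so the device recomputes the tag over identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Server:
    device_keys: dict = field(default_factory=dict)   # device_id -> verification information
    associations: dict = field(default_factory=dict)  # device_id -> first client id

    def generate_verification_info(self, device_id: str) -> bytes:
        """Verification information, generated by the server and sent to the device."""
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def _issue(self, device_id: str, client_id: str, not_before: int, not_after: int) -> dict:
        payload = {"device": device_id, "client": client_id,
                   "not_before": not_before, "not_after": not_after}
        tag = hmac.new(self.device_keys[device_id], _canonical(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}

    def issue_second_certificate(self, device_id, first_client, not_before, not_after) -> dict:
        """Second certificate: grants the first (associated) client control of the device."""
        self.associations[device_id] = first_client
        return self._issue(device_id, first_client, not_before, not_after)

    def handle_share_request(self, device_id, requester, second_client, not_before, not_after) -> dict:
        """First request: only the client associated with the device may share it."""
        if self.associations.get(device_id) != requester:
            raise PermissionError("requester holds no control authority over this device")
        return self._issue(device_id, second_client, not_before, not_after)


class Device:
    def __init__(self, device_id: str, verification_info: bytes):
        self.device_id = device_id
        self.key = verification_info

    def verify(self, cert: dict, now: int) -> tuple:
        """Validity verification of a presented certificate; returns (passed, reason)."""
        payload = cert["payload"]
        expected = hmac.new(self.key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cert["tag"]):
            return False, "tag mismatch"
        if payload["device"] != self.device_id:
            return False, "certificate issued for another device"
        if not payload["not_before"] <= now <= payload["not_after"]:
            return False, "outside permission start-stop time"
        return True, "verified"


class Client:
    def __init__(self, client_id: str):
        self.client_id = client_id
        self.cert = None

    def present(self, device: Device, now: int) -> bool:
        """S501/S502: send the certificate to the device; authenticated iff the device reports a pass."""
        passed, _reason = device.verify(self.cert, now)
        return passed


def demo() -> dict:
    """Walk the whole flow on constructed ids and timestamps (seconds)."""
    server = Server()
    device = Device("lamp-01", server.generate_verification_info("lamp-01"))
    owner, guest = Client("alice"), Client("bob")
    results = {}

    owner.cert = server.issue_second_certificate("lamp-01", "alice", 1_000, 2_000_000)
    results["owner_verified"] = owner.present(device, now=5_000)

    # A client that was never granted control cannot share the device.
    try:
        server.handle_share_request("lamp-01", "mallory", "bob", 1_000, 2_000)
        results["unauthorized_share_rejected"] = False
    except PermissionError:
        results["unauthorized_share_rejected"] = True

    # The owner shares the device for a one-day window.
    guest.cert = server.handle_share_request("lamp-01", "alice", "bob", 10_000, 10_000 + 86_400)
    results["guest_verified_in_window"] = guest.present(device, now=50_000)
    results["guest_verified_after_expiry"] = guest.present(device, now=10_000 + 86_401)

    # Extending the window without the device's key changes the tagged bytes; the tag no longer matches.
    forged = {"payload": dict(guest.cert["payload"], not_after=9_999_999), "tag": guest.cert["tag"]}
    results["forged_window_rejected"] = not device.verify(forged, now=9_000_000)[0]

    # Another device holds different verification information, so the guest's tag fails there.
    other_device = Device("plug-02", server.generate_verification_info("plug-02"))
    results["cross_device_rejected"] = not other_device.verify(guest.cert, now=50_000)[0]
    return results
```

The device-id comparison in `verify` is kept even though a per-device key already separates devices: if a deployment shared one key across several devices, that comparison is what still stops a certificate for one device from being accepted by another.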
The embodiment of the application also provides a server. Fig. 7 is a first schematic structural diagram of a server according to an embodiment of the present application. As shown in fig. 7, the server includes: a certificate generation module 701 and a first communication module 702;
the certificate generating module 701 is configured to generate a first certificate granting the second client the authority to control the device in response to the first communication module 702 receiving a first request, sent by a first client, for sharing the device with the second client; the first client has the authority to control the device;
the first communication module 702 is configured to send the first certificate to the second client; the first certificate is used for the second client to request permission authentication from the equipment.
In an embodiment of the present application, the server further includes: a first processing module 703 (not shown);
the first processing module 703 is configured to associate the first client with the device;
the certificate generating module 701 is further configured to generate a second certificate granting the first client the authority to control the device, and verification information; the verification information is used by the device to verify the validity of a received certificate;
the first communication module 702 is further configured to send the second certificate to the first client, and send the verification information to the device.
In an embodiment of the present application, the first processing module 703 is further configured to check feasibility of establishing association between the first client and the device in response to the first communication module 702 receiving a second request, sent by the first client, for establishing association with the device;
the first communication module 702 is further configured to send, to the first client, a response allowing the first client to establish association with the device if the checking result is feasible; and receiving an association request sent by the equipment based on the association establishment parameters, and associating the first client with the equipment according to the association request.
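The association flow just described (second request, feasibility check, allow response, association establishment parameter handed to the device, association request from the device) is modelled below. This is an added example for this page, not code from the patent or its applicant. The page does not say what the feasibility check consists of or what the association establishment parameter is, so the example assumes feasibility means the device is registered with the server and not yet associated with any client, and that the parameter is a one-time random token returned in the allow response which the device must echo in its own association request; device and client ids are constructed:

```python
import secrets
from dataclasses import dataclass, field

# Constructed model of the association flow in the description. Assumptions
# (not fixed by the page): "feasibility" means the device is registered with
# the server and not yet associated with any client, and the association
# establishment parameter is a one-time random token that the server returns
# in its allow response and the device must echo in its own association request.


@dataclass
class AssociationServer:
    registered_devices: set
    associations: dict = field(default_factory=dict)  # device_id -> client_id
    pending: dict = field(default_factory=dict)       # device_id -> (client_id, param)

    def check_feasibility(self, client_id: str, device_id: str) -> bool:
        """Server-side check run when the second request arrives."""
        return device_id in self.registered_devices and device_id not in self.associations

    def handle_second_request(self, client_id: str, device_id: str) -> dict:
        """Response to the first client: allow (with a parameter) or refuse."""
        if not self.check_feasibility(client_id, device_id):
            return {"allowed": False}
        param = secrets.token_hex(16)
        self.pending[device_id] = (client_id, param)
        return {"allowed": True, "association_param": param}

    def handle_association_request(self, device_id: str, param: str) -> bool:
        """Association request sent by the device; binds the device to the pending client."""
        entry = self.pending.get(device_id)
        if entry is None or not secrets.compare_digest(entry[1], param):
            return False
        client_id, _ = self.pending.pop(device_id)
        self.associations[device_id] = client_id
        return True


class Device:
    def __init__(self, device_id: str):
        self.device_id = device_id

    def accept_association_param(self, server: AssociationServer, param: str) -> bool:
        """The device forwards the parameter received from the client in its association request."""
        return server.handle_association_request(self.device_id, param)


class FirstClient:
    def __init__(self, client_id: str):
        self.client_id = client_id

    def associate(self, server: AssociationServer, device: Device) -> bool:
        """Second request to the server, then hand the parameter to the device if allowed."""
        response = server.handle_second_request(self.client_id, device.device_id)
        if not response["allowed"]:
            return False
        return device.accept_association_param(server, response["association_param"])


def demo() -> dict:
    server = AssociationServer(registered_devices={"lamp-01"})
    lamp = Device("lamp-01")
    results = {}
    results["first_association_ok"] = FirstClient("alice").associate(server, lamp)
    results["owner_recorded"] = server.associations.get("lamp-01") == "alice"
    # Device already associated: the server refuses a second client's request.
    results["second_owner_refused"] = not FirstClient("bob").associate(server, lamp)
    # Unregistered device: infeasible, so no parameter is issued.
    results["unknown_device_refused"] = not FirstClient("alice").associate(server, Device("plug-02"))
    # A device posting an association request without a server-issued parameter is ignored.
    server.registered_devices.add("plug-02")
    results["unsolicited_request_ignored"] = not server.handle_association_request("plug-02", "deadbeef")
    return results
```

The point of routing the parameter through the device is that the server only records an association when the device itself presents a value that the server handed to the requesting client moments earlier, so neither a device acting alone nor a client acting alone can complete the binding.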
In an embodiment of the present application, the first certificate and/or the second certificate include an authority start-stop time for controlling the authority of the device.
Fig. 8 is a schematic structural diagram of a server according to an embodiment of the present application. As shown in fig. 8, the server includes a first processor 801, a first memory 802, and a first communication bus 803;
the first communication bus 803 is used for realizing communication connection between the first processor 801 and the first memory 802;
the first processor 801 is configured to execute the first authentication program stored in the first memory 802, so as to implement the above-mentioned right authentication method applied to the server.
The embodiment of the application provides a first client. Fig. 9 is a first schematic structural diagram of a first client according to an embodiment of the present application. As shown in fig. 9, the first client includes:
a permission obtaining module 901, configured to obtain a control permission for the device;
a second communication module 902, configured to send, to the server, a first request for sharing the device with the second client; the first request is used for requesting the server to generate a first certificate for granting the second client the right to control the equipment; the first certificate is used for the second client to request permission authentication from the equipment.
In an embodiment of the present application, the second communication module 902 is further configured to send a second request for establishing association with the device to the server;
the second communication module 902 is further configured to send, when receiving a response that the server allows the first client to establish an association with the device, an association establishment parameter to the device, where the association establishment parameter is used for the first client to establish an association with the device;
the authority acquiring module 901 receives, through the second communication module 902, the second certificate sent by the server, so as to obtain the control authority over the device; the second certificate is a certificate by which the server grants the first client the authority to control the device.
Fig. 10 is a schematic structural diagram of a second client according to an embodiment of the present application. As shown in fig. 10, the first client includes a second processor 1001, a second memory 1002, and a second communication bus 1003;
the second communication bus 1003 is used for realizing communication connection between the second processor 1001 and the second memory 1002;
the second processor 1001 is configured to execute the second authentication program stored in the second memory 1002, so as to implement the above-mentioned right authentication method applied to the first client.
The embodiment of the application provides a client. Fig. 11 is a first schematic structural diagram of a client according to an embodiment of the present application. As shown in fig. 11, the client includes:
a third communication module 1101, configured to send the authority certificate to the device when receiving the authority certificate sent by the server; the authority certificate is a certificate granting the client the authority to control the device;
a permission determining module 1102, configured to determine that the permission authentication of the device has been passed when the third communication module 1101 receives a message that the permission certificate sent by the device passes verification.
In an embodiment of the present application, the third communication module 1101 is further configured to establish a secure channel with the device; the secure channel is a channel for sending the authority certificate to the device and receiving a message that the authority certificate passes the verification.
In an embodiment of the present application, the permission certificate includes a permission start-stop time, and the client further includes: a device control module 1103 (not shown in the figure);
the device control module 1103 is configured to control the device within the permission start-stop time.
Fig. 12 is a schematic structural diagram of a client according to an embodiment of the present application. As shown in fig. 12, the client includes a third processor 1201, a third memory 1202, and a third communication bus 1203;
the third communication bus 1203 is configured to implement a communication connection between the third processor 1201 and the third memory 1202;
the third processor 1201 is configured to execute a third authentication program stored in the third memory 1202 to implement the above-described authorization authentication method applied to the client.
An embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the above-mentioned authority authentication method. The computer-readable storage medium may be a volatile memory, such as a random-access memory (RAM); or a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or may be a respective device, such as a mobile phone, computer, tablet device, personal digital assistant, etc., that includes one or any combination of the above-mentioned memories.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of implementations of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block or blocks in the flowchart and/or block diagram block or blocks.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (16)

1. An authority authentication method applied to a server is characterized by comprising the following steps:
in response to receiving a first request sent by a first client for sharing a device with a second client, generating a first certificate granting the second client the authority to control the device; the first client has the authority to control the device;
after generating a first certificate granting the second client the authority to control the device, sending the first certificate to the second client; the first certificate is used for the second client to request permission authentication from the equipment;
wherein, before the generating of the first certificate granting the second client the right to control the device, the method further comprises:
generating a second certificate granting the first client the authority to control the device, and verification information, wherein the verification information is used by the device to perform validity verification on the received first certificate;
and sending the second certificate to the first client, and sending the verification information to the equipment.
2. The method of claim 1, wherein prior to the generating the first certificate granting the second client the right to control the device, the method further comprises:
associating the first client with the device.
3. The method of claim 2, wherein associating the first client with the device comprises:
in response to receiving a second request sent by the first client to establish an association with the device, checking feasibility of establishing the association of the first client with the device;
if the checking result is feasible, sending a response to the first client, wherein the response allows the first client to establish the association with the equipment;
and receiving an association request sent by the equipment based on the association establishment parameters, and associating the first client with the equipment according to the association request.
4. The method according to claim 2, characterized in that said first certificate and/or said second certificate contains a start-stop time of the authority to control said device.
5. A permission authentication method is applied to a first client, and is characterized by comprising the following steps:
acquiring a control authority of the equipment;
sending, to a server, a first request for sharing the device with a second client; the first request is used for requesting the server to generate a first certificate granting the second client the authority to control the device and to send the first certificate to the second client; the first certificate is used by the second client to request authority authentication from the device, and the device performs validity verification on the first certificate using verification information generated and sent by the server;
wherein the acquiring the control authority of the device comprises:
receiving a second certificate sent by the server to obtain the control authority of the device; the second certificate is a certificate by which the server grants the first client the authority to control the device.
6. The method of claim 5, wherein obtaining control authority over the device comprises:
sending a second request to the server to establish an association with the device;
when a response that the server allows the first client to establish the association with the device is received, sending association establishment parameters to the device; the association establishment parameter is used for the first client to establish association with the device.
7. A permission authentication method is applied to a second client, and is characterized by comprising the following steps:
when a first certificate sent by a server is received, sending the first certificate to a device; the first certificate is a certificate by which the server grants the second client the authority to control the device; the first certificate is generated after the server receives a first request, sent by a first client, for sharing the device with the second client; the device performs validity verification on the first certificate using verification information generated and sent by the server; the control authority of the first client over the device is obtained by receiving a second certificate sent by the server; the second certificate is a certificate by which the server grants the first client the authority to control the device;
when receiving a message that the first certificate sent by the device is verified, determining that the authority authentication of the device is passed.
8. The method of claim 7, wherein prior to sending the first certificate to the device, the method further comprises:
establishing a secure channel with the device; the secure channel is a channel through which the second client sends the first certificate to the device and receives a message that the first certificate passes verification.
9. The method of claim 7, wherein the first certificate includes a permission start-stop time, and wherein after determining that the permission of the device has been authenticated, the method further comprises:
and controlling the equipment within the permission start-stop time.
10. A server, comprising: a certificate generation module and a first communication module;
the certificate generation module is configured to generate a first certificate granting the second client the authority to control the device in response to the first communication module receiving a first request, sent by a first client, for sharing the device with the second client; the first client has the authority to control the device;
the first communication module is configured to send the first certificate to the second client after the certificate generation module generates the first certificate granting the second client the authority to control the device; the first certificate is used by the second client to request authority authentication from the device;
the certificate generation module is further configured to, before generating the first certificate granting the second client the authority to control the device, generate a second certificate granting the first client the authority to control the device, and verification information, where the verification information is used by the device to perform validity verification on the received first certificate;
the first communication module is further configured to send the second certificate to the first client, and send the verification information to the device.
11. A server, comprising a first processor, a first memory, and a first communication bus;
the first communication bus is used for realizing communication connection between the first processor and the first memory;
the first processor is configured to execute a first authentication program stored in the first memory to implement the rights authentication method as claimed in any one of claims 1 to 4.
12. A first client, comprising:
the authority acquisition module is used for acquiring the control authority of the equipment;
the second communication module is used for sending, to the server, a first request for sharing the device with a second client; the first request is used for requesting the server to generate a first certificate granting the second client the authority to control the device and to send the first certificate to the second client; the first certificate is used by the second client to request authority authentication from the device, and the device performs validity verification on the first certificate using verification information generated and sent by the server;
the second communication module is further used for receiving a second certificate sent by the server to obtain the control authority of the device; the second certificate is a certificate by which the server grants the first client the authority to control the device.
13. A first client, wherein the first client comprises a second processor, a second memory, and a second communication bus;
the second communication bus is used for realizing communication connection between the second processor and the second memory;
the second processor, configured to execute a second authentication program stored in the second memory, so as to implement the rights authentication method according to any one of claims 5 to 6.
14. A second client, comprising:
the third communication module is used for sending the first certificate to the device when receiving the first certificate sent by the server; the first certificate is a certificate generated after the server receives a first request, sent by a first client, for sharing the device with the second client; the device performs validity verification on the first certificate using verification information generated and sent by the server; the control authority of the first client over the device is obtained by receiving a second certificate sent by the server; the second certificate is a certificate by which the server grants the first client the authority to control the device;
and the authority determining module is used for determining that the authority authentication of the equipment is passed when the third communication module receives a message that the first certificate sent by the equipment passes the verification.
15. A second client, wherein the second client comprises a third processor, a third memory, and a third communication bus;
the third communication bus is used for realizing communication connection between the third processor and the third memory;
the third processor is configured to execute a third authentication program stored in the third memory to implement the rights authentication method according to any one of claims 7 to 9.
16. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the rights authentication method according to any one of claims 1-9.
CN202010896227.4A 2020-08-31 2020-08-31 Authority authentication method, server, client and storage medium Active CN111970306B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010896227.4A CN111970306B (en) 2020-08-31 2020-08-31 Authority authentication method, server, client and storage medium

Publications (2)

Publication Number Publication Date
CN111970306A CN111970306A (en) 2020-11-20
CN111970306B true CN111970306B (en) 2022-11-04

Family

ID=73399497

Country Status (1)

Country Link
CN (1) CN111970306B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023240587A1 (en) * 2022-06-17 2023-12-21 Oppo广东移动通信有限公司 Device permission configuration method and apparatus, and terminal device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107070863A (en) * 2016-01-29 2017-08-18 谷歌公司 Local device certification
CN107612870A (en) * 2016-07-11 2018-01-19 香港理工大学深圳研究院 Delegable method, server, terminal and the internet of things equipment of internet of things equipment
CN110687819A (en) * 2019-11-06 2020-01-14 宁波智轩物联网科技有限公司 Residential management system based on intelligent home system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6198477B2 (en) * 2013-06-21 2017-09-20 キヤノン株式会社 Authority transfer system, authorization server system, control method, and program
FR3057085A1 (en) * 2016-09-30 2018-04-06 Orange CONTROL OF DELEGATION OF RIGHTS
CN106992989B (en) * 2017-05-17 2020-06-23 广东美的制冷设备有限公司 Sharing authorization method of smart home, server and readable storage medium
CN109587101B (en) * 2017-09-29 2021-04-13 腾讯科技(深圳)有限公司 Digital certificate management method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant