WO2022170583A1 - Permission configuration method and apparatus in internet of things, device, and storage medium - Google Patents


Info

Publication number: WO2022170583A1
Authority: WO (WIPO, PCT)
Prior art keywords: client device, information, verification, certificate, configuration
Application number: PCT/CN2021/076574
Other languages: French (fr), Chinese (zh)
Inventors: 茹昭, 张军, 吕小强, 包永明
Original assignee: Oppo广东移动通信有限公司
Priority application: PCT/CN2021/076574
Related application claiming priority: CN202180070751.9A (published as CN116325661A)

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
                    • H04W 4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/60 Context-dependent security
                        • H04W 12/69 Identity-dependent
                            • H04W 12/77 Graphical identity
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
                    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                        • H04L 63/101 Access control lists [ACL]
                    • H04L 63/12 Applying verification of the received information
                        • H04L 63/126 Applying verification of the received information the source of the received data

Definitions

  • the present application relates to the technical field of the Internet of Things, and in particular, to a method, apparatus, device, and storage medium for rights configuration in the Internet of Things.
  • the user can remotely control the functional operation of the server device through the client device.
  • IoT: Internet of Things
  • the administrator of the server device can share the access control authority of the server device with other users.
  • the process of sharing the access control authority of the server device is as follows: the client device of the administrator of the server device generates an activation token and provides it to the server device and to the shareee's client device respectively; after the shareee's client device and the server device authenticate each other through the activation token and establish a secure connection, the access control authority of the shareee's client device over the server device is configured.
  • the server device will then be controlled by an illegal client device, which affects the security of access control authority sharing of the server device.
  • Embodiments of the present application provide a method, apparatus, device, and storage medium for rights configuration in the Internet of Things.
  • the technical solution is as follows:
  • an embodiment of the present application provides a method for configuring rights in the Internet of Things, where the method is executed by a first client device, and the first client device has management rights of a server device; the method includes:
  • the first verification information is generated based on the first random value
  • an embodiment of the present application provides a method for configuring rights in the Internet of Things, the method is executed by a second client device, and the method includes:
  • the first client device has the management authority of the server device;
  • so that the server device opens permissions to the second client device; the first verification information is generated based on the first random value.
  • an embodiment of the present application provides a method for configuring rights in the Internet of Things, the method is executed by a server device, and the method includes:
  • receiving configuration trigger information sent by a first client device, where the configuration trigger information is sent after the first client device sends a first verification request containing a first random value to a second client device and receives the first verification information sent by the second client device
  • the permission is opened to the second client device.
  • an embodiment of the present application provides an apparatus for configuring rights in the Internet of Things, where the apparatus is used in a first client device, and the first client device has management rights of a server device; the apparatus includes:
  • a first verification request sending module configured to send a first verification request to the second client device, where the first verification request includes a first random value
  • a first verification information receiving module configured to receive the first verification information sent by the second client device; the first verification information is generated based on the first random value;
  • a first verification module configured to verify the first verification information
  • a configuration triggering module configured to trigger, through the configuration trigger information, the server device to open permissions to the second client device when the first verification information passes the verification.
  • an embodiment of the present application provides an apparatus for configuring rights in the Internet of Things, where the apparatus is used in a second client device, and the apparatus includes:
  • a first verification request receiving module configured to receive a first verification request sent by a first client device, where the first verification request includes a first random value; the first client device has the administrative rights;
  • a first verification information sending module configured to send first verification information to the first client device, so that the first client device, after the first verification information passes verification, triggers the server device through configuration trigger information to open permissions to the second client device; the first verification information is generated based on the first random value.
  • an embodiment of the present application provides an apparatus for configuring permissions in the Internet of Things, where the apparatus is used in a server device, and the apparatus includes:
  • a configuration trigger information receiving module configured to receive the configuration trigger information sent by the first client device;
  • the configuration trigger information is sent after the first client device sends a first verification request containing a first random value to the second client device, receives the first verification information sent by the second client device, and verifies the first verification information successfully; the first verification information is generated based on the first random value;
  • a rights opening module configured to open rights to the second client device according to the configuration trigger information.
  • an embodiment of the present application provides an IoT device, the IoT device includes a processor, a memory, and a transceiver, the memory stores a computer program, and the computer program is configured to be executed by the processor, in order to realize the above-mentioned permission configuration method in the Internet of Things.
  • an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to implement the above method for configuring rights in the Internet of Things.
  • the present application also provides a chip, which is used to run in an IoT device, so that the IoT device executes the above-mentioned permission configuration method in the IoT.
  • the present application provides a computer program product comprising computer instructions stored in a computer-readable storage medium.
  • the processor of the Internet of Things device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the Internet of Things device executes the above-mentioned permission configuration method in the Internet of Things.
  • the present application provides a computer program, the computer program being executed by a processor of an Internet of Things device, so as to implement the above method for configuring rights in the Internet of Things.
  • before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return verification information through the first random value, and then verifies that information to verify the legitimacy of the second client device. Only after the second client device is verified as legal is the authority of the server device shared with it, which avoids sharing the access control authority of the server device with an illegal client device and improves the security of access control permission sharing of the server device.
  • FIG. 1 is a schematic diagram of a network architecture of the Internet of Things provided by an embodiment of the present application.
  • FIG. 2 is a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application.
  • FIG. 3 is a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application.
  • FIG. 4 is a schematic diagram of a permission sharing process flow of the server device involved in the embodiment shown in FIG. 3.
  • FIG. 5 is a schematic diagram of a rights sharing process flow of the server device involved in the embodiment shown in FIG. 3.
  • FIG. 6 is a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application.
  • FIG. 7 is a schematic diagram of a permission sharing process flow of the server device involved in the embodiment shown in FIG. 6.
  • FIG. 8 is a block diagram of an apparatus for configuring rights in the Internet of Things provided by an embodiment of the present application.
  • FIG. 9 is a block diagram of an apparatus for configuring rights in the Internet of Things provided by an embodiment of the present application.
  • FIG. 10 is a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of an Internet of Things device provided by an embodiment of the present application.
  • the network architecture and service scenarios described in the embodiments of the present application are for the purpose of illustrating the technical solutions of the embodiments of the present application more clearly, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application.
  • as the network architecture evolves and new business scenarios emerge, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
  • FIG. 1 shows a schematic diagram of a network architecture of the Internet of Things provided by an embodiment of the present application.
  • the network architecture of the Internet of Things may include: a server device 110 and at least two client devices 120; optionally, the network architecture may further include a gateway device 130, a cloud server 140, and the like.
  • the server device 110 may be a device for providing Internet of Things functional services.
  • the server device 110 may be a smart home device, for example, a smart lamp, a smart TV, a smart air conditioner, a smart refrigerator, a smart microwave oven, a smart rice cooker, a cleaning robot, and the like.
  • the server device 110 may be an industrial production device such as a lathe, an industrial robot, a solar panel, a wind turbine, and the like.
  • the server device 110 may be a commercial service device, such as a vending machine or the like.
  • the server device 110 may be an intelligent monitoring device, such as a monitoring camera, an infrared sensor, a sound sensor, a temperature sensor, and the like.
  • the client device 120 is a terminal device on the user side.
  • the client device may be a smart phone, a tablet computer, a smart watch, etc.; or, the client device may also be a personal computer, such as a desktop computer, a laptop computer, a personal workstation, and the like.
  • the client device 120 is a client entity (which may be a virtual entity) running on the terminal device.
  • Application (APP): an application that performs operations such as access, control, and management.
  • At least one client device 120 has the management authority of the server device 110.
  • the gateway device 130 is a network device that realizes network interconnection above the network layer, and is also called an inter-network connector, a protocol converter, and the like.
  • the gateway device 130 provides network connection services for the server device 110.
  • the gateway device 130 may be a professional gateway, such as a home gateway, or the gateway device 130 may also be an access device with a gateway function, such as a router with a gateway function.
  • the cloud server 140 is a server deployed on the network side.
  • the above-mentioned server device 110, client device 120, gateway device 130, and cloud server 140 may be IoT devices that meet industry standards, for example, IoT devices that meet the requirements of the Open Connectivity Foundation (OCF) specification.
  • OCF: Open Connectivity Foundation
  • the server device 110 and the gateway device 130 are connected through a wired or wireless network, and the cloud server 140 is respectively connected with the gateway device 130 and the client device 120 through a wired or wireless network.
  • the above wired or wireless network uses standard communication technologies and/or protocols.
  • the above wired or wireless network may be a communication network based on the IoT protocol of the Internet of Things.
  • different client devices may be in different Internet Ecosystems.
  • the ecosystem of a smart home refers to a collection of devices that share the same trust center and can communicate with each other; certificates can be exchanged between devices for device control; for example, devices in manufacturer A's Internet ecosystem are issued certificates through manufacturer A's platform.
  • the device with the certificate of the platform of manufacturer A and the device with the certificate of the platform of manufacturer B cannot communicate with each other even if they are connected to the same local area network, that is, the two belong to different Internet ecological environments.
  • the process can be as follows:
  • the APP installed on Alice's smartphone, that is, the ecosystem A APP, generates an activation token (Onboarding Token, OT).
  • the ecosystem A APP sends an instruction to the Bulb to enable configuration; the instruction carries the activation token OT.
  • the ecosystem A APP shares the OT with the application installed on Bob's smartphone, namely the ecosystem B APP, through an out-of-band method such as email or voice.
  • the ecosystem B APP creates a fabric ID (fabricID) for the home network.
  • the ecosystem B APP sends CSR.bulb and the fabricID to the ecosystem B certification center (Certificate Authority, CA) to request a device certificate.
  • CA: Certificate Authority
  • the device certificate B.OC.bulb is generated and returned to the ecosystem B APP.
  • the device certificate is also called the device operational credential (Operational Credential, OC).
  • the ecosystem B APP configures the device certificate B.OC.bulb and the access control authority ACL.Bulb.B.APP1 on the Bulb, that is, adds ACL.Bulb.B.APP1 to the Bulb's Access Control List (ACL).
  • ACL: Access Control List
  • FIG. 2 shows a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application.
  • the method can be executed interactively between a first client device, a second client device, and a server device.
  • the first client device and the second client device may be the client device 120 of the network architecture shown in FIG. 1
  • the server device may be the server device 110 of the network architecture shown in FIG. 1; the method can include the following steps:
  • Step 201 the first client device sends a first verification request to the second client device, where the first verification request includes a first random value; correspondingly, the second client device receives the first verification request including the first random value.
  • the first client device may be a client device having the management authority of the server device.
  • Step 202 the second client device sends first verification information to the first client device, where the first verification information is generated based on the first random value.
  • Step 203 the first client device verifies the first verification information.
  • Step 204 when the first verification information passes the verification, the first client device triggers the server device to open the authority to the second client device by configuring the trigger information.
  • Step 205 The server device receives the configuration trigger information sent by the first client device, and opens the authority to the second client device according to the configuration trigger information.
  • before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return verification information through the first random value, and then verifies that information to verify the legitimacy of the second client device. Only after the second client device is verified as legal is the authority of the server device shared with it, which avoids sharing the access control authority of the server device with an illegal client device and improves the security of access control authority sharing of the server device.
  • a channel for validating the root certificate of the second client device can be provided for the first client device.
  • FIG. 3 shows a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application.
  • the method can be executed interactively between a first client device, a second client device, and a server device.
  • the first client device and the second client device may be the client device 120 of the network architecture shown in FIG. 1
  • the server device may be the server device 110 of the network architecture shown in FIG. 1; the method can include the following steps:
  • Step 301 Establish a first secure connection between the first client device and the second client device.
  • a secure connection with the second client device may be established first.
  • a direct secure connection may be established between the first client device and the second client device.
  • the second client device may display a two-dimensional code (QR code) that carries the connection establishment information of the second client device; the first client device scans the two-dimensional code displayed by the second client device to obtain that connection establishment information; after that, the first client device and the second client device establish the first secure connection between them according to the connection establishment information.
  • a secure connection may be established between the first client device and the second client device through a cloud server, for example, a secure connection may be established through a server of an instant messaging platform.
  • a secure connection may be established between the first client device and the second client device through a local area network device, for example, a secure connection may be established through a routing device in the local area network.
  • the first client device and the second client device may belong to different IoT ecosystems.
  • alternatively, the first client device and the second client device may belong to the same IoT ecosystem.
  • Step 302 the first client device sends a first verification request to the second client device, and the first verification request includes a first random value; correspondingly, the second client device receives the first verification request including the first random value.
  • the first client device may be a client device having the management authority of the server device.
  • the first client device may send a first verification request including the first random value to the second client device through the first secure connection with the second client device.
  • Step 303 the second client device sends the first verification information to the first client device; correspondingly, the first client device receives the first verification information.
  • the first verification information includes first signature information, a first root certificate, and a first operation credential.
  • the first signature information is obtained by signing the target data with the first private key of the second client device;
  • the target data includes the first random value; the first operation credential is issued through the first root certificate.
  • the target data further includes at least one of the first root certificate and the first operation credential.
  • the second client device may use the first private key to sign the first random value (optionally together with the first root certificate and/or the first operation credential) to obtain the above-mentioned first signature information.
  • the above-mentioned first private key may be a private key used for operation in the second client device.
  • the first operation credential is issued by a second private key of the second client device; wherein, the second private key may be the private key of the root certificate of the second client device.
  • the second client device is provided with a first private key and a first public key for operation.
  • the root certificate of the second client device also corresponds to a pair of public and private keys, namely the second private key and second public key.
  • after receiving the first verification request containing the first random value sent by the first client device, the second client device can use the first private key to sign the target data. For example, the second client device performs a hash calculation on the first random value to obtain its hash value, and then uses the first private key to encrypt that hash value to obtain the first signature information.
  • the above-mentioned first operation credential may be issued, based on the root certificate, by a cloud platform (such as a certification center) corresponding to the second client device.
  • when the second client device opens the APP for the first time, it can apply to the corresponding cloud platform for an APP certificate (that is, the above-mentioned first operation credential), and the cloud platform issues the APP certificate for the second client device according to the root certificate.
  • for the process of verifying the first verification information, reference may be made to subsequent steps 304 to 306.
  • Step 304 the first client device performs a legality query on the first root certificate, and obtains a legality authentication result of the first root certificate.
  • the root certificates of each IoT ecological environment are stored in a common blockchain (Ledger).
  • the root certificates of each IoT ecosystem are stored on a common server, and the server takes security measures so that the stored root certificates can only be queried and cannot be tampered with; or, the root certificates of each IoT ecosystem are stored on their own servers.
  • the server takes security measures so that the stored root certificate can only be queried and cannot be tampered with.
  • the APP in each client device stores the root certificate of each IoT ecological environment, and ensures that the stored root certificate is safe and tamper-proof.
  • the above-mentioned method of performing a legality query on the first root certificate and obtaining the legality authentication result of the first root certificate may include:
  • when the root certificates of each IoT ecosystem are uniformly stored on the blockchain, the first client device can query the blockchain for the first root certificate to obtain the legality authentication result of the first root certificate.
  • the first client device may send the first root certificate to the blockchain, and the blockchain returns the validity authentication result of the first root certificate.
  • when the root certificates of each IoT ecosystem are uniformly stored on the server, the first client device stores the preset address of the server, and the first client device can query the server for the first root certificate according to the preset address to obtain the validity authentication result of the first root certificate.
  • querying the server corresponding to the query address for the first root certificate, and obtaining the validity authentication result of the first root certificate; wherein the first verification information also includes the query address.
  • when the root certificates of each IoT ecosystem are stored on their respective servers, the first verification information returned by the second client device also carries the query address of the server of the IoT ecosystem in which the second client device is located.
  • the first client device can then query that server for the first root certificate according to the query address carried in the first verification information, to obtain the legality authentication result of the first root certificate.
  • the first client device can also query the first root certificate locally to obtain the legality authentication result of the first root certificate. For example, the first client device checks whether the first root certificate is already stored locally; if so, it confirms that the first root certificate is valid, otherwise it confirms that the first root certificate is invalid.
  • Step 305 when the validity authentication result indicates that the first root certificate is valid, the first client device verifies the first operation certificate according to the first root certificate.
  • the above-mentioned step of verifying the first operation credential according to the first root certificate may include:
  • the first operation credential is verified according to the second public key of the second client device carried in the first root certificate.
  • the first root certificate may carry the public key of the root certificate of the second client device (that is, the second public key). After confirming that the first root certificate is legal, the first client device may obtain the second public key from the first root certificate and use it to verify the first operation credential.
  • the first client device can decrypt the signature in the APP certificate (that is, the first operation credential) by using the second public key to obtain the hash value of the APP certificate.
  • the first client device uses the same hash algorithm to hash the signed part of the APP certificate to obtain a hash value, and then compares the two hash values. If they are the same, the verification of the first operation credential is determined to pass; otherwise it is determined to fail.
  • Step 306 when the first operation credential passes the verification, the first client device verifies the first signature information according to the first operation credential.
  • the above-mentioned step of verifying the first signature information according to the first operation credential includes:
  • the first signature information is verified according to the first public key of the second client device carried in the first operation certificate.
  • the above-mentioned APP certificate carries a first public key (also referred to as an APP public key) corresponding to the first private key.
  • the first client device may The first public key is obtained from the APP certificate, and then the first signature information is verified by using the first public key.
  • the first client device decrypts the first signature information (signature) by using the APP public key to obtain a hash value of the first random value, and in addition, uses the same hash algorithm to hash the first random value to obtain Hash value, compare the above two hash values, if they are the same, it is determined that the verification of the first signature information passes, otherwise, it is determined that the verification of the first signature information fails.
  • Alternatively, after the first root certificate passes the legality authentication, the first client device may verify only the first operation credential or only the first signature information. In the former case, the first operation certificate is verified according to the first root certificate after the root certificate has been authenticated, or the first operation certificate is verified directly according to the first root certificate; if the first operation certificate passes verification, the first verification information is considered to have passed verification. In the latter case, the first client device verifies the first signature information directly according to the first operation credential after the first root certificate has passed the legality verification; if that verification passes, the first verification information is considered to have passed verification.
  • Alternatively, the first client device verifies both the first operation credential and the first signature information, either after the first root certificate passes the validity authentication or directly,
  • and the two verification results determine whether the first verification information passes verification.
  • For example, the first client device may verify the first operation credential according to the first root certificate and, at the same time, verify the first signature information according to the first operation credential; once the signature information passes verification, the first verification information is considered to have passed verification.
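The certificate check and the Step 306 signature check in working form, as an added example that is not part of the patent and not Oppo's code: the second client device returns its root certificate, its operation certificate and a signature over the first random value; the first client device confirms that the operation certificate was issued by the root certificate, then verifies the signature with the APP public key carried in the operation certificate, which for RSA is the "decrypt the signature with the APP public key and compare hashes" procedure described above. RSA-2048 with SHA-256 and PKCS#1 v1.5 signatures, X.509 as the certificate encoding, the subject names and the identifiers `Ecosystem`, `VerificationInfo`, `NewEcosystem`, `Respond` and `Verify` are assumptions of this example; the legality authentication of the root certificate itself (the query to the server behind the query address) is assumed to be performed separately.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Ecosystem models one IoT ecosystem (B in FIG. 4): a root certificate RC.B and an
// operation certificate OC.B.APP issued by it. Keys, lifetime and names are assumptions.
type Ecosystem struct {
	RootCert *x509.Certificate
	OpCert   *x509.Certificate
	OpKey    *rsa.PrivateKey // first (operation) private key
}

// VerificationInfo is the first verification information returned to the
// first client device: RC, OC and the signature over the first random value.
type VerificationInfo struct {
	RootCertDER, OpCertDER, Signature []byte
}

func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewEcosystem builds a self-signed root and an operation certificate signed
// by the root key, which is the issuing relation the first client device checks.
func NewEcosystem(name string) (*Ecosystem, error) {
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	opKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "RC." + name},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootCert, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	opTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "OC." + name + ".APP"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	opCert, err := issue(opTmpl, rootCert, &opKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &Ecosystem{RootCert: rootCert, OpCert: opCert, OpKey: opKey}, nil
}

// Respond is the second client device's side: sign the nonce with the operation
// private key (SHA-256 + PKCS#1 v1.5) and return RC, OC and the signature.
func (e *Ecosystem) Respond(nonce []byte) (*VerificationInfo, error) {
	digest := sha256.Sum256(nonce)
	sig, err := rsa.SignPKCS1v15(rand.Reader, e.OpKey, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &VerificationInfo{RootCertDER: e.RootCert.Raw, OpCertDER: e.OpCert.Raw, Signature: sig}, nil
}

// Verify is the first client device's side of Step 306 and the preceding certificate check:
// OC must be issued by RC, and the signature must verify under OC's APP public key for this nonce.
func Verify(nonce []byte, info *VerificationInfo) error {
	root, err := x509.ParseCertificate(info.RootCertDER)
	if err != nil {
		return err
	}
	op, err := x509.ParseCertificate(info.OpCertDER)
	if err != nil {
		return err
	}
	if err := op.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("operation certificate not issued by root certificate: %w", err)
	}
	if err := op.CheckSignature(x509.SHA256WithRSA, nonce, info.Signature); err != nil {
		return fmt.Errorf("signature over first random value invalid: %w", err)
	}
	return nil
}
```

A caller (or a test) builds the second client device's ecosystem with `NewEcosystem`, obtains its answer to a fresh nonce with `Respond` and runs `Verify` as the first client device. A response replayed under a different nonce fails the signature check, and an operation certificate from another ecosystem presented together with this root certificate fails `CheckSignatureFrom`, which is exactly the illegitimate client the text says must not receive permissions.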
  • Step 307: when the first verification information passes verification, the first client device triggers the server device to open permissions to the second client device through configuration trigger information.
  • When the first verification information passes verification, the first client device can trigger a configuration interaction between the server device and the second client device through the configuration trigger information, so that the server device
  • opens permissions to the second client device.
  • Step 308: the server device receives the configuration trigger information sent by the first client device, and opens permissions to the second client device according to the configuration trigger information.
  • When sending the configuration trigger information, the first client device may send first configuration trigger information to the second client device and second configuration trigger information to the server device; the first configuration trigger information includes the activation token, and the second configuration trigger information includes the activation token and the first operation credential.
  • That is, the first client device may generate an activation token OT and, based on OT, send configuration trigger information to the server device and to the second client device respectively, so as to trigger the process in which the server device opens permissions to the second client device.
  • The process may be as follows:
  • The second client device receives the first configuration trigger information sent by the first client device.
  • S308a2: the server device receives the second configuration trigger information sent by the first client device.
  • The second client device and the server device establish a second secure connection between them according to the activation token.
  • The server device sends a second verification request to the second client device, where the second verification request includes a second random value; correspondingly, the second client device receives the second verification request including the second random value sent by the server device.
  • The server device may send the second verification request including the second random value to the second client device through the above-mentioned second secure connection.
  • The second client device sends second verification information to the server device, and correspondingly, the server device receives the second verification information;
  • the second verification information includes the first operation certificate and fourth signature information, where the fourth signature information is obtained by signing the second random value with the first private key.
  • The server device verifies the second verification information according to the first operation credential included in the second configuration trigger information.
  • The above verification of the second verification information according to the first operation credential included in the second configuration trigger information includes:
  • verifying the second signature information according to the first operation certificate.
  • That is, the server device may first compare the first operation certificate in the second verification information with the first operation certificate notified by the first client device; if the two are consistent, the second signature information is verified through the first operation certificate.
  • The verification of the second signature information according to the first operation credential includes:
  • verifying the second signature information according to the first public key of the second client device carried in the first operation certificate.
  • Specifically, the server device decrypts the second signature information with the APP public key to obtain a hash value of the second random value; in addition, it hashes the second random value with the same hash algorithm to obtain a second hash value, and compares the two. If the two hash values are the same, the second signature information is determined to pass verification; otherwise, it is determined to fail.
  • S308a7: after the second verification information passes verification, the server device sends a certificate signing request to the second client device, and correspondingly, the second client device receives the certificate signing request sent by the server device.
  • The server device may send the certificate signing request to the second client device through the second secure connection.
  • The second client device performs rights configuration in the server device according to the certificate signing request.
  • The process of the second client device performing rights configuration in the server device may include:
  • configuring access control authority information in the access control list (ACL) of the server device, where the access control authority information includes an access control entry, the accessible data corresponding to the access control entry, the entity that has the right to access the accessible data, and the authorized access methods.
  • When the first client device and the second client device belong to different IoT ecosystems, the second client device needs to request the authentication center of the IoT ecosystem where it is located to assign a device certificate, and then configure the device certificate, the first root certificate and the access control authority information in the server device, so as to obtain access control capability over the server device.
  • Correspondingly, the server device receives the device certificate, the first root certificate of the second client device and the access control authority information configured by the second client device.
  • FIG. 4 shows a schematic flowchart of a permission sharing process of a server device involved in an embodiment of the present application.
  • Assume that the ecosystem A APP is the administrator of the lamp device Bulb;
  • the process of adding the ecosystem B APP as an administrator of Bulb is as follows:
  • The ecosystem A APP sends a verification request to the ecosystem B APP; the request carries a random value nonce (i.e., the above-mentioned first random value).
  • The ecosystem B APP signs the nonce with its (operation) private key (i.e., the above-mentioned first private key), and returns the root certificate RC.B, the APP certificate OC.B.APP and the signature Signature to the ecosystem A APP.
  • The APP certificate is issued by the root certificate and is used to establish a control connection between the APP and the controlled device.
  • The ecosystem A APP uses OC.B.APP to further verify the signature Signature, that is, it verifies the signature with the APP (operation) public key in OC.B.APP (i.e., the above-mentioned first public key).
  • The ecosystem A APP generates a configuration token OT.
  • The ecosystem A APP sends an "enable configuration" instruction to Bulb; the instruction carries the configuration token OT and OC.B.APP.
  • The ecosystem B APP generates a fabricID and sends CSR.bulb and the fabricID to the ecosystem B CA to request a device certificate.
  • The device certificate B.OC.bulb is generated and returned to the ecosystem B APP.
  • The ecosystem B APP configures the device certificate B.OC.bulb and the access control authority ACL.Bulb.B.APP1 in the Bulb.
  • In another embodiment, when the first client device triggers the server device to open permissions to the second client device through the configuration trigger information, it sends third configuration trigger information to the server device; the third configuration trigger information contains the activation token and the first public key of the second client device.
  • That is, the first client device may also send configuration trigger information to the server device based on the activation token OT, so as to trigger the process in which the server device opens permissions to the second client device.
  • The process may be as follows:
  • The server device receives the third configuration trigger information sent by the first client device.
  • The server device encrypts the activation token according to the first public key and obtains the encrypted activation token.
  • The server device sends the encrypted activation token to the second client device.
  • The second client device receives the encrypted activation token sent by the server device.
  • The second client device decrypts the encrypted activation token according to the first public key to obtain the activation token.
  • The second client device and the server device establish a third secure connection between them according to the activation token.
  • The server device sends a certificate signing request to the second client device, and correspondingly, the second client device receives the certificate signing request sent by the server device.
  • The second client device performs rights configuration in the server device according to the certificate signing request.
  • FIG. 5 shows a schematic flowchart of a permission sharing process of a server device involved in an embodiment of the present application.
  • Assume that the ecosystem A APP is the administrator of Bulb;
  • the process of adding the ecosystem B APP as an administrator of Bulb is as follows:
  • The ecosystem A APP sends a verification request to the ecosystem B APP; the request carries a random value nonce.
  • The ecosystem B APP signs the nonce with its (operation) private key, and returns the root certificate RC.B, the APP certificate OC.B.APP and the signature Signature to the ecosystem A APP.
  • The APP certificate is issued by the root certificate and is used to establish a control connection between the APP and the controlled device.
  • The ecosystem A APP uses RC.B to verify OC.B.APP, that is, the signature on the APP certificate OC.B.APP is verified with the public key of the root certificate.
  • The ecosystem A APP generates a configuration token OT.
  • The ecosystem A APP sends an "enable configuration" instruction to Bulb; the instruction carries the configuration token OT and the (operation) public key PuK.B.APP of the ecosystem B APP.
  • The ecosystem B APP decrypts with its (operation) private key to obtain OT, and both parties use OT to establish a secure connection.
  • The ecosystem B APP sends CSR.bulb and the fabricID to the ecosystem B CA to request a device certificate. After the ecosystem B CA authenticates the request, the device certificate B.OC.bulb is generated and returned to the ecosystem B APP.
  • The ecosystem B APP configures the device certificate B.OC.bulb and the access control authority ACL.Bulb.B.APP1 in the Bulb.
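The encrypted-token variant (the third configuration trigger information above and the FIG. 5 flow) together with the ACL configuration that ends it, as an added example that is not from the patent or from Oppo: the server device encrypts OT under the second client device's operation public key, the client recovers it with the matching operation private key (the FIG. 5 flow says the private key; a token encrypted to a public key can only be opened with that key pair's private key), both sides derive a connection key from OT, and the server installs an access control entry only when the configuration message is authenticated under that key, so a party that never obtained OT cannot write to the ACL. RSA-OAEP for the token, HMAC-SHA256 for key derivation and message authentication, the field names of `ACLEntry`, and the identifiers `ServerDevice`, `NewOperationKey`, `EncryptToken`, `DecryptToken`, `SessionKey`, `Tag`, `EnableConfiguration` and `ConfigureACL` are assumptions of this example; the device certificate (CSR) step is left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// ACLEntry is one access control entry as the page lists it: the
// accessible data, the entity allowed to access it and the authorized
// access methods. Field names are assumptions of this example.
type ACLEntry struct {
	Subject  string   // entity granted access, e.g. the ecosystem B APP
	Resource string   // accessible data on the server device
	Methods  []string // authorized access methods
}

// ServerDevice models the controlled device (Bulb). After the administrator's
// "enable configuration" instruction it holds the key derived from OT and
// accepts ACL entries only over the connection established from OT.
type ServerDevice struct {
	sessionKey []byte
	ACL        []ACLEntry
}

const tokenLabel = "configuration-token" // OAEP label, an assumption

// NewOperationKey generates the second client device's operation key pair
// (RSA-2048 here; the page does not fix the algorithm).
func NewOperationKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptToken is the server device's step: wrap the configuration token
// OT with the second client device's operation public key (RSA-OAEP).
func EncryptToken(pub *rsa.PublicKey, token []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, token, []byte(tokenLabel))
}

// DecryptToken is the client's step: only the holder of the operation
// private key matching that public key can recover OT.
func DecryptToken(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, []byte(tokenLabel))
}

// SessionKey derives the key of the third secure connection from OT;
// both parties compute it independently once they hold the token.
func SessionKey(token []byte) []byte {
	mac := hmac.New(sha256.New, token)
	mac.Write([]byte("third-secure-connection"))
	return mac.Sum(nil)
}

// Tag authenticates an ACL configuration message under the session key,
// so the server can tell that it came from the holder of OT.
func Tag(sessionKey []byte, e ACLEntry) []byte {
	mac := hmac.New(sha256.New, sessionKey)
	mac.Write([]byte(e.Subject))
	mac.Write([]byte{0})
	mac.Write([]byte(e.Resource))
	for _, m := range e.Methods {
		mac.Write([]byte{0})
		mac.Write([]byte(m))
	}
	return mac.Sum(nil)
}

// EnableConfiguration is what the "enable configuration" instruction does
// on the server: keep the key derived from OT and return OT encrypted
// for the second client device.
func (s *ServerDevice) EnableConfiguration(token []byte, clientPub *rsa.PublicKey) ([]byte, error) {
	s.sessionKey = SessionKey(token)
	return EncryptToken(clientPub, token)
}

// ConfigureACL is the rights configuration step: the entry is installed
// only if the tag proves the sender knows OT.
func (s *ServerDevice) ConfigureACL(e ACLEntry, tag []byte) error {
	if s.sessionKey == nil {
		return errors.New("configuration not enabled by an administrator")
	}
	if !hmac.Equal(tag, Tag(s.sessionKey, e)) {
		return errors.New("ACL configuration rejected: not authenticated with OT")
	}
	s.ACL = append(s.ACL, e)
	return nil
}
```

In use, the administrator's instruction becomes `EnableConfiguration(OT, PuK.B.APP)` on the Bulb, whose result is forwarded to the ecosystem B APP; the APP calls `DecryptToken` with its operation private key, derives `SessionKey(OT)`, and sends its `ACLEntry` with `Tag(key, entry)`; the Bulb accepts it in `ConfigureACL`. A device that was never enabled, or a message tagged under a guessed key, is rejected.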
  • To sum up, before the first client device shares its authority over the server device with the second client device, it first triggers the second client device to return verification information by means of the first random value, and then verifies that verification information to check the legitimacy of the second client device. Only after the second client device is verified as legitimate is the authority over the server device shared with it, which avoids sharing access control authority with illegitimate client devices and improves the security of access control authority sharing of the server device.
  • In other embodiments, the first client device and the second client device may both be authenticated through a unified platform, which issues authentication information to each of them.
  • FIG. 6 shows a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application.
  • The method can be executed interactively between a first client device, a second client device and a server device.
  • The first client device and the second client device may be the client device 120 of the network architecture shown in FIG. 1,
  • and the server device may be the server device 110 of the network architecture shown in FIG. 1; the method may include the following steps:
  • Step 601: establish a first secure connection between the first client device and the second client device.
  • The APP of each IoT ecosystem has a pair of public and private keys for authentication and a pair of public and private keys for operation. After being authenticated by the unified authentication platform, the APP of each IoT ecosystem obtains the corresponding authentication certificate DAC.B.APP and/or certification declaration CD.B.APP. DAC.B.APP contains the public key used for authentication (i.e., the second public key referred to below). DAC.B.APP or CD.B.APP can be used to verify the legitimacy of the APP.
  • Step 602: the first client device sends a first verification request to the second client device, where the first verification request includes a first random value; correspondingly, the second client device receives the first verification request including the first random value.
  • Step 603: the second client device sends first verification information to the first client device, and correspondingly, the first client device receives the first verification information;
  • the first verification information includes the first root certificate of the second client device, the first operation certificate, the first authentication information, the second signature information and the third signature information;
  • the first operation certificate is issued by the first root certificate;
  • the first authentication information is issued by the unified authentication platform
  • after the second client device is authenticated, and the unified authentication platform is used to authenticate the first client device and the second client device;
  • the second signature information is obtained by signing the first root certificate, the first operation certificate and the unified authentication information
  • with the first private key of the second client device;
  • the third signature information is obtained by signing the first root cert certificate, the first operation certificate, the unified authentication information and the second signature information with the second private key of the second client device.
  • The above-mentioned first private key may be the private key used for operation in the second client device.
  • The above-mentioned second private key may be the private key of the root certificate of the second client device.
  • The first operation credential is issued through the second private key of the second client device.
  • The above-mentioned unified authentication platform is used to provide unified authentication for client devices in various IoT ecosystems, and to return authentication information to the corresponding client devices.
  • The unified authentication platform can provide one client device with a service for querying the validity of the authentication information of another client device.
  • Step 604: the first client device performs validity verification on the first authentication information.
  • The first client device may query the unified authentication platform about the first authentication information to obtain the validity verification result of the first authentication information.
  • The first client device may also verify the validity of the first authentication information in other ways. For example, the first client device queries the unified authentication platform for the authentication information of the second client device, receives the authentication information of the second client device returned by the unified authentication platform, and compares the returned authentication information with the above-mentioned first authentication information; if the two are consistent, the first authentication information is confirmed to have passed the validity check.
  • Step 605: after the first authentication information passes the validity check, the first client device verifies the fourth signature information through the second public key corresponding to the second private key; the second public key is carried in the first authentication information.
  • The first client device can obtain the second public key from the first authentication information, and use the second public key to verify the fourth signature information.
  • Step 606: after the fourth signature information passes verification, the first client device verifies the third signature information through the first public key corresponding to the first private key; the first public key is carried in the first operation certificate.
  • The first client device may obtain the first public key from the first operation certificate, and use the first public key to verify the third signature information.
  • Step 607: when the first verification information passes verification, the first client device triggers the server device to open the authority to the second client device through the configuration trigger information.
  • Step 608: the server device receives the configuration trigger information sent by the first client device, and opens the authority to the second client device according to the configuration trigger information.
  • FIG. 7 shows a schematic flowchart of a permission sharing process of a server device involved in an embodiment of the present application.
  • Assume that the ecosystem A APP is the administrator of Bulb;
  • the process of adding the ecosystem B APP as an administrator of Bulb is as follows:
  • The ecosystem B APP generates a QR code for pairing and announces its presence on the network.
  • The ecosystem A APP obtains the QR code information of the ecosystem B APP by scanning the code, searches for the ecosystem B APP on the network, and uses the information in the QR code to establish a secure connection.
  • The ecosystem A APP sends a verification request to the ecosystem B APP; the request carries a random value nonce.
  • The ecosystem A APP uses the public key in OC.B.APP to verify the signature Signature1, that is, the signature is verified with the APP public key in OC.B.APP.
  • The ecosystem A APP generates a configuration token OT.
  • The ecosystem A APP sends an "enable configuration" instruction to Bulb; the instruction carries the configuration token OT and the public key PuK.B.APP of the ecosystem B APP.
  • The ecosystem B APP decrypts the OT with its private key, and the two parties use the OT to establish a secure connection.
  • The ecosystem B APP sends CSR.bulb and the fabricID to the ecosystem B CA to request the device certificate. After the ecosystem B CA authenticates the request, the device certificate B.OC.bulb is generated and returned to the ecosystem B APP.
  • The ecosystem B APP configures the device certificate B.OC.bulb and the access control authority ACL.Bulb.B.APP1 in the Bulb.
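Steps 603 to 606 with the unified authentication platform (the DAC flow that FIG. 7 instantiates), as an added example that is not from the patent and not Oppo's code: the second client device signs the root certificate, the operation certificate and its authentication information with the operation (first) private key, then signs that data plus the resulting signature with the authentication (second) private key; the first client device first asks the platform whether the authentication information is one it issued (Step 604), then verifies the outer signature with the second public key carried in the authentication information (Step 605), and only then the inner signature with the first public key from the operation certificate (Step 606). Ed25519 for both key pairs, the platform modelled as a record of what it issued, the operation certificate reduced to the first public key it carries, the inclusion of the first random value from Step 602 in the signed data, and the identifiers `AuthInfo`, `VerificationInfo`, `Platform`, `NewPlatform`, `Issue`, `IsValid`, `Client`, `Respond` and `Verify` are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// AuthInfo is the first authentication information (DAC.B.APP) issued by the
// unified authentication platform: APP identity plus the second public key.
type AuthInfo struct {
	AppID   string
	AuthPub ed25519.PublicKey
}

// VerificationInfo is the first verification information of Step 603.
type VerificationInfo struct {
	RootCert []byte            // first root certificate, opaque bytes here
	OpPub    ed25519.PublicKey // first public key, from the operation certificate
	Auth     AuthInfo
	Sig2     []byte // second signature: first (operation) private key
	Sig3     []byte // third signature: second (authentication) private key
}

// encode length-prefixes each field so the signed byte string is unambiguous.
func encode(parts ...[]byte) []byte {
	var b bytes.Buffer
	for _, p := range parts {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(p)))
		b.Write(n[:])
		b.Write(p)
	}
	return b.Bytes()
}

// Platform models the unified authentication platform by recording what it issued.
type Platform struct{ issued map[string]ed25519.PublicKey }

func NewPlatform() *Platform { return &Platform{issued: map[string]ed25519.PublicKey{}} }

// Issue authenticates an APP and returns its authentication information.
func (p *Platform) Issue(appID string, authPub ed25519.PublicKey) AuthInfo {
	p.issued[appID] = authPub
	return AuthInfo{AppID: appID, AuthPub: authPub}
}

// IsValid is the validity query of Step 604: the record must match what was issued.
func (p *Platform) IsValid(a AuthInfo) bool {
	pub, ok := p.issued[a.AppID]
	return ok && pub.Equal(a.AuthPub)
}

// Client is the second client device: root certificate, operation key, authentication key, DAC.
type Client struct {
	RootCert []byte
	OpKey    ed25519.PrivateKey // first private key
	AuthKey  ed25519.PrivateKey // second private key
	Auth     AuthInfo
}

// signedData is what the second signature covers. Including the Step 602
// nonce is an assumption beyond the fields the page lists.
func signedData(nonce, rootCert []byte, opPub ed25519.PublicKey, a AuthInfo) []byte {
	return encode(nonce, rootCert, opPub, []byte(a.AppID), a.AuthPub)
}

// Respond is Step 603: sign with the operation key, then sign the same
// data plus that signature with the authentication key.
func (c *Client) Respond(nonce []byte) *VerificationInfo {
	opPub := c.OpKey.Public().(ed25519.PublicKey)
	data := signedData(nonce, c.RootCert, opPub, c.Auth)
	sig2 := ed25519.Sign(c.OpKey, data)
	sig3 := ed25519.Sign(c.AuthKey, encode(data, sig2))
	return &VerificationInfo{RootCert: c.RootCert, OpPub: opPub, Auth: c.Auth, Sig2: sig2, Sig3: sig3}
}

// Verify is the first client device's Steps 604-606 in that order: platform validity,
// outer signature under the DAC's public key, inner signature under the operation key.
func Verify(p *Platform, nonce []byte, v *VerificationInfo) error {
	if !p.IsValid(v.Auth) {
		return errors.New("authentication information not issued by the unified platform")
	}
	if len(v.OpPub) != ed25519.PublicKeySize {
		return errors.New("malformed first public key")
	}
	data := signedData(nonce, v.RootCert, v.OpPub, v.Auth)
	if !ed25519.Verify(v.Auth.AuthPub, encode(data, v.Sig2), v.Sig3) {
		return errors.New("third signature (authentication key) invalid")
	}
	if !ed25519.Verify(v.OpPub, data, v.Sig2) {
		return errors.New("second signature (operation key) invalid")
	}
	return nil
}
```

The order matters: the platform lookup rejects an APP that was never authenticated before any signature is examined, and checking the outer signature under the platform-issued public key before the inner one means a client that presents someone else's valid authentication information fails as soon as its own authentication key does not match it.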
  • To sum up, before the first client device shares its authority over the server device with the second client device, it first triggers the second client device to return verification information by means of the first random value, and then verifies that verification information to check the legitimacy of the second client device. Only after the second client device is verified as legitimate is the authority over the server device shared with it, which avoids sharing access control authority with illegitimate client devices and improves the security of access control authority sharing of the server device.
  • The above solution of the present application solves the problem that the legitimacy of the newly added controlling APP cannot be confirmed during the process of adding a second ecosystem's APP, by providing identity confirmation and legitimacy verification of that APP.
  • FIG. 8 shows a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application.
  • The apparatus has the function of implementing the above example of the permission configuration method in the Internet of Things; the function can be implemented by hardware, or by hardware executing corresponding software.
  • The apparatus may be the first client device described above, or may be set in the first client device.
  • The above-mentioned first client device has management authority over the server device.
  • The apparatus may include:
  • a first verification request sending module 801, configured to send a first verification request to the second client device, where the first verification request includes a first random value;
  • a first verification information receiving module 802, configured to receive first verification information sent by the second client device, where the first verification information is generated based on the first random value;
  • a first verification module 803, configured to verify the first verification information;
  • a configuration triggering module 804, configured to trigger the server device to open permissions to the second client device through configuration trigger information when the first verification information passes verification.
  • The first verification information includes at least one of first signature information, a first root certificate of the second client device, and a first operation certificate;
  • the first signature information is obtained by signing target data with the first private key of the second client device;
  • the target data includes the first random value;
  • the first operation credential is issued by the first root certificate.
  • The target data further includes at least one of the first root certificate and the first operation certificate.
  • The first verification module 803 is configured to, when the first verification information includes the first signature information, the first root certificate and the first operation certificate,
  • verify the first signature information according to the first operation certificate.
  • The first verification module 803 is configured to verify the first operation credential according to the second public key of the second client device carried in the first root certificate.
  • The first verification module 803 is configured to verify the first signature information according to the first public key of the second client device carried in the first operation credential.
  • The first verification module 803 is configured to:
  • The first verification information further includes a query address;
  • the first verification module 803 is configured to query the server corresponding to the query address about the first root certificate, and obtain the validity verification result of the first root certificate.
  • The first verification information includes a first root certificate of the second client device, a first operation credential, first authentication information, second signature information and third signature information;
  • the first operation certificate is issued through the first root certificate;
  • the first authentication information is issued after the second client device is authenticated by the unified authentication platform, and the unified authentication platform is used to authenticate
  • the first client device and the second client device;
  • the second signature information is obtained by signing the first root certificate, the first operation credential and the unified authentication information with the first private key of the second client device;
  • the third signature information is obtained by signing the first root certificate, the first operation certificate, the unified authentication information and the second signature information with the second private key of the second client device.
  • The first verification module 803 is configured to:
  • verify the third signature information using the second public key corresponding to the second private key, where the second public key is carried in
  • the first authentication information; and
  • verify the second signature information using the first public key corresponding to the first private key, where the first public key is carried in the first operation certificate.
  • The configuration triggering module 804 is configured to send first configuration trigger information to the second client device and second configuration trigger information to the server device;
  • the first configuration trigger information includes the configuration token;
  • the second configuration trigger information includes the configuration token and the first operation credential.
  • Alternatively, the configuration triggering module 804 is configured to send third configuration trigger information to the server device; the third configuration trigger information includes the configuration token and the first public key of the second client device.
  • The first client device and the second client device belong to different IoT ecosystems.
  • The apparatus further includes:
  • a scanning module, configured to scan the two-dimensional code displayed by the second client device to obtain connection establishment information of the second client device;
  • a first connection establishment module, configured to establish a first secure connection with the second client device according to the connection establishment information.
  • To sum up, before the first client device shares its authority over the server device with the second client device, it first triggers the second client device to return verification information by means of the first random value, and then verifies that verification information to check the legitimacy of the second client device. Only after the second client device is verified as legitimate is the authority over the server device shared with it, which avoids sharing access control authority with illegitimate client devices and improves the security of access control authority sharing of the server device.
  • FIG. 9 shows a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application.
  • The apparatus has the function of implementing the above example of the permission configuration method in the Internet of Things; the function can be implemented by hardware, or by hardware executing corresponding software.
  • The apparatus may be the second client device described above, or may be set in the second client device. As shown in FIG. 9, the apparatus may include:
  • a first random value receiving module 901, configured to receive a first verification request sent by a first client device, where the first verification request includes a first random value, and the first client device has management authority over the server device;
  • a first verification information sending module 902, configured to send first verification information to the first client device, so that after the first client device passes the verification of the first verification information, it triggers the server device, through configuration trigger information, to open permissions to the second client device; the first verification information is generated based on the first random value.
  • The first verification information includes at least one of first signature information, a first root certificate of the second client device, and a first operation certificate;
  • the first signature information is obtained by signing target data with the first private key of the second client device;
  • the target data includes the first random value;
  • the first operation credential is issued by the first root certificate.
  • The target data further includes at least one of the first root certificate and the first operation certificate.
  • The first verification information includes a first root certificate of the second client device, a first operation credential, first authentication information, second signature information and third signature information;
  • the first operation certificate is issued through the first root certificate;
  • the first authentication information is issued after the second client device is authenticated by the unified authentication platform, and the unified authentication platform is used to authenticate
  • the first client device and the second client device;
  • the second signature information is obtained by signing the first root certificate, the first operation credential and the unified authentication information with the first private key of the second client device;
  • the third signature information is obtained by signing the first root certificate, the first operation certificate, the unified authentication information and the second signature information with the second private key of the second client device.
  • the apparatus further includes:
  • a first configuration trigger information receiving module configured to receive first configuration trigger information sent by the first client device, where the first configuration trigger information includes a configuration token
  • a second connection establishment module configured to establish a second secure connection with the server device according to the configuration token
  • a second verification request receiving module configured to receive a second verification request including a second random value sent by the server device
  • a second verification information sending module configured to send second verification information to the server device, where the second verification information includes the first operation certificate and fourth signature information, the fourth signature information is obtained by signing the second random value with the first private key;
  • a certificate request receiving module configured to receive a device certificate request sent by the server device, where the device certificate request is sent after the server device passes the verification of the second verification information
  • a rights configuration module configured to perform rights configuration in the server device according to the device certificate request.
  • the apparatus further includes:
  • an encrypted token receiving module configured to receive the encrypted configuration token sent by the server device
  • a decryption module configured to decrypt the encrypted configuration token according to the first public key of the second client device to obtain the configuration token
  • a third connection establishment module configured to establish a third secure connection with the server device according to the configuration token
  • a certificate request receiving module configured to receive a device certificate request sent by the server device
  • a rights configuration module configured to perform rights configuration in the server device according to the device certificate request.
  • the permission configuration module is used to:
  • the access control authority information is configured in the access control list (ACL) of the server device, and the access control authority information includes an access control entry, the accessible data corresponding to the access control entry, the entities that have the right to access the data, and the manner in which access is authorized.
  • the first client device and the second client device respectively belong to different IoT ecosystems.
  • the apparatus further includes:
  • a two-dimensional code display module used for displaying a two-dimensional code, the two-dimensional code carries the connection establishment information of the second client device;
  • a first connection establishment module configured to establish a first secure connection with the first client device according to the connection establishment information.
  • before the first client device shares the authority over the server device with the second client device, it first triggers the second client device to return verification information by means of the first random value, and then verifies that verification information to verify the legitimacy of the second client device. Only after the second client device is verified to be legal is the authority over the server device shared with it, thereby avoiding the situation in which the access control authority is shared with an illegal client device and improving the security of access control authority sharing of the server device.
  • FIG. 10 shows a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application.
  • the device has the function of implementing the above example of the permission configuration method in the Internet of Things, and the function can be implemented by hardware, or by executing corresponding software in hardware.
  • the device can be the server device described above, or can be set in the server device.
  • the apparatus may include:
  • a configuration trigger information receiving module 1001 configured to receive configuration trigger information sent by a first client device; the configuration trigger information is sent after the first client device sends a first verification request containing a first random value to a second client device, receives the first verification information sent by the second client device, and passes the verification of the first verification information; the first verification information is generated based on the first random value;
  • the authority opening module 1002 is configured to open authority to the second client device according to the configuration trigger information.
  • the configuration trigger information is second configuration trigger information including a configuration token and the first operation credential
  • the permission opening module 1002 is used to:
  • a device certificate request is sent to the second client device, so that the second client device performs rights configuration in the server device according to the device certificate request.
  • the permission opening module 1002 is configured to verify the second signature information according to the first public key of the second client device carried in the first operation credential.
  • the configuration trigger information is third configuration trigger information including a configuration token and a first public key of the second client device;
  • the permission opening module 1002 is used to:
  • a device certificate request is sent to the second client device, so that the second client device performs rights configuration in the server device according to the device certificate request.
  • the apparatus further includes:
  • a certificate and information receiving module configured to receive a device certificate configured by the second client device, a first root certificate of the second client device, and access control authority information;
  • the access control authority information is configured in the access control list (ACL) of the server device, and the access control authority information includes an access control entry, the accessible data corresponding to the access control entry, the entities that have the right to access the data, and the manner in which access is authorized.
  • before the first client device shares the authority over the server device with the second client device, it first triggers the second client device to return verification information by means of the first random value, and then verifies that verification information to verify the legitimacy of the second client device. Only after the second client device is verified to be legal is the authority over the server device shared with it, thereby avoiding the situation in which the access control authority is shared with an illegal client device and improving the security of access control authority sharing of the server device.
  • when the apparatus provided in the above embodiment implements its functions, the division into the above functional modules is used only as an example for illustration. In practical applications, the above functions can be allocated to different functional modules according to actual needs, that is, the internal structure of the apparatus is divided into different functional modules to complete all or part of the functions described above.
  • FIG. 11 shows a schematic structural diagram of an IoT device 1100 provided by an embodiment of the present application.
  • the IoT device 1100 may include: a processor 1101 , a receiver 1102 , a transmitter 1103 , a memory 1104 and a bus 1105 .
  • the processor 1101 includes one or more processing cores, and the processor 1101 executes various functional applications and information processing by running software programs and modules.
  • the receiver 1102 and the transmitter 1103 may be implemented as a communication component, which may be a communication chip.
  • the communication chip may also be referred to as a transceiver.
  • the memory 1104 is connected to the processor 1101 through the bus 1105 .
  • the memory 1104 can be used to store a computer program, and the processor 1101 is used to execute the computer program, so as to implement various steps performed by the terminal in the above method embodiments.
  • the memory 1104 may be implemented by any type of volatile or non-volatile storage device, or a combination thereof, including but not limited to a magnetic or optical disk, electrically erasable programmable read-only memory, erasable programmable read-only memory, static random access memory, read-only memory, magnetic memory, flash memory, or programmable read-only memory.
  • the IoT device includes a processor, a memory, and a transceiver (the transceiver may include a receiver and a transmitter, the receiver for receiving information and the transmitter for transmitting information);
  • when the IoT device is implemented as the first client device:
  • the transceiver is configured to send a first verification request to the second client device, where the first verification request includes a first random value;
  • the transceiver is configured to receive first verification information sent by the second client device; the first verification information is generated based on the first random value;
  • the processor is configured to verify the first verification information;
  • the transceiver is configured to trigger, through configuration trigger information, the server device to open permissions to the second client device when the first verification information passes the verification.
  • when the IoT device is implemented as the second client device:
  • the transceiver is configured to receive a first verification request including a first random value sent by a first client device; the first client device has the management authority of the server device;
  • the transceiver is configured to send the first verification information to the first client device, so that after the first client device passes the verification of the first verification information, it triggers, through configuration trigger information, the server device to open permissions to the second client device; the first verification information is generated based on the first random value.
  • the IoT device involved in this embodiment of the present application can perform all or some of the steps performed by the second client device in the permission configuration method in the IoT shown in FIG. 2 , FIG. 3 or FIG. 6 above, which will not be repeated here.
  • when the IoT device is implemented as the server device:
  • the transceiver is configured to receive configuration trigger information sent by a first client device; the configuration trigger information is sent after the first client device sends a first verification request including a first random value to a second client device, receives the first verification information sent by the second client device, and passes the verification of the first verification information; the first verification information is generated based on the first random value;
  • the processor is configured to open permissions to the second client device according to the configuration trigger information.
  • when the IoT device involved in the embodiment of the present application is implemented as the server device, it may perform all or part of the steps performed by the server device in the permission configuration method in the IoT shown in FIG. 2 , FIG. 3 or FIG. 6 , which will not be repeated here.
  • Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to implement all or part of the steps performed by the first client device, the second client device or the server device in the permission configuration method in the Internet of Things shown in FIG. 2 , FIG. 3 or FIG. 6 above.
  • the present application also provides a chip, which is used to run in an Internet of Things device, so that the Internet of Things device executes all or part of the steps performed by the first client device, the second client device or the server device in the above permission configuration method in the Internet of Things.
  • the present application also provides a computer program product, the computer program product comprising computer instructions stored in a computer-readable storage medium.
  • the processor of the Internet of Things device reads the computer instructions from the computer-readable storage medium and executes them, so that the Internet of Things device executes all or part of the steps performed by the first client device, the second client device or the server device in the above permission configuration method in the Internet of Things.
  • the present application also provides a computer program, which is executed by the processor of the Internet of Things device to implement all or part of the steps performed by the first client device, the second client device or the server device in the above permission configuration method in the Internet of Things.
  • Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
  • a storage medium can be any available medium that can be accessed by a general purpose or special purpose computer.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present application belongs to the technical field of Internet of Things. Disclosed are a permission configuration method and apparatus in the Internet of Things, a device, and a storage medium. Said method is executed by a first client device, and the first client device has a management permission for a server device. Said method comprises: sending to a second client device a first verification request comprising a first random value; receiving first verification information sent by the second client device, wherein the first verification information is generated on the basis of the first random value; verifying the first verification information; and when the first verification information passes the verification, triggering, by means of configuration triggering information, the server device to open a permission to the second client device. This solution can avoid a situation in which an access control permission for a server device is shared with an invalid client device, improving the security of access control permission sharing of the server device.

Description

Permission configuration method, apparatus, device and storage medium in the Internet of Things
Technical Field
The present application relates to the technical field of the Internet of Things, and in particular to a permission configuration method, apparatus, device and storage medium in the Internet of Things.
Background
In the Internet of Things (IoT), a user can remotely control the functional operation of a server device through a client device.
In the related art, the administrator of a server device can share the access control authority of the server device with other users. The process of sharing the access control authority of the server device is as follows: the client device of the administrator of the server device generates an activation token and provides the activation token to the server device and to the client device of the sharee respectively; after the sharee's client device and the server device perform verification through the activation token and establish a secure connection, the access control authority of the sharee's client device over the server device is configured.
However, in the related art, if the activation token is sent to an illegal client device, the server device will be controlled by the illegal client device, which affects the security of access control authority sharing of the server device.
Summary of the Invention
Embodiments of the present application provide a permission configuration method, apparatus, device and storage medium in the Internet of Things. The technical solution is as follows:
In one aspect, an embodiment of the present application provides a permission configuration method in the Internet of Things, the method being executed by a first client device, and the first client device having the management authority of a server device; the method includes:
sending a first verification request to a second client device, where the first verification request includes a first random value;
receiving first verification information sent by the second client device, where the first verification information is generated based on the first random value;
verifying the first verification information;
when the first verification information passes the verification, triggering, through configuration trigger information, the server device to open permissions to the second client device.
In one aspect, an embodiment of the present application provides a permission configuration method in the Internet of Things, the method being executed by a second client device; the method includes:
receiving a first verification request sent by a first client device, where the first verification request includes a first random value, and the first client device has the management authority of a server device;
sending first verification information to the first client device, so that after the first client device passes the verification of the first verification information, it triggers, through configuration trigger information, the server device to open permissions to the second client device; the first verification information is generated based on the first random value.
In one aspect, an embodiment of the present application provides a permission configuration method in the Internet of Things, the method being executed by a server device; the method includes:
receiving configuration trigger information sent by a first client device; the configuration trigger information is sent after the first client device sends a first verification request containing a first random value to a second client device, receives the first verification information sent by the second client device, and passes the verification of the first verification information; the first verification information is generated based on the first random value;
opening permissions to the second client device according to the configuration trigger information.
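The three method aspects above, together with the apparatus modules listed earlier (configuration token, second verification request with a second random value, fourth signature, device certificate request, ACL configuration), describe one challenge-response flow. The following is an added runnable model of that flow; it is not the patent's or the applicant's code. It assumes a toy RSA stand-in for the devices' key pairs, certificates as dicts, a trusted-root list held by the first client, and direct calls in place of the secure connections; the names Client, Server, share_permission, Bob, Mallory and Eve are constructed here.

```python
import hashlib
import json
import secrets

# Toy schoolbook RSA over SHA-256, a stand-in for the devices' real key pairs
# (assumption of this example; demo-sized Mersenne primes, not secure).
def make_keypair(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def _h(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    return pow(_h(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _h(data, pub["n"])

def canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()

def issue_cert(issuer_priv, subject: str, pub) -> dict:
    # "operation certificate": subject and public key, signed by the ecosystem root
    body = {"subject": subject, "pub": pub}
    return {"body": body, "sig": sign(issuer_priv, canonical(body))}

class Client:  # second client device
    def __init__(self, name, priv, op_cert, root_cert):
        self.name, self.priv, self.op_cert, self.root_cert = name, priv, op_cert, root_cert
        self.token = None  # configuration token handed over by the first client

    def answer_challenge(self, nonce: bytes) -> dict:
        # "verification information": root cert, operation cert, signature over the nonce
        return {"root_cert": self.root_cert, "op_cert": self.op_cert, "sig": sign(self.priv, nonce)}

    def acl_entries(self, server_name: str) -> list:
        # rights configured once the server sends its device certificate request
        return [{"resource": f"{server_name}/light", "permissions": ["GET", "POST"]}]

class Server:  # server device
    def __init__(self, name):
        self.name, self.acl, self.pending = name, [], {}

    def receive_config_trigger(self, token: str, op_cert: dict):
        self.pending[token] = op_cert  # second configuration trigger information

    def open_permission(self, client: Client) -> bool:
        op_cert = self.pending.pop(client.token, None)  # token match = secure connection
        if op_cert is None:
            return False
        nonce2 = secrets.token_bytes(16)  # second verification request
        reply = client.answer_challenge(nonce2)  # operation cert + "fourth signature"
        if reply["op_cert"] != op_cert or not verify(op_cert["body"]["pub"], nonce2, reply["sig"]):
            return False
        subject = op_cert["body"]["subject"]  # device certificate request -> ACL entries
        self.acl += [{"subject": subject, **e} for e in client.acl_entries(self.name)]
        return True

    def is_allowed(self, subject: str, resource: str, method: str) -> bool:
        return any(a["subject"] == subject and a["resource"] == resource
                   and method in a["permissions"] for a in self.acl)

def verify_first_info(info: dict, nonce: bytes, trusted_roots: list) -> bool:
    # First client's check: trusted root, root-signed operation cert, fresh nonce signature
    root_pub, op = info["root_cert"]["body"]["pub"], info["op_cert"]
    return (root_pub in trusted_roots and verify(root_pub, canonical(op["body"]), op["sig"])
            and verify(op["body"]["pub"], nonce, info["sig"]))

def share_permission(trusted_roots: list, second: Client, server: Server) -> bool:
    # First client (holder of the server's management right) drives the flow
    nonce1 = secrets.token_bytes(16)  # first verification request
    info = second.answer_challenge(nonce1)  # first verification information
    if not verify_first_info(info, nonce1, trusted_roots):
        return False  # illegal client: no configuration token is ever issued
    token = secrets.token_hex(16)
    second.token = token  # first configuration trigger information (to the second client)
    server.receive_config_trigger(token, info["op_cert"])  # second one (to the server)
    return True

# Constructed demo world: ecosystem B root, honest client Bob, two impostors.
ROOT_PUB, ROOT_PRIV = make_keypair(2**61 - 1, 2**31 - 1)
ROOT_CERT = issue_cert(ROOT_PRIV, "ecosystem-B-root", ROOT_PUB)
BOB_PUB, BOB_PRIV = make_keypair(2**89 - 1, 2**127 - 1)
EVE_PUB, EVE_PRIV = make_keypair(2**107 - 1, 2**521 - 1)

def run_demo() -> dict:
    server, trusted = Server("bulb"), [ROOT_PUB]
    bob = Client("bob", BOB_PRIV, issue_cert(ROOT_PRIV, "bob", BOB_PUB), ROOT_CERT)
    # Mallory replays Bob's certificates but does not hold Bob's private key
    mallory = Client("mallory", EVE_PRIV, bob.op_cert, ROOT_CERT)
    # Eve brings a self-issued cert from a root the first client does not trust
    eve = Client("eve", EVE_PRIV, issue_cert(EVE_PRIV, "eve", EVE_PUB),
                 issue_cert(EVE_PRIV, "rogue-root", EVE_PUB))
    return {
        "bob_shared": share_permission(trusted, bob, server),
        "bob_opened": server.open_permission(bob),
        "bob_get": server.is_allowed("bob", "bulb/light", "GET"),
        "bob_delete": server.is_allowed("bob", "bulb/light", "DELETE"),
        "mallory_shared": share_permission(trusted, mallory, server),
        "eve_shared": share_permission(trusted, eve, server),
        "acl_size": len(server.acl),
    }
```

Only the client that proves possession of the private key behind a root-signed operation certificate ever receives a configuration token, and the server repeats its own nonce challenge before writing any ACL entry.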
In another aspect, an embodiment of the present application provides a permission configuration apparatus in the Internet of Things, the apparatus being used in a first client device, and the first client device having the management authority of a server device; the apparatus includes:
a first verification request sending module, configured to send a first verification request to a second client device, where the first verification request includes a first random value;
a first verification information receiving module, configured to receive first verification information sent by the second client device, where the first verification information is generated based on the first random value;
a first verification module, configured to verify the first verification information;
a configuration triggering module, configured to trigger, through configuration trigger information, the server device to open permissions to the second client device when the first verification information passes the verification.
In another aspect, an embodiment of the present application provides a permission configuration apparatus in the Internet of Things, the apparatus being used in a second client device; the apparatus includes:
a first verification request receiving module, configured to receive a first verification request sent by a first client device, where the first verification request includes a first random value, and the first client device has the management authority of a server device;
a first verification information sending module, configured to send first verification information to the first client device, so that after the first client device passes the verification of the first verification information, it triggers, through configuration trigger information, the server device to open permissions to the second client device; the first verification information is generated based on the first random value.
In another aspect, an embodiment of the present application provides a permission configuration apparatus in the Internet of Things, the apparatus being used in a server device; the apparatus includes:
a configuration trigger information receiving module, configured to receive configuration trigger information sent by a first client device; the configuration trigger information is sent after the first client device sends a first verification request containing a first random value to a second client device, receives the first verification information sent by the second client device, and passes the verification of the first verification information; the first verification information is generated based on the first random value;
a permission opening module, configured to open permissions to the second client device according to the configuration trigger information.
In yet another aspect, an embodiment of the present application provides an IoT device, the IoT device including a processor, a memory and a transceiver, where the memory stores a computer program and the computer program is configured to be executed by the processor to implement the above permission configuration method in the Internet of Things.
In yet another aspect, an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to implement the above permission configuration method in the Internet of Things.
In yet another aspect, the present application also provides a chip, which is used to run in an IoT device so that the IoT device executes the above permission configuration method in the Internet of Things.
In yet another aspect, the present application provides a computer program product comprising computer instructions stored in a computer-readable storage medium. The processor of the IoT device reads the computer instructions from the computer-readable storage medium and executes them, so that the IoT device executes the above permission configuration method in the Internet of Things.
In yet another aspect, the present application provides a computer program, which is executed by the processor of an IoT device to implement the above permission configuration method in the Internet of Things.
The technical solutions provided in the embodiments of the present application can bring the following beneficial effects:
Before the first client device shares the authority over the server device with the second client device, it first triggers the second client device to return verification information by means of the first random value, and then verifies that verification information to verify the legitimacy of the second client device. Only after the second client device is verified to be legal is the authority over the server device shared with it, thereby avoiding the situation in which the access control authority of the server device is shared with an illegal client device and improving the security of access control authority sharing of the server device.
Brief Description of the Drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a schematic diagram of a network architecture of the Internet of Things provided by an embodiment of the present application;
FIG. 2 is a flowchart of a permission configuration method in the Internet of Things provided by an embodiment of the present application;
FIG. 3 is a flowchart of a permission configuration method in the Internet of Things provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of the permission sharing flow of the server device involved in the embodiment shown in FIG. 3;
FIG. 5 is a schematic diagram of the permission sharing flow of the server device involved in the embodiment shown in FIG. 3;
FIG. 6 is a flowchart of a permission configuration method in the Internet of Things provided by an embodiment of the present application;
FIG. 7 is a schematic diagram of the permission sharing flow of the server device involved in the embodiment shown in FIG. 6;
FIG. 8 is a block diagram of a permission configuration apparatus in the Internet of Things provided by an embodiment of the present application;
FIG. 9 is a block diagram of a permission configuration apparatus in the Internet of Things provided by an embodiment of the present application;
FIG. 10 is a block diagram of a permission configuration apparatus in the Internet of Things provided by an embodiment of the present application;
FIG. 11 is a schematic structural diagram of an Internet of Things device provided by an embodiment of the present application.
Detailed Description
In order to make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
The network architecture and service scenarios described in the embodiments of the present application are intended to explain the technical solutions of the embodiments more clearly and do not constitute a limitation on the technical solutions provided in the embodiments; those of ordinary skill in the art will know that, as the network architecture evolves and new service scenarios emerge, the technical solutions provided in the embodiments of the present application are equally applicable to similar technical problems.
Please refer to FIG. 1, which shows a schematic diagram of a network architecture of the Internet of Things provided by an embodiment of the present application. The network architecture of the Internet of Things may include a server device 110 and at least two client devices 120; optionally, the network architecture may further include a gateway device 130, a cloud server 140, and the like.
The server device 110 may be a device for providing Internet of Things functional services.
For example, the server device 110 may be a smart home device, such as a smart lamp, a smart TV, a smart air conditioner, a smart refrigerator, a smart microwave oven, a smart rice cooker, a cleaning robot, and the like.
Alternatively, the server device 110 may be an industrial production device, such as a lathe, an industrial robot, a solar panel, a wind turbine, and the like.
Alternatively, the server device 110 may be a commercial service device, such as a vending machine and the like.
Alternatively, the server device 110 may be an intelligent monitoring device, such as a surveillance camera, an infrared sensor, a sound sensor, a temperature sensor, and the like.
In one possible implementation, the client device 120 is a terminal device on the user side. For example, the client device may be a smartphone, a tablet computer, a smart watch, and the like; or the client device may be a personal computer, such as a desktop computer, a laptop computer, a personal workstation, and the like.
In another possible implementation, the client device 120 is a client entity (which may be a virtual entity) running on a terminal device; for example, the client device 120 may be an application (APP) running in the terminal device and used to access, control and manage the server device.
Among the at least two client devices 120, at least one client device 120 has the management authority of the server device 110.
The gateway device 130 is a network device that implements network interconnection above the network layer, also called an inter-network connector, a protocol converter, and the like. The gateway device 130 provides network connection services for the server device 110.
The gateway device 130 may be a dedicated gateway, such as a home gateway, or the gateway device 130 may be an access device with a gateway function, such as a router with a gateway function.
The cloud server 140 is a server deployed on the network side.
In the embodiments of the present application, the above server device 110, client device 120, gateway device 130 and cloud server 140 may be IoT devices that meet industry specifications, for example, IoT devices that meet the Open Connectivity Foundation (OCF) specification.
The server device 110 and the gateway device 130 are connected through a wired or wireless network, and the cloud server 140 is connected to the gateway device 130 and to the client device 120 respectively through a wired or wireless network.
Optionally, the above wired or wireless network uses standard communication technologies and/or protocols. For example, the above wired or wireless network may be a communication network based on an IoT protocol.
在物联网中,不同的客户端设备可能处于不同的互联网生态环境(Ecosystem)。例如,以智能家居场景的物联网为例,智能家居的生态环境是指具有相同的信任中心,能够互联互通的设备集合;比如厂商A的互联网生态环境中的设备通过厂商A的平台发放证书,设备间的证书可以互通,以进行设备控制;厂商A的互联网生态环境中的设备通过厂商A的平台发放证书。但具有厂商A的平台的证书的设备,与具有厂商B的平台的证书的设备,即使连接到同一个局域网中也不能互通,即两者属于不同的互联网生态环境。In the Internet of Things, different client devices may be in different Internet Ecosystems. For example, taking the Internet of Things in a smart home scenario as an example, the ecological environment of a smart home refers to a collection of devices that have the same trust center and can communicate with each other; Certificates between devices can be exchanged for device control; devices in manufacturer A's Internet ecological environment issue certificates through manufacturer A's platform. However, the device with the certificate of the platform of manufacturer A and the device with the certificate of the platform of manufacturer B cannot communicate with each other even if they are connected to the same local area network, that is, the two belong to different Internet ecological environments.
Taking as an example the sharing of access control rights to a server device between two client devices that belong to different Internet ecosystems, the process may be as follows:
S1. User Alice triggers the configuration mode of a lamp device (Bulb).
S2. The APP installed on Alice's smartphone, i.e. the ecosystem A APP, generates an activation token (Onboarding Token, OT).
S3. The ecosystem A APP sends Bulb an instruction to enable configuration; the instruction carries the activation token OT.
S4. After receiving the instruction, Bulb enters the configuration discovery mode.
S5. The ecosystem A APP shares the OT with the application installed on Bob's smartphone, i.e. the ecosystem B APP, through an out-of-band channel such as e-mail or voice.
S6. The ecosystem B APP discovers Bulb, uses the OT to establish a secure connection, and authenticates Bulb's Certification Declaration (CD).
S7. If ecosystem B has not previously been used in the home network, the ecosystem B APP creates a fabric identifier (fabricID) for the home network.
S8. Bulb sends a Certificate Signing Request (CSR) to the ecosystem B APP, denoted CSR.bulb.
S9. The ecosystem B APP sends CSR.bulb and the fabricID to ecosystem B's Certificate Authority (CA) to request a device certificate.
S10. After authentication, the ecosystem B CA generates the device certificate B.OC.bulb and returns it to the ecosystem B APP. The device certificate is also called the device Operational Credential (OC).
S11. The ecosystem B APP configures the device certificate B.OC.bulb and the access control right ACL.Bulb.B.APP1 into Bulb, that is, it adds ACL.Bulb.B.APP1 to Bulb's Access Control List (ACL).
In the above scheme, the ecosystem A APP shares the OT with the ecosystem B APP through an out-of-band mechanism, but there is no guarantee that the ecosystem B APP has a legitimate identity, so an illegitimate controlling device may be introduced. In addition, the scheme cannot guarantee that the ecosystem B APP uses the OT to configure the controlled device rather than forwarding the OT to an ecosystem C APP, and the OT may also leak if the ecosystem B APP does not configure the device in time.
Please refer to FIG. 2, which shows a flowchart of a permission configuration method in the Internet of Things provided by an embodiment of this application. The method may be executed through interaction among a first client device, a second client device and a server device; for example, the first client device and the second client device may be client devices 120 of the network architecture shown in FIG. 1, and the server device may be the server device 110 of that architecture. The method may include the following steps:
Step 201: The first client device sends a first verification request to the second client device, the first verification request containing a first random value; correspondingly, the second client device receives the first random value.
In one possible implementation, the first client device may be a client device that has management authority over the server device.
Step 202: The second client device sends first verification information to the first client device, the first verification information being generated based on the first random value.
Step 203: The first client device verifies the first verification information.
Step 204: When the first verification information passes verification, the first client device triggers the server device, by means of configuration trigger information, to open permissions to the second client device.
Step 205: The server device receives the configuration trigger information sent by the first client device and, according to the configuration trigger information, opens permissions to the second client device.
To sum up, in the embodiments of this application, before the first client device shares permissions on the server device with the second client device, it first uses a first random value to make the second client device return verification information, and then verifies that information to establish the legitimacy of the second client device. Only after the second client device has been verified as legitimate are the permissions on the server device shared with it. This avoids sharing the access control rights of the server device with an illegitimate client device and improves the security of sharing those rights.
In the solution disclosed in the embodiment shown in FIG. 2, the first client device may be provided with a channel for verifying the legitimacy of the root certificate of the second client device.
Please refer to FIG. 3, which shows a flowchart of a permission configuration method in the Internet of Things provided by an embodiment of this application. The method may be executed through interaction among a first client device, a second client device and a server device; for example, the first client device and the second client device may be client devices 120 of the network architecture shown in FIG. 1, and the server device may be the server device 110 of that architecture. The method may include the following steps:
Step 301: A first secure connection is established between the first client device and the second client device.
In the embodiments of this application, before the first client device shares the access control rights of the server device with the second client device, it may first establish a secure connection with the second client device.
In one possible implementation, a direct secure connection may be established between the first client device and the second client device.
For example, the second client device may display a QR code that carries the connection establishment information of the second client device; the first client device scans the QR code displayed by the second client device to obtain that connection establishment information; the first client device and the second client device then establish the first secure connection between them according to the connection establishment information.
In one possible implementation, the secure connection between the first client device and the second client device may be established through a cloud server, for example through the server of an instant messaging platform.
Alternatively, in another possible implementation, the secure connection between the first client device and the second client device may be established through a local area network device, for example through a routing device in the local area network.
In one possible implementation, the first client device and the second client device belong to different IoT ecosystems. Alternatively, the first client device and the second client device belong to the same IoT ecosystem.
Step 302: The first client device sends a first verification request to the second client device, the first verification request containing a first random value; correspondingly, the second client device receives the first verification request containing the first random value.
In one possible implementation, the first client device may be a client device that has management authority over the server device.
In the embodiments of this application, the first client device may send the first verification request containing the first random value to the second client device over the first secure connection between the two devices.
Step 303: The second client device sends first verification information to the first client device; correspondingly, the first client device receives the first verification information. The first verification information includes at least one of first signature information, a first root certificate of the second client device, and a first operational credential. The first signature information is obtained by signing target data with a first private key of the second client device; the target data includes the first random value; the first operational credential is issued under the first root certificate.
In one possible implementation, the target data further includes at least one of the first root certificate and the first operational credential.
In the embodiments of this application, the first client device may sign the first random value (optionally together with the first root certificate and/or the first operational credential) with the first private key to obtain the first signature information.
In one possible implementation, the first private key may be the private key used for operation in the second client device.
In one possible implementation, the first operational credential is issued with a second private key of the second client device, where the second private key may be the private key of the root certificate of the second client device.
In the embodiments of this application, the second client device is provisioned with a first private key and a first public key used for operation; in addition, the root certificate of the second client device corresponds to a further key pair, namely the second private key and the second public key.
On receiving the first verification request containing the first random value from the first client device, the second client device may sign the target data with the first private key. For example, the second client device may hash the first random value to obtain its hash value, and then encrypt that hash value with the first private key to obtain the first signature information.
In one possible implementation, the first operational credential may be issued, based on the root certificate, by the cloud platform (for example a certificate authority) corresponding to the second client device. For example, when the APP on the second client device is opened for the first time, it may apply to the corresponding cloud platform for an APP certificate (the first operational credential), and the cloud platform issues the APP certificate for the second client device under the root certificate.
Taking the case in which the first verification information includes the first signature information, the first root certificate and the first operational credential as an example, the process of verifying the first verification information is described in steps 304 to 306 below.
Step 304: The first client device performs a legitimacy query on the first root certificate and obtains a legitimacy authentication result for the first root certificate.
In one possible implementation, the root certificates of all IoT ecosystems are stored in a common blockchain (ledger). Alternatively, the root certificates of all IoT ecosystems are stored on a common server that takes security measures so that the stored root certificates can only be queried and cannot be tampered with; or the root certificates of each IoT ecosystem are stored on that ecosystem's own server, which likewise ensures that the stored root certificates can only be queried and cannot be tampered with. Another option is that the APP on each client device stores the root certificates of all IoT ecosystems and keeps the stored root certificates secure against tampering.
In one possible implementation, performing a legitimacy query on the first root certificate and obtaining its legitimacy authentication result may include:
1) Querying the blockchain for the first root certificate and obtaining the legitimacy authentication result of the first root certificate.
In the embodiments of this application, when the root certificates of all IoT ecosystems are stored centrally on a blockchain, the first client device may query the blockchain for the first root certificate to obtain its legitimacy authentication result.
For example, the first client device may send the first root certificate to the blockchain, and the blockchain returns the legitimacy authentication result of the first root certificate.
2) Querying the server at a preset address for the first root certificate and obtaining the legitimacy authentication result of the first root certificate.
In the embodiments of this application, when the root certificates of all IoT ecosystems are stored centrally on a server, the first client device stores the preset address of that server and may, according to the preset address, query the server for the first root certificate and obtain its legitimacy authentication result.
3) Querying the server at a query address for the first root certificate and obtaining the legitimacy authentication result of the first root certificate, where the first verification information further contains the query address.
In the embodiments of this application, when the root certificates of the IoT ecosystems are stored on separate servers, the first verification information returned by the second client device also carries the query address of the root certificate server of the IoT ecosystem to which the second client device belongs; the first client device may query that server for the first root certificate according to the query address carried in the first verification information and obtain the legitimacy authentication result.
4) Querying the first root certificate within the first client device and obtaining the legitimacy authentication result of the first root certificate.
In the embodiments of this application, if the APP on each client device stores the root certificates of all IoT ecosystems, the first client device may look up the first root certificate locally to obtain its legitimacy authentication result; for example, the first client device checks whether the first root certificate is already stored locally and, if so, confirms that the first root certificate is legitimate, otherwise confirms that it is not.
Step 305: When the legitimacy authentication result indicates that the first root certificate is legitimate, the first client device verifies the first operational credential according to the first root certificate.
In one possible implementation, verifying the first operational credential according to the first root certificate may include:
verifying the first operational credential according to the second public key of the second client device carried in the first root certificate.
In the embodiments of this application, the first root certificate may contain the public key of the root certificate of the second client device (the second public key); after confirming that the first root certificate is legitimate, the first client device may obtain the second public key from the first root certificate and use it to verify the first operational credential.
For example, the first client device may decrypt the signature in the APP certificate (the first operational credential) with the second public key to obtain the hash value of the APP certificate; separately, it hashes the APP certificate with the signature removed using the same hash algorithm to obtain a hash value; it then compares the two hash values and, if they are the same, determines that the first operational credential passes verification, otherwise that the first operational credential fails verification.
Step 306: When the first operational credential passes verification, the first client device verifies the first signature information according to the first operational credential.
In one possible implementation, verifying the first signature information according to the first operational credential includes:
verifying the first signature information according to the first public key of the second client device carried in the first operational credential.
In the embodiments of this application, the APP certificate carries the first public key (also called the APP public key) corresponding to the first private key; after confirming that the APP certificate has passed verification, the first client device may obtain the first public key from the APP certificate and use it to verify the first signature information.
For example, the first client device decrypts the first signature information (signature) with the APP public key to obtain the hash value of the first random value; separately, it hashes the first random value with the same hash algorithm to obtain a hash value; it then compares the two hash values and, if they are the same, determines that the first signature information passes verification, otherwise that the first signature information fails verification.
In the embodiments of this application, when the first signature information passes verification in step 306, the first verification information may be considered to have passed verification.
Steps 304 to 306 above are described taking as an example the case in which, after the first root certificate passes legitimacy authentication, the first operational credential and then the first signature information are verified in turn.
Optionally, after the first root certificate passes legitimacy authentication, the first client device may also verify only the first operational credential or only the first signature information. For example, the first client device may verify the first operational credential according to the first root certificate after the first root certificate passes legitimacy authentication, or verify the first operational credential directly according to the first root certificate, and if the first operational credential passes verification the first verification information is considered to have passed verification; alternatively, the first client device may verify the first signature information according to the first operational credential, either after the first root certificate passes legitimacy authentication or directly, and if the first signature information passes verification the first verification information may be considered to have passed verification.
Optionally, the first client device verifies both the first operational credential and the first signature information, either after the first root certificate passes legitimacy authentication or directly, and determines from both verification results whether the first verification information passes verification. For example, the first client device may verify the first operational credential according to the first root certificate and, at the same time, verify the first signature information according to the first operational credential; if the first operational credential passes verification and the first signature information passes verification, the first verification information is considered to have passed verification.
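As an added illustration (not code from the patent application), the following Go program models steps 302 to 306 with a constructed ecosystem: a self-signed root certificate standing for the first root certificate, an operational credential signed with the root key (the second private key), and first signature information over the first random value together with both certificates. ECDSA P-256 with SHA-256, the byte layout of the target data, and a local root store (variant 4 of step 304) are assumptions; the description's "decrypt the signature with the public key" wording corresponds here to a standard signature verification.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Ecosystem models what the second client device (the ecosystem B APP) holds; constructed for this example.
type Ecosystem struct {
	RootCert *x509.Certificate // first root certificate, carries the second public key
	OpCert   *x509.Certificate // first operational credential (APP certificate), carries the first public key
	OpKey    *ecdsa.PrivateKey // first private key, used for operation
}

// VerificationInfo is the first verification information of step 303.
type VerificationInfo struct {
	RootCert, OpCert *x509.Certificate
	Signature        []byte // first signature information over the target data
}

// issue signs tmpl with key on behalf of parent and parses the result (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewEcosystem builds a toy ecosystem: a self-signed root plus an operational credential signed by the root key.
func NewEcosystem(name string) (*Ecosystem, error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // second private key (root)
	opKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)   // first private key (APP)
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name + " ecosystem root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	op, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name + " APP"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}, root, &opKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &Ecosystem{RootCert: root, OpCert: op, OpKey: opKey}, nil
}

// targetDigest hashes the target data of step 303: first random value, then root certificate, then credential.
func targetDigest(nonce, rootDER, opDER []byte) []byte {
	d := sha256.Sum256(bytes.Join([][]byte{nonce, rootDER, opDER}, nil))
	return d[:]
}

// Respond is the second client device's side of step 303: sign the target data with the first private key.
func (e *Ecosystem) Respond(nonce []byte) (*VerificationInfo, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, e.OpKey, targetDigest(nonce, e.RootCert.Raw, e.OpCert.Raw))
	return &VerificationInfo{RootCert: e.RootCert, OpCert: e.OpCert, Signature: sig}, err
}

// Verify is the first client device's side, steps 304 to 306. trustedRoots is its local root store
// (variant 4 of step 304), keyed by the DER bytes of each known ecosystem root certificate.
func Verify(nonce []byte, info *VerificationInfo, trustedRoots map[string]bool) error {
	// Step 304: the first root certificate is legitimate only if it is one of the stored ecosystem roots.
	if !trustedRoots[string(info.RootCert.Raw)] {
		return fmt.Errorf("step 304: first root certificate is not a known ecosystem root")
	}
	// Step 305: check the credential's signature with the second public key carried in the root certificate.
	if err := info.OpCert.CheckSignatureFrom(info.RootCert); err != nil {
		return fmt.Errorf("step 305: operational credential rejected: %w", err)
	}
	// Step 306: verify the signature with the first public key carried in the operational credential.
	pub, ok := info.OpCert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, targetDigest(nonce, info.RootCert.Raw, info.OpCert.Raw), info.Signature) {
		return fmt.Errorf("step 306: first signature information does not verify")
	}
	return nil
}

func main() {
	eco, _ := NewEcosystem("B")
	nonce := make([]byte, 32) // first random value, chosen by the first client device
	rand.Read(nonce)
	info, _ := eco.Respond(nonce)
	fmt.Println("known root:  ", Verify(nonce, info, map[string]bool{string(eco.RootCert.Raw): true}))
	fmt.Println("unknown root:", Verify(nonce, info, map[string]bool{}))
}
```

Because the first random value is part of the signed data, a captured response cannot be replayed against a later verification request, and a credential chained to a root absent from the store fails at step 304 before any signature is checked.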
Step 307: When the first verification information passes verification, the first client device triggers the server device, by means of configuration trigger information, to open permissions to the second client device.
In the embodiments of this application, when the first verification information passes verification, the first client device may use configuration trigger information to trigger a configuration interaction between the server device and the second client device, so that the server device opens permissions to the second client device.
Step 308: The server device receives the configuration trigger information sent by the first client device and, according to the configuration trigger information, opens permissions to the second client device.
In one possible implementation, when sending configuration trigger information, the first client device may send first configuration trigger information to the second client device and second configuration trigger information to the server device, where the first configuration trigger information contains the activation token and the second configuration trigger information contains the activation token and the first operational credential.
In the embodiments of this application, the first client device may generate an activation token OT and, based on the activation token OT, send configuration trigger information to the server device and to the second client device respectively, so as to trigger the process by which the server device opens permissions to the second client device. In one possible implementation, the process may be as follows:
S308a1: The second client device receives the first configuration trigger information sent by the first client device.
S308a2: The server device receives the second configuration trigger information sent by the first client device.
S308a3: The second client device and the server device establish a second secure connection between them according to the activation token.
S308a4: The server device sends a second verification request containing a second random value to the second client device; correspondingly, the second client device receives the second verification request containing the second random value sent by the server device.
The server device may send the second verification request containing the second random value to the second client device over the second secure connection.
S308a5: The second client device sends second verification information to the server device; correspondingly, the server device receives the second verification information. The second verification information contains the first operational credential and fourth signature information, the fourth signature information being obtained by signing the second random value with the first private key.
S308a6: The server device verifies the second verification information according to the first operational credential contained in the second configuration trigger information.
In one possible implementation, verifying the second verification information according to the first operational credential contained in the second configuration trigger information includes:
comparing the first operational credential contained in the second configuration trigger information with the first operational credential contained in the second verification information;
when the first operational credential contained in the second configuration trigger information is consistent with the first operational credential contained in the second verification information, verifying the second signature information according to the first operational credential.
In the embodiments of this application, after receiving the second verification information, the server device may first compare the first operational credential in the second verification information against the first operational credential notified by the first client device and, if the two are consistent, verify the second signature information with the first operational credential.
In one possible implementation, verifying the second signature information according to the first operational credential includes:
verifying the second signature information according to the first public key of the second client device carried in the first operational credential.
For example, the server device decrypts the second signature information with the APP public key to obtain the hash value of the second random value; separately, it hashes the second random value with the same hash algorithm to obtain a hash value; it then compares the two hash values and, if they are the same, determines that the second signature information passes verification, otherwise that the second signature information fails verification.
When the second signature information passes verification, the second verification information may be considered to have passed verification.
S308a7: After the second verification information passes verification, the server device sends a certificate signing request to the second client device; correspondingly, the second client device receives the certificate signing request sent by the server device.
The server device may send the certificate signing request to the second client device over the second secure connection.
S308a8: The second client device performs permission configuration in the server device according to the certificate signing request.
The process by which the second client device performs permission configuration in the server device may include:
sending the device certificate request and the network identifier of the network corresponding to the server device to the certificate authority device;
接收该认证中心设备返回的设备证书;Receive the device certificate returned by the certification center device;
将该设备证书、该第一根证书以及访问控制权限信息配置到该服务端设备;Configure the device certificate, the first root certificate and the access control authority information to the server device;
其中,该访问控制权限信息配置在该服务端设备的访问控制列表ACL中,且该访问控制权限信息包括访问控制条目、该访问控制条目对应的可访问数据、有权访问该可访问数据的实体、以及授权的访问方式。The access control authority information is configured in the access control list ACL of the server device, and the access control authority information includes an access control entry, the accessible data corresponding to the access control entry, and an entity that has the right to access the accessible data. , and authorized access methods.
在本申请实施例中的,当第一客户端设备和第二客户端设备属于不同的物联网生态环境时,第二客户端设备需要请求其所在的物联网生态环境中的认证中心分配设备证书,并将设备证书、第一根证书以及访问控制权限信息配置到服务端设备,从而获取对服务端设备的访问控制能力。In this embodiment of the present application, when the first client device and the second client device belong to different IoT ecosystems, the second client device needs to request the authentication center in the IoT ecosystem where it is located to assign a device certificate , and configure the device certificate, the first root certificate and the access control authority information to the server device, so as to obtain the access control capability of the server device.
相应的,服务端设备接收该第二客户端设备配置的设备证书、该第二客户端设备的第一根证书以及访问控制权限信息。Correspondingly, the server device receives the device certificate configured by the second client device, the first root certificate of the second client device, and the access control authority information.
Refer to FIG. 4, a schematic flowchart of permission sharing for a server device in an embodiment of this application. As shown in FIG. 4, suppose the ecosystem-A APP is the administrator of the lamp device Bulb; it adds the ecosystem-B APP as an administrator of Bulb as follows:
S41: The ecosystem-A APP sends a verification request to the ecosystem-B APP; the request carries a random value nonce (the first random value above).
S42: The ecosystem-B APP signs nonce with its (operational) private key (the first private key above) and returns the root certificate RC.B, the APP certificate OC.B.APP and the signature Signature to the ecosystem-A APP. The APP certificate is issued under the root certificate and is the certificate the APP uses to establish control connections with controlled devices.
S43: On receipt, the ecosystem-A APP looks RC.B up on the blockchain (or on a server, or in its own store if the APP keeps root certificates locally) and obtains the legality result for RC.B.
S44: The ecosystem-A APP verifies OC.B.APP with RC.B, i.e. checks the signature on the APP certificate OC.B.APP with the root certificate's public key (the second public key above).
S45: After OC.B.APP passes, the ecosystem-A APP verifies Signature with OC.B.APP, i.e. with the APP (operational) public key contained in OC.B.APP (the first public key above).
S46: After Signature passes, the ecosystem-A APP notifies user Alice that the ecosystem-B APP is legitimate.
S47: Alice triggers Bulb to enter configuration mode.
S48: The ecosystem-A APP generates a configuration token OT.
S49: The ecosystem-A APP sends Bulb an instruction to enable configuration; the instruction carries OT and OC.B.APP.
S410: On receiving the instruction, Bulb enters configuration discovery mode.
S411: The ecosystem-A APP shares OT with the ecosystem-B APP.
S412: The ecosystem-B APP discovers Bulb, establishes a secure connection using OT, and authenticates Bulb's CD (certification declaration).
S413: Bulb sends the ecosystem-B APP a verification request; the request carries a random value nonce2 (the second random value above).
S414: The ecosystem-B APP signs nonce2 with its private key (the first private key) and returns the APP certificate OC.B.APP and the signature Signature2 to Bulb.
S415: Bulb checks whether the OC.B.APP it has just received is identical to the OC.B.APP the ecosystem-A APP sent earlier.
S416: If the two are identical, Bulb verifies Signature2 with OC.B.APP, i.e. with the APP (operational) public key contained in OC.B.APP.
S417: After Signature2 passes, Bulb sends the device certificate request CSR.bulb to the ecosystem-B APP.
S418: The ecosystem-B APP generates a fabricID and sends CSR.bulb and the fabricID to the ecosystem-B CA to request a device certificate; after authenticating the request, the ecosystem-B CA issues the device certificate B.OC.bulb and returns it to the ecosystem-B APP.
S419: The ecosystem-B APP configures the device certificate B.OC.bulb and the access control permission ACL.Bulb.B.APP1 on Bulb.
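The two verifications in the flow above, the ecosystem-A APP's check of RC.B, OC.B.APP and Signature in S43 to S45 and Bulb's byte comparison of the presented OC.B.APP against the copy from the configuration trigger followed by the Signature2 check in S415 and S416 (the same checks as S308a6), written out as an added Go example. This is not code from the patent or from any OPPO implementation. It assumes Ed25519 keys, X.509 certificates created in memory, and a single pinned root certificate standing in for the blockchain, server or local lookup of S43; the names Ecosystem, NewEcosystem, NewNonce, VerifyClientProof and ServerVerify are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Ecosystem models ecosystem B on the page: RC.B, the APP certificate OC.B.APP
// signed by it, and the APP's operational (first) private key. Ed25519 and the
// certificate fields below are this example's assumptions, not the patent's.
type Ecosystem struct {
	RootDER []byte
	OpDER   []byte
	OpPriv  ed25519.PrivateKey
}

func NewEcosystem(name string) (*Ecosystem, error) {
	rootPub, rootPriv, err1 := ed25519.GenerateKey(rand.Reader)
	opPub, opPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, errors.New("key generation failed")
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{ // RC: self-signed CA
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "RC." + name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, rootPub, rootPriv)
	if err != nil {
		return nil, err
	}
	opTmpl := &x509.Certificate{ // OC: end-entity certificate issued by RC
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "OC." + name + ".APP"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	opDER, err := x509.CreateCertificate(rand.Reader, opTmpl, rootTmpl, opPub, rootPriv)
	if err != nil {
		return nil, err
	}
	return &Ecosystem{RootDER: rootDER, OpDER: opDER, OpPriv: opPriv}, nil
}

// NewNonce is the random value of S41 / S413; its freshness is the replay defence.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Sign is the ecosystem-B APP's answer in S42 / S414.
func (e *Ecosystem) Sign(nonce []byte) []byte { return ed25519.Sign(e.OpPriv, nonce) }

// verifyNonce checks sig with the key carried in an already-trusted OC.
func verifyNonce(op *x509.Certificate, nonce, sig []byte) error {
	pub, ok := op.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("signature over nonce does not verify")
	}
	return nil
}

// VerifyClientProof is S43 to S45 on the ecosystem-A APP; trustedRoot is a
// pinned RC standing in for the blockchain/server/local legality lookup.
func VerifyClientProof(trustedRoot, rootDER, opDER, nonce, sig []byte) error {
	if !bytes.Equal(trustedRoot, rootDER) {
		return errors.New("S43: RC.B is not a recognised root certificate")
	}
	root, err1 := x509.ParseCertificate(rootDER)
	op, err2 := x509.ParseCertificate(opDER)
	if err1 != nil || err2 != nil {
		return errors.New("malformed certificate")
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	// S44: OC.B.APP must chain to RC.B (issuer signature, validity period, CA bit).
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := op.Verify(opts); err != nil {
		return errors.New("S44: OC.B.APP does not chain to RC.B: " + err.Error())
	}
	return verifyNonce(op, nonce, sig) // S45: the key comes from the verified OC, not from the message
}

// ServerVerify is S415 and S416 on Bulb: the OC presented over the OT-bootstrapped
// connection must be byte-identical to the one pushed in the configuration trigger.
func ServerVerify(triggerOpDER, presentedOpDER, nonce2, sig2 []byte) error {
	if !bytes.Equal(triggerOpDER, presentedOpDER) {
		return errors.New("S415: presented OC.B.APP differs from the configuration trigger")
	}
	op, err := x509.ParseCertificate(presentedOpDER)
	if err != nil {
		return err
	}
	return verifyNonce(op, nonce2, sig2) // S416
}
```

Call VerifyClientProof from the administrator side and ServerVerify from the device side (or exercise both from go test). Two details matter more than the choice of algorithm: the public key that checks the nonce signature is always taken from a certificate that has already been chain-verified (on the APP) or already matched byte-for-byte against the administrator's copy (on Bulb), never from a key carried loose in the message; and each verifier draws its own nonce, so a Signature captured from the A-to-B exchange cannot be replayed to Bulb as Signature2.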
In one possible implementation, when the first client device uses configuration trigger information to make the server device open permissions to the second client device, it sends third configuration trigger information to the server device; the third configuration trigger information contains the activation token and the first public key of the second client device.
In this embodiment, the first client device may also send configuration trigger information based on the activation token OT to the server device in order to trigger the process by which the server device opens permissions to the second client device. In one possible implementation that process is as follows:
S308b1: The server device receives the third configuration trigger information sent by the first client device.
S308b2: The server device encrypts the activation token under the first public key, obtaining the encrypted activation token.
S308b3: The server device sends the encrypted activation token to the second client device, and the second client device receives it.
S308b4: The second client device decrypts the encrypted activation token with the first private key corresponding to the first public key, obtaining the activation token.
S308b5: The second client device and the server device establish a third secure connection between them based on the activation token.
S308b6: The server device sends a certificate signing request to the second client device, and the second client device receives it.
S308b7: The second client device performs permission configuration on the server device according to the certificate signing request, in the same way as in S308a8 above.
Refer to FIG. 5, a schematic flowchart of permission sharing for a server device in an embodiment of this application. As shown in FIG. 5, suppose the ecosystem-A APP is the administrator of Bulb; it adds the ecosystem-B APP as an administrator of Bulb as follows:
S51: The ecosystem-A APP sends a verification request to the ecosystem-B APP; the request carries a random value nonce.
S52: The ecosystem-B APP signs nonce with its (operational) private key and returns the root certificate RC.B, the APP certificate OC.B.APP and the signature Signature to the ecosystem-A APP. The APP certificate is issued under the root certificate and is the certificate the APP uses to establish control connections with controlled devices.
S53: On receipt, the ecosystem-A APP looks RC.B up on the blockchain and obtains the legality result for RC.B.
S54: The ecosystem-A APP verifies OC.B.APP with RC.B, i.e. checks the signature on the APP certificate OC.B.APP with the root certificate's public key.
S55: After it passes, the ecosystem-A APP verifies Signature with OC.B.APP, i.e. with the APP (operational) public key contained in OC.B.APP.
S56: After it passes, the ecosystem-A APP notifies user Alice that the ecosystem-B APP is legitimate.
S57: Alice triggers Bulb to enter configuration mode.
S58: The ecosystem-A APP generates a configuration token OT.
S59: The ecosystem-A APP sends Bulb an instruction to enable configuration; the instruction carries OT and the ecosystem-B APP's (operational) public key PuK.B.APP.
S510: The ecosystem-B APP discovers Bulb, establishes a connection and begins security negotiation.
S511: Bulb encrypts OT under the ecosystem-B APP's (operational) public key PuK.B.APP and sends the result to the ecosystem-B APP.
S512: The ecosystem-B APP decrypts it with its (operational) private key to obtain OT, and the two sides use OT to establish a secure connection.
S513: The ecosystem-B APP authenticates Bulb's CD; once it passes, the APP generates a fabricID.
S514: Bulb sends the device certificate request CSR.bulb to the ecosystem-B APP.
S515: The ecosystem-B APP sends CSR.bulb and the fabricID to the ecosystem-B CA to request a device certificate; after authenticating the request, the ecosystem-B CA issues the device certificate B.OC.bulb and returns it to the ecosystem-B APP.
S516: The ecosystem-B APP configures the device certificate B.OC.bulb and the access control permission ACL.Bulb.B.APP1 on Bulb.
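The activation-token wrapping of S308b2 to S308b4 (S511 and S512 in FIG. 5), as an added Go example; it is not code from the patent or from any OPPO implementation. The page says OT is encrypted under the APP's (operational) public key PuK.B.APP. A key pair that is only usable for signatures (Ed25519, ECDSA) cannot encrypt, so this example assumes PuK.B.APP is an X25519 key-agreement key that the ecosystem-A APP registered with Bulb, and uses an ECIES-style construction: an ephemeral X25519 key, a shared secret turned into an AES-256-GCM key by one HMAC-SHA256 round bound to both public keys, and the session context as associated data. WrappedToken, WrapToken, UnwrapToken, NewAppKey and the label string are this example's own names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// WrappedToken is what the server device sends in S308b3 / S511: an ephemeral
// X25519 public key plus the AES-256-GCM sealing (iv || ciphertext || tag) of
// the activation token OT.
type WrappedToken struct {
	EphemeralPub []byte
	Sealed       []byte
}

// NewAppKey generates the ecosystem-B APP's key pair; the public half is what
// the ecosystem-A APP forwards to Bulb as PuK.B.APP in S59.
func NewAppKey() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// deriveKey turns the X25519 shared secret into an AES-256 key. Mixing in both
// public keys binds the key to this sender/recipient pair, so a wrapped token
// cannot be re-targeted. One HMAC-SHA256 round (HKDF's expand step) yields the
// 32 bytes needed; the label is this example's own.
func deriveKey(shared, ephPub, recipientPub []byte) []byte {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("bulb-activation-token-v1"))
	mac.Write(ephPub)
	mac.Write(recipientPub)
	return mac.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapToken is S308b2 on the server device: OT is encrypted under the first
// public key PuK.B.APP received in the third configuration trigger. aad is
// context both sides already share (assumed here to be a session label).
func WrapToken(recipientPub *ecdh.PublicKey, ot, aad []byte) (*WrappedToken, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, eph.PublicKey().Bytes(), recipientPub.Bytes()))
	if err != nil {
		return nil, err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	return &WrappedToken{EphemeralPub: eph.PublicKey().Bytes(), Sealed: gcm.Seal(iv, iv, ot, aad)}, nil
}

// UnwrapToken is S308b4 on the second client device. Only the holder of the
// first private key recovers OT, and any change to the ciphertext, the
// ephemeral key or aad fails GCM authentication, so a tampered token is never
// used to open the third secure connection.
func UnwrapToken(recipientPriv *ecdh.PrivateKey, w *WrappedToken, aad []byte) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(w.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, w.EphemeralPub, recipientPriv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	if len(w.Sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed token too short")
	}
	return gcm.Open(nil, w.Sealed[:gcm.NonceSize()], w.Sealed[gcm.NonceSize():], aad)
}

func main() {
	appKey, err := NewAppKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("bulb-config-session") // constructed shared context
	w, err := WrapToken(appKey.PublicKey(), []byte("constructed sample OT"), aad)
	if err != nil {
		panic(err)
	}
	if _, err := UnwrapToken(appKey, w, aad); err != nil {
		panic(err)
	}
}
```

Bulb does not authenticate the connecting APP before S511; what protects OT is that only the holder of the private key matching the PuK.B.APP pushed by the administrator can unwrap it, and GCM rejects any altered ciphertext or a key that is not the intended recipient's. An unwrap error should therefore abort the third secure connection rather than fall back to an unauthenticated one.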
In summary, in this embodiment, before the first client device shares permission over the server device with the second client device, it first uses a first random value to make the second client device return verification information, then verifies that information to establish the legitimacy of the second client device, and shares permission over the server device with the second client device only once it has been verified as legitimate. This avoids sharing the server device's access control permission with an illegitimate client device and improves the security of such sharing.
In the solution disclosed in the embodiment shown in FIG. 2 above, a unified platform may authenticate both the first client device and the second client device and issue authentication information to each.
Refer to FIG. 6, a flowchart of a permission configuration method in the Internet of Things provided by an embodiment of this application. The method is executed through interaction between a first client device, a second client device and a server device; for example, the first and second client devices may be client devices 120 of the network architecture shown in FIG. 1, and the server device may be server device 110 of that architecture. The method may include the following steps:
Step 601: A first secure connection is established between the first client device and the second client device.
In one possible implementation, the APP of each IoT ecosystem holds one key pair for authentication and one key pair for operation. After authentication by the unified authentication platform, the APP of each ecosystem obtains the authentication certificate DAC.B.APP and/or the certification declaration CD.B.APP issued to it. DAC.B.APP contains the public key used for authentication (the second public key referred to below). DAC.B.APP or CD.B.APP can be used to verify the legitimacy of the APP.
Step 602: The first client device sends a first verification request containing a first random value to the second client device, and the second client device receives it.
Steps 601 and 602 are implemented as steps 301 and 302 of the embodiment shown in FIG. 3 and are not described again here.
Step 603: The second client device sends first verification information to the first client device, and the first client device receives it. The first verification information includes the second client device's first root certificate, a first operation credential, first authentication information, second signature information and third signature information. The first operation credential is issued under the first root certificate. The first authentication information is issued by a unified authentication platform after it has authenticated the second client device, the platform being used to authenticate both the first client device and the second client device. The second signature information is obtained by signing the first root certificate, the first operation credential and the first authentication information with the second client device's first private key; the third signature information is obtained by signing the first root certificate, the first operation credential, the first authentication information and the second signature information with the second client device's second private key.
In one possible implementation, the first private key is the second client device's private key used for operation.
In one possible implementation, the second private key is the private key of the second client device's root certificate.
In one possible implementation, the first operation credential is issued with the second client device's second private key.
In one possible implementation, the unified authentication platform provides unified authentication for the client devices of the various IoT ecosystems and returns authentication information to each of them; correspondingly, it can offer one client device a service for querying the legality of another client device's authentication information.
Step 604: The first client device checks the legality of the first authentication information.
In one possible implementation, the first client device queries the unified authentication platform about the first authentication information and obtains its legality result.
Alternatively, the first client device may check the legality of the first authentication information in another way: for example, it queries the unified authentication platform for the second client device's authentication information, receives the authentication information the platform returns, and compares it with the first authentication information it received; if the two are identical, the first authentication information passes the legality check.
Step 605: After the first authentication information passes the legality check, the first client device verifies the third signature information with the second public key corresponding to the second private key; the second public key is carried in the first authentication information.
In this embodiment, after the first authentication information passes the legality check, the first client device can take the second public key from the first authentication information and verify the third signature information with it.
Step 606: After the third signature information passes verification, the first client device verifies the second signature information with the first public key corresponding to the first private key; the first public key is carried in the first operation credential.
In this embodiment, after the third signature information passes verification, the first client device can take the first public key from the first operation credential and verify the second signature information with it.
Step 607: When the first verification information passes verification, the first client device triggers, by means of configuration trigger information, the server device to open permissions to the second client device.
Step 608: The server device receives the configuration trigger information sent by the first client device and opens permissions to the second client device according to it.
Steps 607 and 608 are implemented as steps 307 and 308 of the embodiment shown in FIG. 3 and are not described again here.
Refer to FIG. 7, a schematic flowchart of permission sharing for a server device in an embodiment of this application. As shown in FIG. 7, suppose the ecosystem-A APP is the administrator of Bulb; it adds the ecosystem-B APP as an administrator of Bulb as follows:
S71: Bob triggers the ecosystem-B APP to join the home network.
S72: The ecosystem-B APP generates a QR code for pairing and announces its presence on the network.
S73: The ecosystem-A APP obtains the ecosystem-B APP's QR code information by scanning the code, finds the ecosystem-B APP on the network, and uses the information in the QR code to establish a secure connection.
S74: The ecosystem-A APP sends a verification request to the ecosystem-B APP; the request carries a random value nonce.
S75: The ecosystem-B APP signs nonce, OC.B.APP, RC.B, DAC.B.APP and CD.B.APP with its (operational) private key, obtaining Signature1.
S76: The ecosystem-B APP signs nonce, OC.B.APP, RC.B, DAC.B.APP, CD.B.APP and Signature1 with its (authentication) private key, obtaining Signature2.
S77: The ecosystem-B APP returns nonce, OC.B.APP, RC.B, DAC.B.APP, CD.B.APP and the signatures Signature1 and Signature2 to the ecosystem-A APP.
S78: On receipt, the ecosystem-A APP checks the legality of DAC.B.APP and CD.B.APP and verifies Signature2 with the authentication public key contained in DAC.B.APP.
S79: After it passes, the ecosystem-A APP verifies Signature1 with the public key in OC.B.APP, i.e. the APP public key contained in OC.B.APP.
S710: After it passes, the ecosystem-A APP notifies user Alice that the ecosystem-B APP is legitimate.
S711: Alice triggers Bulb to enter configuration mode.
S712: The ecosystem-A APP generates a configuration token OT.
S713: The ecosystem-A APP sends Bulb an instruction to enable configuration; the instruction carries OT and the ecosystem-B APP's public key PuK.B.APP.
S714: The ecosystem-B APP discovers Bulb, establishes a connection and begins security negotiation.
S715: Bulb encrypts OT under the ecosystem-B APP's public key PuK.B.APP and sends the result to the ecosystem-B APP.
S716: The ecosystem-B APP decrypts it with its private key to obtain OT, and the two sides use OT to establish a secure connection.
S717: The ecosystem-B APP authenticates Bulb's CD; once it passes, the APP generates a fabricID.
S718: Bulb sends the device certificate request CSR.bulb to the ecosystem-B APP.
S719: The ecosystem-B APP sends CSR.bulb and the fabricID to the ecosystem-B CA to request a device certificate; after authenticating the request, the ecosystem-B CA issues the device certificate B.OC.bulb and returns it to the ecosystem-B APP.
S720: The ecosystem-B APP configures the device certificate B.OC.bulb and the access control permission ACL.Bulb.B.APP1 on Bulb.
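The two-layer response of S75 to S79 (steps 603 to 606 above), as an added Go example; it is not code from the patent or from any OPPO implementation. OC.B.APP and DAC.B.APP are reduced to the operational and authentication public keys they carry, RC.B and CD.B.APP are treated as opaque bytes, and the unified authentication platform of step 604 is a local registry of the (DAC, CD) pairs it has issued; Response, Respond, Platform, Verify, NewKeys and Challenge are this example's names. One detail the page leaves implicit is made explicit: the fields are length-prefixed before signing, so the byte string over which Signature1 and Signature2 are computed has exactly one parse and cannot be reinterpreted with the boundaries between nonce, OC.B.APP, RC.B, DAC.B.APP and CD.B.APP shifted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Response is what the ecosystem-B APP returns in S77. OC holds the operational
// public key and DAC the authentication public key (this example's reduction
// of OC.B.APP and DAC.B.APP); RC and CD are carried as opaque bytes.
type Response struct {
	Nonce, OC, RC, DAC, CD []byte
	Signature1, Signature2 []byte
}

// encode length-prefixes every field so the signed byte string has exactly
// one parse: (a||b) can never be re-split into a different (a'||b').
func encode(fields ...[]byte) []byte {
	var out []byte
	for _, f := range fields {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(append(out, n[:]...), f...)
	}
	return out
}

func (r *Response) inner() []byte { return encode(r.Nonce, r.OC, r.RC, r.DAC, r.CD) }

// NewKeys generates the APP's operational and authentication key pairs.
func NewKeys() (opPriv, authPriv ed25519.PrivateKey, err error) {
	if _, opPriv, err = ed25519.GenerateKey(rand.Reader); err != nil {
		return nil, nil, err
	}
	_, authPriv, err = ed25519.GenerateKey(rand.Reader)
	return opPriv, authPriv, err
}

// Challenge is the nonce of S74; the verifier keeps it to compare in Verify.
func Challenge() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Respond is S75 to S77: Signature1 by the operational key over the bundle,
// Signature2 by the authentication key over the bundle plus Signature1.
func Respond(nonce, rc, cd []byte, opPriv, authPriv ed25519.PrivateKey) *Response {
	r := &Response{Nonce: nonce, RC: rc, CD: cd,
		OC: opPriv.Public().(ed25519.PublicKey), DAC: authPriv.Public().(ed25519.PublicKey)}
	r.Signature1 = ed25519.Sign(opPriv, r.inner())
	r.Signature2 = ed25519.Sign(authPriv, encode(r.inner(), r.Signature1))
	return r
}

// Platform stands in for the unified authentication platform of step 604: the
// set of (DAC, CD) pairs it has issued.
type Platform struct{ issued map[string]bool }

func NewPlatform() *Platform                  { return &Platform{issued: map[string]bool{}} }
func (p *Platform) Issue(dac, cd []byte)      { p.issued[string(encode(dac, cd))] = true }
func (p *Platform) Legal(dac, cd []byte) bool { return p.issued[string(encode(dac, cd))] }

// Verify is S78 and S79 on the ecosystem-A APP, in the page's order: platform
// legality of DAC/CD, Signature2 under the authentication key from DAC, then
// Signature1 under the operational key from OC. The nonce must be the one this
// verifier sent; that is what makes the proof fresh rather than replayed.
func Verify(p *Platform, sentNonce []byte, r *Response) error {
	if !bytes.Equal(sentNonce, r.Nonce) {
		return errors.New("nonce does not match the challenge we sent")
	}
	if !p.Legal(r.DAC, r.CD) {
		return errors.New("S78: DAC/CD were not issued by the unified platform")
	}
	if len(r.DAC) != ed25519.PublicKeySize || len(r.OC) != ed25519.PublicKeySize {
		return errors.New("malformed public key") // ed25519.Verify panics on a bad key size
	}
	if !ed25519.Verify(ed25519.PublicKey(r.DAC), encode(r.inner(), r.Signature1), r.Signature2) {
		return errors.New("S78: Signature2 does not verify under the authentication key")
	}
	if !ed25519.Verify(ed25519.PublicKey(r.OC), r.inner(), r.Signature1) {
		return errors.New("S79: Signature1 does not verify under the operational key")
	}
	return nil
}

func main() {
	opPriv, authPriv, err := NewKeys()
	if err != nil {
		panic(err)
	}
	p := NewPlatform()
	nonce, _ := Challenge()
	r := Respond(nonce, []byte("RC.B placeholder"), []byte("CD.B.APP placeholder"), opPriv, authPriv)
	p.Issue(r.DAC, r.CD) // the platform had issued this DAC/CD pair to the ecosystem-B APP
	if err := Verify(p, nonce, r); err != nil {
		panic(err)
	}
}
```

Because Signature2 covers Signature1, a responder that knows the registered authentication key cannot swap in a different operational key or a different OC.B.APP without re-signing with the authentication key, which is exactly the binding between the platform-vetted identity and the key that will later open control connections that the page is after.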
In summary, in this embodiment, before the first client device shares permission over the server device with the second client device, it first uses a first random value to make the second client device return verification information, then verifies that information to establish the legitimacy of the second client device, and shares permission over the server device with the second client device only once it has been verified as legitimate. This avoids sharing the server device's access control permission with an illegitimate client device and improves the security of such sharing.
The solution above addresses the problem that, when a second-ecosystem APP is added, the legitimacy of the control-side APP being added could not be confirmed: by authenticating the second-ecosystem APP before it is added and again during configuration, the identity and legitimacy of the added control-side APP are confirmed.
The following are apparatus embodiments of this application, which may be used to execute the method embodiments of this application. For details not disclosed in the apparatus embodiments, refer to the method embodiments.
Refer to FIG. 8, a block diagram of an apparatus for permission configuration in the Internet of Things provided by an embodiment of this application. The apparatus has the functions needed to implement the example permission configuration methods above; those functions may be implemented in hardware or by hardware executing corresponding software. The apparatus may be the first client device introduced above or may be set in the first client device. The first client device has management permission over the server device. As shown in FIG. 8, the apparatus may include:
a first verification request sending module 801, configured to send a first verification request containing a first random value to a second client device;
a first verification information receiving module 802, configured to receive first verification information sent by the second client device, the first verification information being generated based on the first random value;
a first verification module 803, configured to verify the first verification information;
a configuration trigger module 804, configured to trigger, by means of configuration trigger information, the server device to open permissions to the second client device when the first verification information passes verification.
In one possible implementation, the first verification information includes at least one of first signature information, a first root certificate of the second client device and a first operation credential; the first signature information is obtained by signing target data with a first private key of the second client device; the target data includes the first random value; the first operation credential is issued under the first root certificate.
In one possible implementation, the target data further includes at least one of the first root certificate and the first operation credential.
In one possible implementation, when the first verification information includes the first signature information, the first root certificate and the first operation credential, the first verification module 803 is configured to:
perform a legality query on the first root certificate to obtain a legality result for the first root certificate;
when the legality result indicates that the first root certificate is legitimate, verify the first operation credential with the first root certificate;
when the first operation credential passes verification, verify the first signature information with the first operation credential.
In one possible implementation, the first verification module 803 is configured to verify the first operation credential with the second public key of the second client device carried in the first root certificate.
In one possible implementation, the first verification module 803 is configured to verify the first signature information with the first public key of the second client device carried in the first operation credential.
In one possible implementation, the first verification module 803 is configured to:
query the blockchain for the first root certificate to obtain the legality result for the first root certificate;
or query the server at a preset address for the first root certificate to obtain the legality result for the first root certificate;
or query the first root certificate within the first client device to obtain the legality result for the first root certificate.
In one possible implementation, the first verification information further includes a query address;
所述第一校验模块803,用于向所述查询地址对应的服务器查询所述第一根证书,获得所述第一根证书的合法性认证结果。The first verification module 803 is configured to query the server corresponding to the query address for the first root certificate, and obtain the validity verification result of the first root certificate.
In a possible implementation, the first verification information includes the first root certificate of the second client device, the first operation credential, first authentication information, second signature information and third signature information; the first operation credential is issued by means of the first root certificate; the first authentication information is issued by a unified authentication platform after it authenticates the second client device, the unified authentication platform being used to authenticate the first client device and the second client device; the second signature information is obtained by signing the first root certificate, the first operation credential and the unified authentication information with the first private key of the second client device; and the third signature information is obtained by signing the first root certificate, the first operation credential, the unified authentication information and the second signature information with a second private key of the second client device.
In a possible implementation, the first verification module 803 is configured to:
perform a legality check on the first authentication information;
after the first authentication information passes the legality check, verify the third signature information with a second public key corresponding to the second private key, the second public key being carried in the first authentication information; and
after the third signature information passes verification, verify the second signature information with a first public key corresponding to the first private key, the first public key being carried in the first operation credential.
In a possible implementation, the configuration triggering module 804 is configured to:
send first configuration trigger information to the second client device, the first configuration trigger information containing the configuration token; and
send second configuration trigger information to the server device, the second configuration trigger information containing the configuration token and the first operation credential.
In a possible implementation, the configuration triggering module 804 is configured to send third configuration trigger information to the server device, the third configuration trigger information containing the configuration token and the first public key of the second client device.
In a possible implementation, the first client device and the second client device belong to different Internet of Things ecosystems.
In a possible implementation, the apparatus further includes:
a scanning module, configured to scan a two-dimensional code displayed by the second client device to obtain connection establishment information of the second client device; and
a first connection establishment module, configured to establish a first secure connection with the second client device according to the connection establishment information.
In summary, in the embodiments of the present application, before the first client device shares permissions on the server device with the second client device, it first uses a first random value to make the second client device return verification information, then verifies that information in order to verify the legitimacy of the second client device, and only after the second client device has been verified as legitimate does it share the permissions on the server device with it. This avoids sharing the access control permissions of the server device with an illegitimate client device and improves the security of sharing those permissions.
Refer to FIG. 9, which shows a block diagram of an apparatus for permission configuration in the Internet of Things provided by an embodiment of the present application. The apparatus has the functions of implementing the above example of the permission configuration method in the Internet of Things; these functions may be implemented by hardware, or by hardware executing corresponding software. The apparatus may be the second client device described above, or may be provided in the second client device. As shown in FIG. 9, the apparatus may include:
a first random value receiving module 901, configured to receive a first verification request sent by a first client device, the first verification request containing a first random value, the first client device having management permission over a server device; and
a first verification information sending module 902, configured to send first verification information to the first client device, so that after the first client device verifies the first verification information successfully, it triggers, by means of configuration trigger information, the server device to open permissions to the second client device; the first verification information is generated based on the first random value.
In a possible implementation, the first verification information includes at least one of first signature information, a first root certificate of the second client device, and a first operation credential; the first signature information is obtained by signing target data with a first private key of the second client device; the target data includes the first random value; and the first operation credential is issued by means of the first root certificate.
In a possible implementation, the target data further includes at least one of the first root certificate and the first operation credential.
In a possible implementation, the first verification information includes the first root certificate of the second client device, the first operation credential, first authentication information, second signature information and third signature information; the first operation credential is issued by means of the first root certificate; the first authentication information is issued by a unified authentication platform after it authenticates the second client device, the unified authentication platform being used to authenticate the first client device and the second client device; the second signature information is obtained by signing the first root certificate, the first operation credential and the unified authentication information with the first private key of the second client device; and the third signature information is obtained by signing the first root certificate, the first operation credential, the unified authentication information and the second signature information with a second private key of the second client device.
In a possible implementation, the apparatus further includes:
a first configuration trigger information receiving module, configured to receive first configuration trigger information sent by the first client device, the first configuration trigger information containing a configuration token;
a second connection establishment module, configured to establish a second secure connection with the server device according to the configuration token;
a second verification request receiving module, configured to receive a second verification request containing a second random value sent by the server device;
a second verification information sending module, configured to send second verification information to the server device, the second verification information containing the first operation credential and fourth signature information, the fourth signature information being obtained by signing the second random value with the first private key;
a certificate request receiving module, configured to receive a device certificate request sent by the server device, the device certificate request being sent after the server device verifies the second verification information successfully; and
a permission configuration module, configured to perform permission configuration in the server device according to the device certificate request.
In a possible implementation, the apparatus further includes:
an encrypted token receiving module, configured to receive an encrypted configuration token sent by the server device;
a decryption module, configured to decrypt the encrypted configuration token according to the first public key of the second client device to obtain the configuration token;
a third connection establishment module, configured to establish a third secure connection with the server device according to the configuration token;
a certificate request receiving module, configured to receive a device certificate request sent by the server device; and
a permission configuration module, configured to perform permission configuration in the server device according to the device certificate request.
In a possible implementation, the permission configuration module is configured to:
send the device certificate request and a network identifier of the network to which the server device belongs to an authentication center device;
receive a device certificate returned by the authentication center device; and
configure the device certificate, the first root certificate and access control permission information into the server device;
where the access control permission information is configured in an access control list (ACL) of the server device, and the access control permission information includes an access control entry, the accessible data corresponding to the access control entry, the entities entitled to access that accessible data, and the authorized access modes.
In a possible implementation, the first client device and the second client device belong to different Internet of Things ecosystems.
In a possible implementation, the apparatus further includes:
a two-dimensional code display module, configured to display a two-dimensional code carrying the connection establishment information of the second client device; and
a first connection establishment module, configured to establish a first secure connection with the first client device according to the connection establishment information.
In summary, in the embodiments of the present application, before the first client device shares permissions on the server device with the second client device, it first uses a first random value to make the second client device return verification information, then verifies that information in order to verify the legitimacy of the second client device, and only after the second client device has been verified as legitimate does it share the permissions on the server device with it. This avoids sharing the access control permissions of the server device with an illegitimate client device and improves the security of sharing those permissions.
Refer to FIG. 10, which shows a block diagram of an apparatus for permission configuration in the Internet of Things provided by an embodiment of the present application. The apparatus has the functions of implementing the above example of the permission configuration method in the Internet of Things; these functions may be implemented by hardware, or by hardware executing corresponding software. The apparatus may be the server device described above, or may be provided in the server device. As shown in FIG. 10, the apparatus may include:
a configuration trigger information receiving module 1001, configured to receive configuration trigger information sent by a first client device; the configuration trigger information is sent by the first client device after it sends a first verification request containing a first random value to a second client device, receives first verification information sent by the second client device, and verifies the first verification information successfully; the first verification information is generated based on the first random value; and
a permission opening module 1002, configured to open permissions to the second client device according to the configuration trigger information.
In a possible implementation, the configuration trigger information is second configuration trigger information containing a configuration token and the first operation credential;
the permission opening module 1002 is configured to:
establish a second secure connection with the second client device according to the configuration token;
send a second verification request containing a second random value to the server device;
receive second verification information sent by the second client device, the second verification information containing the first operation credential and fourth signature information, the fourth signature information being obtained by signing the second random value with the first private key;
verify the second verification information according to the first operation credential contained in the second configuration trigger information; and
after the second verification information passes verification, send a device certificate request to the second client device, so that the second client device performs permission configuration in the server device according to the device certificate request.
In a possible implementation, the permission opening module 1002 is configured to:
compare the first operation credential contained in the second configuration trigger information with the first operation credential contained in the second verification information; and
when the first operation credential contained in the second configuration trigger information is consistent with the first operation credential contained in the second verification information, verify the second signature information according to the first operation credential.
In a possible implementation, the permission opening module 1002 is configured to verify the second signature information according to the first public key of the second client device carried in the first operation credential.
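The three-step check of the first verification module 803 (legality of the first root certificate, the first operation credential under the root's public key, the first signature under the public key carried in the credential) and the later check of the permission opening module 1002 (the credential in the second verification information must equal the one in the second configuration trigger information, and the fourth signature over the second random value must verify under that credential) rest on the same certificate-and-signature chain. The Go program below is an added example written for this page, not code from the patent or from its applicant. It assumes ECDSA P-256 keys, models the first root certificate as the bare DER encoding of the root's (second) public key and the operation credential as a signed pair of device identifier and device public key, keeps the legality table local rather than on a blockchain or a remote server, and uses constructed fixed random values in Scenario so that it runs offline; all identifiers and resource names are invented for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Shapes are assumptions for this example, not the patent's encoding: the "first root certificate"
// is the PKIX DER of the root's ("second") public key; the credential is that root's signature on the device key.
type OpCredential struct {
	DeviceID string
	Pub      []byte // PKIX DER of the device's first public key
	Sig      []byte // root's signature over DeviceID||Pub
}

// VerificationInfo is the "first verification information" answering a first random value.
type VerificationInfo struct {
	Root []byte       // first root certificate
	Cred OpCredential // first operation credential
	Sig  []byte       // first signature over the target data: nonce||root||credential
}

func digest(parts ...[]byte) []byte { h := sha256.Sum256(bytes.Join(parts, nil)); return h[:] }
func credTBS(c OpCredential) []byte { return digest([]byte(c.DeviceID), c.Pub) }
func newKey() *ecdsa.PrivateKey     { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func pubDER(k *ecdsa.PrivateKey) []byte { d, _ := x509.MarshalPKIXPublicKey(&k.PublicKey); return d }
func sign(k *ecdsa.PrivateKey, hash []byte) []byte { s, _ := ecdsa.SignASN1(rand.Reader, k, hash); return s }

// parsePub reports ok=false for malformed or non-ECDSA keys instead of panicking.
func parsePub(der []byte) (*ecdsa.PublicKey, bool) {
	k, err := x509.ParsePKIXPublicKey(der)
	pub, ok := k.(*ecdsa.PublicKey)
	return pub, err == nil && ok
}

// IssueCredential: the ecosystem root signs the device's first public key.
func IssueCredential(rootPriv *ecdsa.PrivateKey, id string, dev *ecdsa.PrivateKey) OpCredential {
	c := OpCredential{DeviceID: id, Pub: pubDER(dev)}
	c.Sig = sign(rootPriv, credTBS(c))
	return c
}

// Respond: the second client device signs the target data with its first private key.
func Respond(dev *ecdsa.PrivateKey, root []byte, cred OpCredential, nonce []byte) VerificationInfo {
	return VerificationInfo{Root: root, Cred: cred, Sig: sign(dev, digest(nonce, root, credTBS(cred)))}
}

// Verify is the first client device's three-step check; trusted is a local set of legal roots
// (the page also lets a blockchain or a server at a preset or query address answer step 1).
func Verify(trusted map[string]bool, nonce []byte, vi VerificationInfo) error {
	rootPub, ok := parsePub(vi.Root) // step 1: legality of the first root certificate
	if !ok || !trusted[string(vi.Root)] {
		return errors.New("first root certificate is not legal")
	}
	if !ecdsa.VerifyASN1(rootPub, credTBS(vi.Cred), vi.Cred.Sig) { // step 2: credential under the root key
		return errors.New("first operation credential was not issued by that root")
	}
	devPub, ok := parsePub(vi.Cred.Pub) // step 3: signature under the key carried in the credential
	if !ok || !ecdsa.VerifyASN1(devPub, digest(nonce, vi.Root, credTBS(vi.Cred)), vi.Sig) {
		return errors.New("first signature does not cover this first random value")
	}
	return nil
}

// ServerVerify is the server device's check: the credential in the second verification information must
// equal the one from the trigger information, and the fourth signature over the second random value must verify.
func ServerVerify(fromTrigger, fromVerify OpCredential, nonce2, sig4 []byte) error {
	if !bytes.Equal(credTBS(fromTrigger), credTBS(fromVerify)) || !bytes.Equal(fromTrigger.Sig, fromVerify.Sig) {
		return errors.New("credential differs from the one in the trigger information")
	}
	devPub, ok := parsePub(fromVerify.Pub)
	if !ok || !ecdsa.VerifyASN1(devPub, digest(nonce2), sig4) {
		return errors.New("fourth signature invalid")
	}
	return nil
}

// Scenario runs the honest flow, the server-side check, and a replayed response.
func Scenario() (honest, server, replay error) {
	rootPriv, dev := newKey(), newKey() // constructed sample root and device keys
	root, cred := pubDER(rootPriv), IssueCredential(rootPriv, "device-B-001", dev)
	trusted := map[string]bool{string(root): true}
	// Constructed fixed values so the example is reproducible; real devices draw fresh random values.
	nonce, nonce2 := []byte("first-random-value-0001"), []byte("second-random-value-0002")
	vi := Respond(dev, root, cred, nonce)
	honest = Verify(trusted, nonce, vi)
	server = ServerVerify(cred, cred, nonce2, sign(dev, digest(nonce2)))
	replay = Verify(trusted, nonce2, vi) // old response replayed against a different random value
	return
}

func main() {
	h, s, r := Scenario()
	fmt.Println("honest:", h, "| server:", s, "| replay:", r)
}
```

Scenario returns nil for the honest exchange and for the server-side check, and a non-nil error for the replayed response, because the signature covers the random value the first client device chose for this exchange; the credential comparison in ServerVerify is what ties the device that answers the server's second random value to the device the first client device actually approved.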
In a possible implementation, the configuration trigger information is third configuration trigger information containing a configuration token and the first public key of the second client device;
the permission opening module 1002 is configured to:
encrypt the configuration token according to the first public key to obtain an encrypted configuration token;
send the encrypted configuration token to the second client device;
establish a third secure connection with the server device according to the configuration token; and
send a device certificate request to the second client device, so that the second client device performs permission configuration in the server device according to the device certificate request.
In a possible implementation, the apparatus further includes:
a certificate and information receiving module, configured to receive a device certificate configured by the second client device, the first root certificate of the second client device, and access control permission information;
where the access control permission information is configured in an access control list (ACL) of the server device, and the access control permission information includes an access control entry, the accessible data corresponding to the access control entry, the entities entitled to access that accessible data, and the authorized access modes.
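The access control permission information described for the second client device's permission configuration module and again for the server device's certificate and information receiving module has the same four parts: an access control entry, its accessible data, the entities entitled to access that data, and the authorized access modes. The Go program below is an added example, not code from the patent or from its applicant, showing how a server device can hold such entries and evaluate them with default deny. The resource paths, the mode names Read, Write and Observe, the rule that the server accepts only entries naming the configuring device's own certificate subject and only resources it actually exposes, and the sample entries are all assumptions made for the example.

```go
package main

import "fmt"

// Mode is a bit set of authorized access modes (names assumed for this example).
type Mode uint8

const (
	Read Mode = 1 << iota
	Write
	Observe
)

// ACE is one access control entry: the accessible data, the entities entitled to it,
// and the authorized access modes.
type ACE struct {
	Resource string   // accessible data, keyed by an assumed resource path
	Subjects []string // entities entitled to access it, by device certificate subject
	Modes    Mode
}

// Server holds the ACL of the server device and the resources it actually exposes.
type Server struct {
	Resources map[string]bool
	ACL       []ACE
}

// Install is the server-side acceptance of ACL entries configured by a client device.
// Assumed policy: refuse an entry naming an unknown resource, granting nothing, or naming
// any subject other than the certificate holder doing the configuring. Nothing is
// appended unless every entry passes, so a bad batch leaves the ACL unchanged.
func (s *Server) Install(certSubject string, entries []ACE) error {
	for _, e := range entries {
		if !s.Resources[e.Resource] {
			return fmt.Errorf("entry for unknown resource %q", e.Resource)
		}
		if len(e.Subjects) == 0 || e.Modes == 0 {
			return fmt.Errorf("entry for %q grants nothing", e.Resource)
		}
		for _, sub := range e.Subjects {
			if sub != certSubject {
				return fmt.Errorf("entry for %q names %q, not the configuring device %q", e.Resource, sub, certSubject)
			}
		}
	}
	s.ACL = append(s.ACL, entries...)
	return nil
}

// Allowed reports whether subject may perform every mode in want on resource.
// Default deny: only exact resource matches count, and modes are OR-ed across
// the entries that name the subject; an empty want is never allowed.
func (s *Server) Allowed(subject, resource string, want Mode) bool {
	var granted Mode
	for _, e := range s.ACL {
		if e.Resource != resource {
			continue
		}
		for _, sub := range e.Subjects {
			if sub == subject {
				granted |= e.Modes
			}
		}
	}
	return want != 0 && granted&want == want
}

// Demo installs a constructed ACL for a constructed device and returns three checks:
// read/observe granted on the configured resource, write denied on an unconfigured one,
// and an entry that tries to grant another entity refused at install time.
func Demo() (canRead, canWrite, refused bool) {
	s := &Server{Resources: map[string]bool{"/light/state": true, "/light/power": true}}
	err := s.Install("device-B-001", []ACE{
		{Resource: "/light/state", Subjects: []string{"device-B-001"}, Modes: Read | Observe},
	})
	if err != nil {
		panic(err)
	}
	canRead = s.Allowed("device-B-001", "/light/state", Read|Observe)
	canWrite = s.Allowed("device-B-001", "/light/power", Write) // no entry: default deny
	refused = s.Install("device-B-001", []ACE{
		{Resource: "/light/power", Subjects: []string{"device-C-007"}, Modes: Write},
	}) != nil
	return
}

func main() {
	r, w, f := Demo()
	fmt.Println("read granted:", r, "| write granted:", w, "| foreign entry refused:", f)
}
```

Keeping the install-time checks separate from the evaluation keeps the ACL itself small and the evaluation a pure function of the entries, which is easier to audit on a constrained device than a policy that is re-derived on every request.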
In summary, in the embodiments of the present application, before the first client device shares permissions on the server device with the second client device, it first uses a first random value to make the second client device return verification information, then verifies that information in order to verify the legitimacy of the second client device, and only after the second client device has been verified as legitimate does it share the permissions on the server device with it. This avoids sharing the access control permissions of the server device with an illegitimate client device and improves the security of sharing those permissions.
It should be noted that when the apparatus provided in the above embodiments implements its functions, the division into the functional modules described above is only an example; in practice, the above functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or some of the functions described above.
With regard to the apparatus in the above embodiments, the specific manner in which each module performs its operations has been described in detail in the embodiments of the method and will not be elaborated here.
Refer to FIG. 11, which shows a schematic structural diagram of an Internet of Things device 1100 provided by an embodiment of the present application. The Internet of Things device 1100 may include a processor 1101, a receiver 1102, a transmitter 1103, a memory 1104 and a bus 1105.
The processor 1101 includes one or more processing cores; by running software programs and modules, the processor 1101 executes various functional applications and information processing.
The receiver 1102 and the transmitter 1103 may be implemented as one communication component, which may be a communication chip. The communication chip may also be called a transceiver.
The memory 1104 is connected to the processor 1101 through the bus 1105.
The memory 1104 may be used to store a computer program, and the processor 1101 is used to execute that computer program so as to implement the steps performed by the terminal in the above method embodiments.
In addition, the memory 1104 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, including but not limited to magnetic or optical disks, electrically erasable programmable read-only memory, erasable programmable read-only memory, static random access memory, read-only memory, magnetic memory, flash memory and programmable read-only memory.
In an exemplary embodiment, the Internet of Things device includes a processor, a memory and a transceiver (the transceiver may include a receiver for receiving information and a transmitter for sending information);
when the Internet of Things device is implemented as a first client device,
the transceiver is configured to send a first verification request to a second client device, the first verification request containing a first random value;
the transceiver is configured to receive first verification information sent by the second client device, the first verification information being generated based on the first random value;
the processor is configured to verify the first verification information; and
the transceiver is configured to trigger, by means of configuration trigger information, the server device to open permissions to the second client device when the first verification information passes verification.
When the Internet of Things device involved in the embodiments of the present application is implemented as the first client device, it may perform all or some of the steps performed by the first client device in the permission configuration method in the Internet of Things shown in FIG. 2, FIG. 3 or FIG. 6, which will not be repeated here.
When the Internet of Things device is implemented as a second client device,
the transceiver is configured to receive a first verification request containing a first random value sent by a first client device, the first client device having management permission over a server device; and
the transceiver is configured to send first verification information to the first client device, so that after the first client device verifies the first verification information successfully, it triggers, by means of configuration trigger information, the server device to open permissions to the second client device; the first verification information is generated based on the first random value.
When the Internet of Things device involved in the embodiments of the present application is implemented as the second client device, it may perform all or some of the steps performed by the second client device in the permission configuration method in the Internet of Things shown in FIG. 2, FIG. 3 or FIG. 6, which will not be repeated here.
When the Internet of Things device is implemented as a server device,
the transceiver is configured to receive configuration trigger information sent by a first client device; the configuration trigger information is sent by the first client device after it sends a first verification request containing a first random value to a second client device, receives first verification information sent by the second client device, and verifies the first verification information successfully; the first verification information is generated based on the first random value; and
the processor is configured to open permissions to the second client device according to the configuration trigger information.
When the Internet of Things device involved in the embodiments of the present application is implemented as the server device, it may perform all or some of the steps performed by the server device in the permission configuration method in the Internet of Things shown in FIG. 2, FIG. 3 or FIG. 6, which will not be repeated here.
Embodiments of the present application further provide a computer-readable storage medium storing a computer program, which is loaded and executed by a processor to implement all or some of the steps performed by the first client device, the second client device or the server device in the permission configuration method in the Internet of Things shown in FIG. 2, FIG. 3 or FIG. 6.
The present application further provides a chip for running in an Internet of Things device, so that the Internet of Things device performs all or some of the steps performed by the first client device, the second client device or the server device in the above permission configuration method in the Internet of Things.
The present application further provides a computer program product; the computer program product or computer program includes computer instructions stored in a computer-readable storage medium. A processor of the Internet of Things device reads the computer instructions from the computer-readable storage medium and executes them, so that the Internet of Things device performs all or some of the steps performed by the first client device, the second client device or the server device in the above permission configuration method in the Internet of Things.
The present application further provides a computer program, which is executed by a processor of an Internet of Things device to implement all or some of the steps performed by the first client device, the second client device or the server device in the above permission configuration method in the Internet of Things.
Those skilled in the art will appreciate that, in one or more of the above examples, the functions described in the embodiments of the present application may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored on a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
The above are only exemplary embodiments of the present application and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application shall fall within its scope of protection.

Claims (39)

  1. A permission configuration method in the Internet of Things, characterized in that the method is performed by a first client device, the first client device having management permission over a server device; the method comprises:
    sending a first verification request to a second client device, the first verification request containing a first random value;
    receiving first verification information sent by the second client device, the first verification information being generated based on the first random value;
    verifying the first verification information;
    when the first verification information passes verification, triggering, by means of configuration trigger information, the server device to open permission to the second client device.
  2. The method according to claim 1, characterized in that
    the first verification information comprises at least one of first signature information, a first root certificate of the second client device and a first operation credential; the first signature information is obtained by signing target data with a first private key of the second client device; the target data comprises the first random value; and the first operation credential is issued by the first root certificate.
  3. The method according to claim 2, characterized in that
    the target data further comprises at least one of the first root certificate and the first operation credential.
  4. The method according to claim 2, characterized in that, when the first verification information comprises the first signature information, the first root certificate and the first operation credential, verifying the first verification information comprises:
    performing a legality query on the first root certificate to obtain a legality authentication result of the first root certificate;
    when the legality authentication result indicates that the first root certificate is legal, verifying the first operation credential according to the first root certificate;
    when the first operation credential passes verification, verifying the first signature information according to the first operation credential.
  5. The method according to claim 4, characterized in that verifying the first operation credential according to the first root certificate comprises:
    verifying the first operation credential according to a second public key of the second client device carried in the first root certificate.
  6. The method according to claim 4, characterized in that verifying the first signature information according to the first operation credential comprises:
    verifying the first signature information according to a first public key of the second client device carried in the first operation credential.
  7. The method according to claim 4, characterized in that performing a legality query on the first root certificate to obtain a legality authentication result of the first root certificate comprises:
    querying a blockchain for the first root certificate to obtain the legality authentication result of the first root certificate;
    or, querying a server corresponding to a preset address for the first root certificate to obtain the legality authentication result of the first root certificate;
    or, querying the first root certificate in the first client to obtain the legality authentication result of the first root certificate.
  8. The method according to claim 4, characterized in that the first verification information further contains a query address;
    performing a legality query on the first root certificate to obtain a legality authentication result of the first root certificate comprises:
    querying a server corresponding to the query address for the first root certificate to obtain the legality authentication result of the first root certificate.
  9. The method according to claim 1, characterized in that
    the first verification information comprises a first root certificate of the second client device, a first operation credential, first authentication information, second signature information and third signature information; the first operation credential is issued by the first root certificate; the first authentication information is issued by a unified authentication platform after authenticating the second client device, the unified authentication platform being used to authenticate the first client device and the second client device; the second signature information is obtained by signing the first root certificate, the first operation credential and the unified authentication information with a first private key of the second client; and the third signature is obtained by signing the first root certificate, the first operation credential, the unified authentication information and the second signature information with a second private key of the second client.
  10. The method according to claim 9, characterized in that verifying the first verification information comprises:
    performing legality verification on the first authentication information;
    after the first authentication information passes legality verification, verifying the third signature information with a second public key corresponding to the second private key, the second public key being carried in the first authentication information;
    after the third signature information passes verification, verifying the second signature information with a first public key corresponding to the first private key, the first public key being carried in the first operation credential.
  11. The method according to claim 1, characterized in that triggering, by means of configuration trigger information, the server device to open permission to the second client device comprises:
    sending first configuration trigger information to the second client device, the first configuration trigger information containing the configuration token;
    sending second configuration trigger information to the server device, the second configuration trigger information containing the configuration token and the first operation credential.
  12. The method according to claim 1, characterized in that triggering, by means of configuration trigger information, the server device to open permission to the second client device comprises:
    sending third configuration trigger information to the server device, the third configuration trigger information containing the configuration token and a first public key of the second client device.
  13. The method according to claim 1, characterized in that the first client device and the second client device belong to different Internet of Things ecosystems.
  14. The method according to claim 1, characterized in that the method further comprises:
    scanning a two-dimensional code displayed by the second client device to obtain connection establishment information of the second client device;
    establishing a first secure connection with the second client device according to the connection establishment information.
  15. A permission configuration method in the Internet of Things, characterized in that the method is performed by a second client device; the method comprises:
    receiving a first verification request containing a first random value sent by a first client device, the first client device having management permission over a server device;
    sending first verification information to the first client device, so that the first client device, after the first verification information passes verification, triggers, by means of configuration trigger information, the server device to open permission to the second client device; the first verification information is generated based on the first random value.
  16. The method according to claim 15, characterized in that
    the first verification information comprises at least one of first signature information, a first root certificate of the second client device and a first operation credential; the first signature information is obtained by signing target data with a first private key of the second client device; the target data comprises the first random value; and the first operation credential is issued by the first root certificate.
  17. The method according to claim 16, characterized in that
    the target data further comprises at least one of the first root certificate and the first operation credential.
  18. The method according to claim 15, characterized in that
    the first verification information comprises a first root certificate of the second client device, a first operation credential, first authentication information, second signature information and third signature information; the first operation credential is issued by the first root certificate; the first authentication information is issued by a unified authentication platform after authenticating the second client device, the unified authentication platform being used to authenticate the first client device and the second client device; the second signature information is obtained by signing the first root certificate, the first operation credential and the unified authentication information with a first private key of the second client; and the third signature is obtained by signing the first root certificate, the first operation credential, the unified authentication information and the second signature information with a second private key of the second client.
  19. The method according to claim 15, characterized in that the method further comprises:
    receiving first configuration trigger information sent by the first client device, the first configuration trigger information containing a configuration token;
    establishing a second secure connection with the server device according to the configuration token;
    receiving a second verification request containing a second random value sent by the server device;
    sending second verification information to the server device, the second verification information containing the first operation credential and fourth signature information, the fourth signature information being obtained by signing the second random value with the first private key;
    receiving a device certificate request sent by the server device, the device certificate request being sent after the server device has verified the second verification information;
    performing permission configuration in the server device according to the device certificate request.
  20. The method according to claim 15, characterized in that the method further comprises:
    receiving an encrypted configuration token sent by the server device;
    decrypting the encrypted configuration token according to the first public key of the second client device to obtain the configuration token;
    establishing a third secure connection with the server device according to the configuration token;
    receiving a device certificate request sent by the server device;
    performing permission configuration in the server device according to the device certificate request.
  21. The method according to claim 19 or 20, characterized in that performing permission configuration in the server device according to the device certificate request comprises:
    sending the device certificate request and a network identifier of the network corresponding to the server device to an authentication center device;
    receiving a device certificate returned by the authentication center device;
    configuring the device certificate, the first root certificate and access control permission information into the server device;
    wherein the access control permission information is configured in an access control list (ACL) of the server device, and the access control permission information comprises an access control entry, accessible data corresponding to the access control entry, the entity entitled to access the accessible data, and the authorized access mode.
  22. The method according to claim 15, characterized in that the first client device and the second client device belong to different Internet of Things ecosystems.
  23. The method according to claim 15, characterized in that the method further comprises:
    displaying a two-dimensional code, the two-dimensional code carrying connection establishment information of the second client device;
    establishing a first secure connection with the first client device according to the connection establishment information.
  24. A permission configuration method in the Internet of Things, characterized in that the method is performed by a server device; the method comprises:
    receiving configuration trigger information sent by a first client device; the configuration trigger information is sent after the first client device sends a first verification request containing a first random value to a second client device, receives first verification information sent by the second client device, and verifies the first verification information successfully; the first verification information is generated based on the first random value;
    opening permission to the second client device according to the configuration trigger information.
  25. The method according to claim 24, characterized in that the configuration trigger information is second configuration trigger information containing a configuration token and the first operation credential;
    opening permission to the second client device according to the configuration trigger information comprises:
    establishing a second secure connection with the second client device according to the configuration token;
    sending a second verification request to the server device, the second verification request containing a second random value;
    receiving second verification information sent by the second client device, the second verification information containing the first operation credential and fourth signature information, the fourth signature information being obtained by signing the second random value with the first private key;
    verifying the second verification information according to the first operation credential contained in the second configuration trigger information;
    after the second verification information passes verification, sending a device certificate request to the second client device, so that the second client device performs permission configuration in the server device according to the device certificate request.
  26. The method according to claim 25, characterized in that verifying the second verification information according to the first operation credential contained in the second configuration trigger information comprises:
    comparing the first operation credential contained in the second configuration trigger information with the first operation credential contained in the second verification information;
    when the first operation credential contained in the second configuration trigger information is consistent with the first operation credential contained in the second verification information, verifying the second signature information according to the first operation credential.
  27. The method according to claim 26, characterized in that verifying the second signature information according to the first operation credential comprises:
    verifying the second signature information according to the first public key of the second client device carried in the first operation credential.
  28. The method according to claim 24, characterized in that the configuration trigger information is third configuration trigger information containing a configuration token and a first public key of the second client device;
    opening permission to the second client device according to the configuration trigger information comprises:
    encrypting the configuration token according to the first public key to obtain an encrypted configuration token;
    sending the encrypted configuration token to the second client device;
    establishing a third secure connection with the server device according to the configuration token;
    sending a device certificate request to the second client device, so that the second client device performs permission configuration in the server device according to the device certificate request.
  29. The method according to any one of claims 25 to 28, characterized in that the method further comprises:
    receiving a device certificate configured by the second client device, the first root certificate of the second client device and access control permission information;
    wherein the access control permission information is configured in an access control list (ACL) of the server device, and the access control permission information comprises an access control entry, accessible data corresponding to the access control entry, the entity entitled to access the accessible data, and the authorized access mode.
  30. A permission configuration apparatus in the Internet of Things, characterized in that the apparatus is used in a first client device, the first client device having management permission over a server device; the apparatus comprises:
    a first verification request sending module, configured to send a first verification request to a second client device, the first verification request containing a first random value;
    a first verification information receiving module, configured to receive first verification information sent by the second client device, the first verification information being generated based on the first random value;
    a first verification module, configured to verify the first verification information;
    a configuration trigger module, configured to, when the first verification information passes verification, trigger, by means of configuration trigger information, the server device to open permission to the second client device.
  31. A permission configuration apparatus in the Internet of Things, characterized in that the apparatus is used in a second client device; the apparatus comprises:
    a first verification request receiving module, configured to receive a first verification request containing a first random value sent by a first client device, the first client device having management permission over a server device;
    a first verification information sending module, configured to send first verification information to the first client device, so that the first client device, after the first verification information passes verification, triggers, by means of configuration trigger information, the server device to open permission to the second client device; the first verification information is generated based on the first random value.
  32. A permission configuration apparatus in the Internet of Things, characterized in that the apparatus is used in a server device; the apparatus comprises:
    a configuration trigger information receiving module, configured to receive configuration trigger information sent by a first client device; the configuration trigger information is sent after the first client device sends a first verification request containing a first random value to a second client device, receives first verification information sent by the second client device, and verifies the first verification information successfully; the first verification information is generated based on the first random value;
    a permission opening module, configured to open permission to the second client device according to the configuration trigger information.
  33. An Internet of Things device, characterized in that the Internet of Things device is implemented as a first client device, the first client device having management permission over a server device; the Internet of Things device comprises a processor, a memory and a transceiver;
    the transceiver is configured to send a first verification request to a second client device, the first verification request containing a first random value;
    the transceiver is configured to receive first verification information sent by the second client device, the first verification information being generated based on the first random value;
    the processor is configured to verify the first verification information;
    the transceiver is configured to, when the first verification information passes verification, trigger, by means of configuration trigger information, the server device to open permission to the second client device.
  34. An Internet of Things device, characterized in that the Internet of Things device is implemented as a second client device; the Internet of Things device comprises a processor, a memory and a transceiver;
    the transceiver is configured to receive a first verification request containing a first random value sent by a first client device, the first client device having management permission over a server device;
    the transceiver is configured to send first verification information to the first client device, so that the first client device, after the first verification information passes verification, triggers, by means of configuration trigger information, the server device to open permission to the second client device; the first verification information is generated based on the first random value.
  35. An Internet of Things device, characterized in that the Internet of Things device is implemented as a server device; the Internet of Things device comprises a processor, a memory and a transceiver;
    the transceiver is configured to receive configuration trigger information sent by a first client device; the configuration trigger information is sent after the first client device sends a first verification request containing a first random value to a second client device, receives first verification information sent by the second client device, and verifies the first verification information successfully; the first verification information is generated based on the first random value;
    the processor is configured to open permission to the second client device according to the configuration trigger information.
  36. A computer-readable storage medium, characterized in that a computer program is stored in the storage medium, the computer program being executed by a processor to implement the permission configuration method in the Internet of Things according to any one of claims 1 to 29.
  37. A chip, characterized in that the chip is configured to run in an Internet of Things device, so that the Internet of Things device performs the permission configuration method in the Internet of Things according to any one of claims 1 to 29.
  38. A computer program product, characterized in that the computer program product comprises computer instructions stored in a computer-readable storage medium; a processor of an Internet of Things device reads the computer instructions from the computer-readable storage medium and executes them, so that the Internet of Things device performs the permission configuration method in the Internet of Things according to any one of claims 1 to 29.
  39. A computer program, characterized in that the computer program is executed by a processor of an Internet of Things device to implement the permission configuration method in the Internet of Things according to any one of claims 1 to 29.
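The challenge-response and credential-chain checks of claims 1 to 8 (first client side) and claims 25 to 27 (server side), as an added Go example that is not part of the patent: it models the root certificate and operation credential as minimal Ed25519-signed structures rather than X.509, and the root legality query as a local allow list (the third option of claim 7). The type and function names, the credential encoding and the sample device are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Credential stands in for both the "first root certificate" and the "first
// operation credential": subject, subject public key, issuer signature. Constructed model.
type Credential struct {
	Subject string
	PubKey  ed25519.PublicKey
	Sig     []byte
}

// tbs is the to-be-signed part; Encode is the full byte form that is signed over
// in the target data (claim 3) and compared byte for byte by the server (claim 26).
func (c Credential) tbs() []byte { return append([]byte(c.Subject+"|"), c.PubKey...) }
func (c Credential) Encode() []byte { return append(c.tbs(), c.Sig...) }

func issue(subject string, pub ed25519.PublicKey, issuer ed25519.PrivateKey) Credential {
	c := Credential{Subject: subject, PubKey: pub}
	c.Sig = ed25519.Sign(issuer, c.tbs())
	return c
}

// SecondClient holds the second client's root key pair (public half carried in the
// root certificate, claim 5) and its first key pair (public half carried in the
// operation credential issued by that root, claim 6).
type SecondClient struct {
	FirstPriv ed25519.PrivateKey
	Root      Credential
	OpCred    Credential
}

func NewSecondClient(name string) SecondClient {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	firstPub, firstPriv, _ := ed25519.GenerateKey(rand.Reader)
	root := issue(name+"-root", rootPub, rootPriv) // self-signed root certificate
	return SecondClient{firstPriv, root, issue(name+"-op", firstPub, rootPriv)}
}

// FirstVerificationInfo is the first verification information of claims 2 and 3.
type FirstVerificationInfo struct {
	Root, OpCred Credential
	Sig          []byte // first signature information over targetData
}

// targetData is first random value || root certificate || operation credential, so
// the signature binds the presented credentials to this particular challenge.
func targetData(nonce []byte, root, op Credential) []byte {
	return bytes.Join([][]byte{nonce, root.Encode(), op.Encode()}, nil)
}

// Respond answers the first verification request (claim 15) with the first private key.
func (s SecondClient) Respond(nonce []byte) FirstVerificationInfo {
	sig := ed25519.Sign(s.FirstPriv, targetData(nonce, s.Root, s.OpCred))
	return FirstVerificationInfo{s.Root, s.OpCred, sig}
}

// VerifyFirst is the first client's check of claims 4 to 6, in the claimed order:
// root legality against a local allow list, operation credential against the root's
// public key, then the signature against the public key in the operation credential.
func VerifyFirst(trustedRoots map[string]bool, nonce []byte, in FirstVerificationInfo) error {
	if !trustedRoots[string(in.Root.Encode())] {
		return errors.New("first root certificate failed the legality query")
	}
	if !ed25519.Verify(in.Root.PubKey, in.OpCred.tbs(), in.OpCred.Sig) {
		return errors.New("first operation credential was not issued by the root certificate")
	}
	if !ed25519.Verify(in.OpCred.PubKey, targetData(nonce, in.Root, in.OpCred), in.Sig) {
		return errors.New("first signature information does not verify for this random value")
	}
	return nil
}

// VerifySecond is the server's check of claims 26 and 27: the operation credential
// from the second configuration trigger information must equal the one received in the
// second verification information, and the fourth signature over the second random
// value must verify under the first public key that credential carries.
func VerifySecond(triggerOpCred, receivedOpCred Credential, nonce2, sig4 []byte) error {
	if !bytes.Equal(triggerOpCred.Encode(), receivedOpCred.Encode()) {
		return errors.New("operation credential in trigger information and verification information differ")
	}
	if !ed25519.Verify(receivedOpCred.PubKey, nonce2, sig4) {
		return errors.New("fourth signature information does not verify")
	}
	return nil
}

func main() {
	sc := NewSecondClient("ecosystem-B-phone") // constructed sample second client
	trusted := map[string]bool{string(sc.Root.Encode()): true}
	nonce1, nonce2 := []byte("first-random-value"), []byte("second-random-value")
	fmt.Println("first client:", VerifyFirst(trusted, nonce1, sc.Respond(nonce1)))
	fmt.Println("server:", VerifySecond(sc.OpCred, sc.OpCred, nonce2, ed25519.Sign(sc.FirstPriv, nonce2)))
}
```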
PCT/CN2021/076574 2021-02-10 2021-02-10 Permission configuration method and apparatus in internet of things, device, and storage medium WO2022170583A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2021/076574 WO2022170583A1 (en) 2021-02-10 2021-02-10 Permission configuration method and apparatus in internet of things, device, and storage medium
CN202180070751.9A CN116325661A (en) 2021-02-10 2021-02-10 Authority configuration method, device, equipment and storage medium in Internet of things

Publications (1)

Publication Number Publication Date
WO2022170583A1 (en) 2022-08-18

Family

ID=82838109

Country Status (2)

Country Link
CN (1) CN116325661A (en)
WO (1) WO2022170583A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103916637A (en) * 2014-04-15 2014-07-09 浙江宇视科技有限公司 Method and device for safely sharing monitoring front end device
CN106471784A (en) * 2014-08-06 2017-03-01 谷歌公司 Equipment access control
KR101870786B1 (en) * 2016-12-29 2018-06-26 금오공과대학교 산학협력단 Method of providing internet of things services via social framework and server performing the same
CN108616531A (en) * 2018-04-26 2018-10-02 深圳市盛路物联通讯技术有限公司 A kind of radiofrequency signal safety communicating method and system

Also Published As

Publication number Publication date
CN116325661A (en) 2023-06-23

Similar Documents

Publication Publication Date Title
CN110770695B (en) Internet of things (IOT) device management
JP6508688B2 (en) End-to-end service layer authentication
JP6595631B2 (en) Content security in the service layer
RU2414086C2 (en) Application authentication
US10257161B2 (en) Using neighbor discovery to create trust information for other applications
US8724515B2 (en) Configuring a secure network
TWI558253B (en) A computer-implemented method for enabling authentication of a user and a method for enabling the use of a user identity for obtaining access to a service at a target domain
WO2019153701A1 (en) Method and apparatus for obtaining device identification
JP2019088026A (en) End-to-end authentication at service layer using public keying mechanisms
US11736304B2 (en) Secure authentication of remote equipment
JP2016540462A (en) Key configuration method, system, and apparatus
JP2006203936A (en) Method for initializing secure communication and pairing device exclusively, computer program, and device
US9154483B1 (en) Secure device configuration
Xu et al. BE-RAN: Blockchain-enabled open RAN with decentralized identity management and privacy-preserving communication
WO2019051776A1 (en) Key transmission method and device
WO2022100356A1 (en) Identity authentication system, method and apparatus, device, and computer readable storage medium
WO2023083170A1 (en) Key generation method and apparatus, terminal device, and server
WO2022001225A1 (en) Identity credential application method, identity authentication method, device, and apparatus
EP3340530B1 (en) Transport layer security (tls) based method to generate and use a unique persistent node identity, and corresponding client and server
US20230107045A1 (en) Method and system for self-onboarding of iot devices
WO2022170583A1 (en) Permission configuration method and apparatus in internet of things, device, and storage medium
WO2022048125A1 (en) Information processing method and apparatus, device and storage medium
CN117014844A (en) Communication method, electronic device, and storage medium

Legal Events

Date Code Title Description
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21925245; Country of ref document: EP; Kind code of ref document: A1)