WO2023273277A1 - Robot authentication system and method - Google Patents


Info

Publication number: WO2023273277A1
Authority: WO, WIPO (PCT)
Prior art keywords: robot, authentication, target, vpn, pop
Application number: PCT/CN2021/143775
Other languages: French (fr), Chinese (zh)
Inventors: 李冬, 张跃洋, 谢辉
Original assignee: 达闼机器人股份有限公司
Application filed by 达闼机器人股份有限公司
Publication of WO2023273277A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Definitions

  • the present disclosure relates to the technical field of robots, and in particular, to a robot authentication system and method.
  • robots have been more and more widely used in various industries.
  • the capabilities of robots keep growing, which in turn increases the damage a robot can cause once it has been illegally compromised.
  • a robot account and password can be preset in the robot, so that the robot can go to the robot authentication center for authentication through the robot account and password.
  • this method still faces security risks, and also increases the burden on the robot certification center.
  • the purpose of the present disclosure is to provide a robot authentication system and method to solve the above related technical problems.
  • a robot authentication system including a plurality of virtual private network service access points, VPN POPs (Virtual Private Network Point Of Presence), each VPN POP having the robot authentication authority granted by the robot authentication center and being able to obtain the blockchain ledger in the blockchain network, where the blockchain ledger includes the registration information of the registered robots, and the registration information includes the blockchain address of a robot and the identification code corresponding to that blockchain address;
  • any one of the VPN POPs is used to receive the authentication request of the target robot, the authentication request including first verification information and verification parameters; to obtain the target identification code of the target robot from the blockchain ledger according to the target blockchain address in the verification parameters; and to calculate second verification information according to the verification parameters and the target identification code;
  • the target blockchain address is the blockchain address of the target robot
  • the first verification information is calculated by the target robot based on the verification parameters and the target identification code; when the first verification information is the same as the second verification information, the target robot passes the authentication of the VPN POP.
  • the verification parameters include: the target robot's blockchain address, a timestamp, and a random number generated by the target robot;
  • the target robot is configured to use the target identification code as a key and the verification parameter as calculated data to obtain the first verification information through HMAC-SHA256 algorithm calculation.
  • VPN POP is also used for:
  • when the target robot is authenticated, sending an access token to the target robot and to the robot authentication center, so that the robot authentication center sends the access token to the interaction terminal corresponding to the target robot;
  • the access token is used for the interaction terminal to verify the interaction request of the target robot.
  • the blockchain ledger also includes the registration information of the registered VPN POPs, the registration information including the blockchain address of the VPN POP and the public key of the VPN POP, and the robot authentication system also includes:
  • the robot certification center, which can obtain the blockchain ledger in the blockchain network and is used to, when receiving the authentication request of a target VPN POP, determine based on the registration information in the blockchain ledger whether the target VPN POP has been registered and, if it has, carry out two-way authentication with the target VPN POP; when the two-way authentication succeeds, the target VPN POP has the robot authentication authority;
  • the target VPN POP is also used for, when receiving the authentication request of the target robot, if it is determined that the target VPN POP has not succeeded in two-way authentication with the robot authentication center, then sending authentication exception information to the target robot;
  • the target robot is further configured to, after receiving the authentication exception information, send an authentication request to any VPN POP among the multiple VPN POPs.
  • the first authentication management terminal is a blockchain node with robot registration authority, and is used to, when receiving a robot registration request, write the registration information in the registration request into the blockchain ledger and send the startup node information of the blockchain network to the robot, wherein the registration information includes the blockchain address and identification code of the robot;
  • the robot is used for storing the starting node information, and accessing the block chain network based on the starting node information.
  • the second authentication management terminal is a blockchain node with robot registration authority, and is used to, when receiving a registration request from the robot, generate a private key, a public key, a blockchain address, identification information and an identification code corresponding to the robot; write the public key, blockchain address and identification code into the blockchain ledger as the registration information of the robot; and send the startup node information of the blockchain network, the identification information and the private key to the robot;
  • the robot is used to store the private key, the identification information and the startup node information, access the blockchain network based on the startup node information, and obtain its blockchain address and identification code from the blockchain ledger based on the identification information.
  • the third authentication management terminal is a blockchain node with robot cancellation authority, and is used to, when receiving a robot cancellation request, determine the robot to be cancelled according to the robot identifier in the cancellation request, and update the registration information of that robot in the blockchain ledger to the cancelled status.
  • the fourth authentication management terminal is a blockchain node with registration authority for the robot certification center, and is used to, when receiving a registration request from the robot certification center, write the registration information in the registration request into the blockchain ledger, the registration information including the blockchain address and public key of the robot certification center; and/or,
  • the fifth authentication management terminal is a blockchain node with VPN POP registration authority, and is used to, when receiving a registration request from a VPN POP, write the registration information in the registration request into the blockchain ledger, the registration information including the blockchain address and public key of the VPN POP.
  • a robot authentication method for a VPN POP
  • the VPN POP has the robot authentication authority granted by the robot authentication center, and can obtain the blockchain ledger in the blockchain network
  • the blockchain account book includes the registration information of the registered robot, the registration information includes the blockchain address of the robot and the identification code corresponding to the blockchain address, and the method includes:
  • receiving the authentication request of the target robot, the authentication request including first verification information and verification parameters;
  • obtaining the target identification code of the target robot from the blockchain ledger according to the target blockchain address in the verification parameters, the target blockchain address being the blockchain address of the target robot;
  • calculating second verification information according to the verification parameters and the target identification code, and determining that the target robot passes the authentication of the VPN POP when the first verification information is the same as the second verification information, wherein the first verification information is calculated by the target robot based on the verification parameters and the target identification code.
  • the verification parameters include the target robot's blockchain address, a time stamp, and a random number generated by the target robot, and the second verification information is calculated according to the verification parameters and the target identification code.
  • the target identification code is used as a key, and the verification parameter is used as calculated data to obtain the second verification information through HMAC-SHA256 algorithm calculation.
  • the VPN POP obtains the robot authentication authority in the following manner:
  • the blockchain network includes a robot certification center, which can obtain the blockchain ledger in the blockchain network, and the blockchain ledger includes the registration information of the registered VPN POPs; the VPN POP sends a network authentication request to the robot certification center, the network authentication request includes the registration verification information of the VPN POP, and the registration verification information is used by the robot certification center to determine whether the VPN POP is registered and, when it is registered, to initiate a two-way authentication process with the VPN POP;
  • when the two-way authentication succeeds, the VPN POP obtains the robot authentication authority.
  • a robot authentication method for a target robot comprising:
  • sending an authentication request to any one of a plurality of VPN POPs, the authentication request including first verification information and verification parameters, the verification parameters including the blockchain address of the target robot;
  • any of the VPN POPs has the robot certification authority granted by the robot certification center and can obtain the blockchain ledger in the blockchain network; the blockchain ledger includes the registration information of the registered robots, and the registration information includes the blockchain address of a robot and the identification code corresponding to the blockchain address; the VPN POP obtains the target identification code of the target robot from the blockchain ledger based on the target blockchain address in the verification parameters, and calculates second verification information according to the verification parameters and the target identification code;
  • when the first verification information is the same as the second verification information, the target robot passes the authentication of the VPN POP.
  • a computer program including computer readable code which, when run on a computing processing device, causes the computing processing device to perform any one of the methods described in the second aspect above.
  • a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, the steps of any one of the methods described in the above-mentioned second aspect are implemented.
  • a computing processing device including a memory storing a computer program, and a processor configured to execute the computer program in the memory so as to implement the steps of any one of the methods in the second aspect above.
  • a computer program including computer readable code which, when run on a computing processing device, causes the computing processing device to perform the method described in the third aspect above.
  • a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, the steps of the method described in the above-mentioned third aspect are implemented.
  • a computing processing device including a memory storing a computer program, and a processor configured to execute the computer program in the memory so as to implement the steps of the method in the third aspect above.
  • the above technical solution sets multiple VPN POPs in the blockchain network, and each of the VPN POPs has the robot authentication authority granted by the robot authentication center. In this way, any of the VPN POPs can perform network authentication on registered robots, thereby avoiding performance bottlenecks and security risks faced by a single robot authentication center when performing robot authentication.
  • the robot certification center no longer needs to maintain the registration information of the robot. Adopting such a method can reduce the complexity of the robot certification center, and also help to improve the reliability of the robot certification center.
  • Fig. 1 is a schematic diagram of a scenario of robot authentication shown in an exemplary embodiment of the present disclosure.
  • Fig. 2 is a schematic diagram of a robot authentication system shown in an exemplary embodiment of the present disclosure.
  • Fig. 3 is a schematic diagram of a robot authentication system shown in an exemplary embodiment of the present disclosure.
  • Fig. 4 is a flow chart of a robot authentication method shown in an exemplary embodiment of the present disclosure.
  • Fig. 5 is a flowchart of a robot authentication method shown in an exemplary embodiment of the present disclosure.
  • Fig. 6 is a schematic structural diagram of a computing processing device shown in an exemplary embodiment of the present disclosure.
  • Fig. 7 is a schematic diagram of a program code storage unit for implementing the method of the present disclosure shown in an exemplary embodiment of the present disclosure.
  • Fig. 8 is a schematic structural diagram of a computing processing device shown in an exemplary embodiment of the present disclosure.
  • Fig. 9 is a schematic diagram of a program code storage unit for implementing the method of the present disclosure shown in an exemplary embodiment of the present disclosure.
  • a robot account and password can be preset in the robot, so that the robot can go to the robot authentication center for authentication through the robot account and password.
  • a symmetric key in the robot (the symmetric key is different in each robot), and save the preset symmetric key of the robots within its management scope in the robot certification center.
  • robots can then be authenticated in a manner similar to authentication for mobile network access.
  • the robot certification center is a centralized component that manages, stores and maintains the account and password information of all robots. Once the robot certification center is out of control, the robot may be counterfeited. At the same time, when the robot certification center stops its service due to related reasons (natural disasters, power outages, etc.), it may also happen that the robot cannot be certified, which will affect business availability. In addition, since all robot certifications are performed in the robot certification center, the complexity of the robot certification center is relatively high. Moreover, in the case of a large number of robots, the robot certification center may also have a performance bottleneck.
  • the present disclosure provides a robot authentication system
  • the system includes a plurality of virtual private network service access points VPN POP
  • each VPN POP has the robot authentication authority granted by the robot authentication center.
  • the robot certification center can be set as a node in the blockchain network, for example.
  • the number of VPN POPs can be 3, for example, and each VPN POP can serve as a node in the blockchain network and interact with the other blockchain nodes in the network (shown as blockchain node 1 in the figure).
  • the VPN POP can obtain the blockchain ledger in the blockchain network, and the blockchain ledger includes the registration information of the registered robot.
  • the registration information may include, for example, a blockchain address of the robot and an identification code corresponding to the blockchain address.
  • the identification code can be a PIN (Personal Identification Number) code assigned to each robot, with the identification codes of different robots kept distinct.
  • the robot can generate a public key, a private key, and an identification code, and generate a blockchain address based on the public key. In this way, the robot can be registered based on the blockchain address and identification code. After successful registration, the robot's blockchain address and identification code are written into the blockchain ledger.
  • the robot's registration information may also include other robot-related information, such as robot type, public key, robot ID, etc., which is not limited in the present disclosure.
  • any one of the VPN POPs is used to receive the authentication request of the target robot, the authentication request including the first verification information and the verification parameters; to obtain the target identification code of the target robot from the blockchain ledger according to the target blockchain address in the verification parameters; and to calculate the second verification information according to the verification parameters and the target identification code;
  • the target blockchain address is the blockchain address of the target robot
  • the first verification information is calculated by the target robot based on the verification parameters and the target identification code.
  • the verification parameters may include: a target blockchain address, a timestamp, and a random number generated by the target robot;
  • the target robot is used to use the target identification code as a key and the verification parameter as calculated data to obtain the first verification information through HMAC-SHA256 algorithm calculation.
  • the target robot can obtain its own target blockchain address robot-did, its identification code pin-code and a local timestamp timestamp (for example, the time relative to January 1, 1970 00:00:00 GMT+00:00, 8 bytes long, in milliseconds), and generate a random number random (for example, 32 bytes).
  • the target robot can then calculate the HMAC result mac1 (32 bytes) with the HMAC-SHA256 algorithm, using pin-code as the HMAC key and the splice of random with the remaining verification parameters as the data to be hashed, where splicing means concatenation.
  • the target robot can send an authentication request to the VPN POP, and the authentication request includes the first verification information mac1, the target blockchain address robot-did, random number random and timestamp.
  • the robot can also splice mac1, random, timestamp and robot-did to obtain an OTP (One Time Password).
  • the authentication request includes the OTP.
  • after receiving the authentication request from the target robot, the VPN POP can parse it to obtain the target blockchain address robot-did, the random number random and the timestamp, and obtain the target identification code of the target robot from the blockchain ledger based on the target blockchain address. In this way, the VPN POP can likewise apply the HMAC-SHA256 algorithm, using the obtained pin-code as the HMAC key and the same splice of random with the remaining verification parameters as the data, to calculate the second verification information.
  • the VPN POP can authenticate the target robot. For example, if the first verification information is the same as the second verification information, the target robot is authenticated by the VPN POP. If the first verification information is different from the second verification information, the authentication fails.
  • the above embodiments illustrate the robot authentication process of the present disclosure by taking verification parameters as an example of a target blockchain address, a timestamp, and a random number generated by the target robot.
  • the above parameters may also be adjusted accordingly (for example, adding relevant robot information).
  • the one-way hash function used in HMAC may not be limited to the above example, and a related high-strength one-way hash function (such as SHA-1) may also be used in HMAC, which is not limited in the present disclosure.
  • the above technical solution sets multiple VPN POPs in the blockchain network, and each of the VPN POPs has the robot authentication authority granted by the robot authentication center. In this way, any of the VPN POPs can perform network authentication on registered robots, thereby avoiding the performance bottleneck problem faced by a single robot authentication center when performing robot authentication and the security risks caused by centralization.
  • the robot certification center no longer needs to maintain the registration information of the robot. Adopting such a method can reduce the complexity of the robot certification center, and also help to improve the reliability of the robot certification center.
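The exchange above (the robot computes mac1 over robot-did, timestamp and random with pin-code as the HMAC-SHA256 key; the VPN POP looks pin-code up by robot-did in the ledger and recomputes it), written out as an added Go example that is not code from the patent or its assignee. The in-memory map standing in for the blockchain ledger, the splice order random || timestamp || robot-did, the timestamp acceptance window and the replay cache are assumptions added here; the page does not specify them.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Ledger stands in for the blockchain ledger: blockchain address -> identification code (pin-code).
type Ledger map[string][]byte

// AuthRequest holds the fields the page lists in the robot's authentication request.
type AuthRequest struct {
	Mac1      []byte // first verification information (32 bytes)
	RobotDID  string // target blockchain address
	Random    []byte // 32-byte random number generated by the robot
	Timestamp uint64 // milliseconds since 1970-01-01T00:00:00Z, 8 bytes on the wire
}

// macData splices the verification parameters fed to HMAC; the page only says
// they are spliced, so the order random || timestamp || robot-did is an assumption.
func macData(r *AuthRequest) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], r.Timestamp)
	data := append([]byte{}, r.Random...)
	data = append(data, ts[:]...)
	return append(data, r.RobotDID...)
}

// computeMac is HMAC-SHA256 keyed with the identification code.
func computeMac(pin []byte, r *AuthRequest) []byte {
	m := hmac.New(sha256.New, pin)
	m.Write(macData(r))
	return m.Sum(nil)
}

// RobotBuildRequest is the robot side: fresh random, local timestamp, then mac1.
func RobotBuildRequest(robotDID string, pin []byte, nowMs uint64) (*AuthRequest, error) {
	rnd := make([]byte, 32)
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	req := &AuthRequest{RobotDID: robotDID, Random: rnd, Timestamp: nowMs}
	req.Mac1 = computeMac(pin, req)
	return req, nil
}

// OTP is the one-time password the page describes: mac1, random, timestamp and
// robot-did spliced together, hex-encoded here so it can travel as a string.
func (r *AuthRequest) OTP() string {
	return hex.EncodeToString(append(append([]byte{}, r.Mac1...), macData(r)...))
}

// POP is one VPN POP with read access to the ledger; seen is an added replay
// cache keyed by robot-did and random, which the page does not describe.
type POP struct {
	ledger Ledger
	seen   map[string]bool
}

func NewPOP(l Ledger) *POP { return &POP{ledger: l, seen: map[string]bool{}} }

// Verify is the VPN POP side: look up pin-code by robot-did, recompute the
// second verification information and compare it with mac1 in constant time.
func (p *POP) Verify(req *AuthRequest, nowMs, maxSkewMs uint64) error {
	pin, ok := p.ledger[req.RobotDID]
	if !ok {
		return errors.New("robot-did not registered (or cancelled)")
	}
	// Freshness window on the timestamp: an added check, not stated by the page.
	if req.Timestamp+maxSkewMs < nowMs || nowMs+maxSkewMs < req.Timestamp {
		return errors.New("timestamp outside acceptance window")
	}
	key := req.RobotDID + "/" + hex.EncodeToString(req.Random)
	if p.seen[key] {
		return errors.New("random number already used (replay)")
	}
	mac2 := computeMac(pin, req)
	if !hmac.Equal(req.Mac1, mac2) {
		return errors.New("first and second verification information differ")
	}
	p.seen[key] = true
	return nil
}

func main() {
	// Constructed sample ledger and one robot round trip; the second call is a replay.
	ledger := Ledger{"did:robot:0001": []byte("pin-0001")}
	req, err := RobotBuildRequest("did:robot:0001", []byte("pin-0001"), 1700000000000)
	if err != nil {
		panic(err)
	}
	pop := NewPOP(ledger)
	fmt.Println("first attempt:", pop.Verify(req, 1700000000250, 60000))
	fmt.Println("replayed:", pop.Verify(req, 1700000000500, 60000))
}
```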
  • VPN POP is also used for:
  • when the target robot is authenticated, sending an access token (access-token) to the target robot and to the robot certification center, so that the robot certification center can send the access token to the corresponding interaction terminal.
  • the robot authentication center may be a system component of the service side, and by sending an access token to the robot authentication center, the robot authentication center may further send an access token to the interaction terminal corresponding to the target robot.
  • the interaction end may be, for example, a robot management system, a business system, etc. involved in the target robot.
  • the access token is used by the interaction terminal to verify the interaction request of the target robot.
  • the access token may also correspond to the robot's identity (such as an ID number).
  • the VPN POP may also send the identity of the target robot and the corresponding access token to the robot authentication center when the target robot is authenticated.
  • the robot authentication center may send the identity of the target robot and the corresponding access token to the interaction terminal corresponding to the target robot.
  • the access token may also include a corresponding validity period, such as 1 hour, 1 day, and so on.
  • the target robot can interact with the robot interaction terminal through the access token. After the validity of the access token expires, the target robot needs to re-authenticate with the VPN POP according to the above process.
  • Fig. 2 is a schematic diagram of a robot authentication system shown in the present disclosure.
  • the blockchain account book also includes the registration information of the registered VPN POP, and the registration information includes the VPN POP blockchain address and the public key of the VPN POP, the robot authentication system also includes:
  • the robot certification center can obtain the block chain account book in the block chain network, and the robot certification center is used to, when receiving the authentication request of the target VPN POP, based on the block chain account book registration information, determine whether the target VPN POP has been registered, and in the case of the target VPN POP registered, carry out two-way authentication with the target VPN POP; wherein, in the case of two-way authentication success, the target VPN POP has robot authentication authority.
  • the target VPN POP may send a network authentication request to the robot authentication center, and the network authentication request may include, for example, the second block chain address and the second random number A of the target VPN POP.
  • the robot certification center can query the second blockchain address in the blockchain ledger.
  • if the robot authentication center does not find the second blockchain address, it can be determined that the target VPN POP is not registered, and the authentication process can be terminated.
  • if the robot authentication center finds the second blockchain address, it can be determined that the target VPN POP has been registered, and a two-way authentication process can then be initiated.
  • the robot certification center can send the first random number B and the first blockchain address of the robot certification center to the target VPN POP.
  • the target VPN POP can receive the first random number B and the first blockchain address, and sign the first random number B based on the private key of the target VPN POP, obtain the signature result SIGN(A), and send SIGN(A) to the Robot Certification Center.
  • the robot certification center can obtain the public key PK(A) of the target VPN POP by querying the blockchain ledger based on the second blockchain address, and verify SIGN(A) by decrypting it with the public key PK(A).
  • if the decryption fails and/or the decryption result is not the first random number B, the authentication fails and the authentication process is terminated.
  • if the verification succeeds, the robot certification center can sign the second random number A based on its own private key to obtain SIGN(B), and send SIGN(B) to the target VPN POP, so that the target VPN POP can verify the identity of the robot certification center.
  • the target VPN POP can obtain the public key PK(B) of the robot certification center by querying the blockchain ledger based on the first blockchain address, and use the public key PK(B) to decrypt and verify SIGN(B).
  • if the decryption succeeds and the decryption result is the second random number A, the authentication succeeds; if the decryption fails and/or the decryption result is not the second random number A, the authentication fails.
  • the target VPN POP is also used to, when receiving the authentication request from the target robot, send authentication exception information to the target robot if it determines that it has not successfully completed two-way authentication with the robot authentication center;
  • the target robot is also used to send an authentication request to any VPN POP in the plurality of VPN POPs after receiving the authentication exception information.
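The two-way authentication between a target VPN POP and the robot certification center described above (nonces A and B, signatures SIGN(A) and SIGN(B), public keys PK(A) and PK(B) looked up in the ledger by blockchain address, registration checked before any signing), as an added Go example that is not the patent's own code. Ed25519 is assumed as the signature scheme, the map is a stand-in for the ledger, and binding the signed nonce to both addresses and a context label is an added hardening beyond the page's sign-the-random-number description.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// NodeLedger stands in for the ledger's VPN POP and certification center
// registrations: blockchain address -> public key.
type NodeLedger map[string]ed25519.PublicKey

// Party is either a VPN POP or the robot certification center.
type Party struct {
	Address string
	priv    ed25519.PrivateKey
}

func NewParty(address string) (*Party, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Address: address, priv: priv}, nil
}

func (p *Party) Public() ed25519.PublicKey { return p.priv.Public().(ed25519.PublicKey) }

func newNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// transcript is the message actually signed. Binding the nonce to both
// addresses and a context label is an added hardening: signing the bare random
// number, as the page describes, would let a peer obtain signatures over arbitrary bytes.
func transcript(signer, peer string, nonce []byte) []byte {
	return bytes.Join([][]byte{[]byte("robot-auth-v1"), []byte(signer), []byte(peer), nonce}, []byte{0})
}

// Sign produces SIGN(x): this party's signature over the nonce the peer issued.
func (p *Party) Sign(peer string, nonce []byte) []byte {
	return ed25519.Sign(p.priv, transcript(p.Address, peer, nonce))
}

// verifyPeer looks up the signer's public key in the ledger by blockchain
// address and checks its signature over the nonce the verifier issued.
func verifyPeer(l NodeLedger, signer, verifier string, nonce, sig []byte) error {
	pk, ok := l[signer]
	if !ok {
		return fmt.Errorf("%s is not registered in the ledger", signer)
	}
	if !ed25519.Verify(pk, transcript(signer, verifier, nonce), sig) {
		return fmt.Errorf("signature from %s does not verify", signer)
	}
	return nil
}

// MutualAuth runs the exchange in the order the page describes and returns nil
// only when both sides have verified each other; success is what grants the
// VPN POP the robot authentication authority.
func MutualAuth(l NodeLedger, pop, center *Party) error {
	// 1. POP -> center: network authentication request (second address, nonce A).
	a, err := newNonce()
	if err != nil {
		return err
	}
	// 2. Center checks the POP's registration before doing any further work.
	if _, ok := l[pop.Address]; !ok {
		return errors.New("target VPN POP not registered: terminating")
	}
	// 3. Center -> POP: first address and nonce B.
	b, err := newNonce()
	if err != nil {
		return err
	}
	// 4. POP -> center: SIGN(A), the POP's signature over B.
	signA := pop.Sign(center.Address, b)
	// 5. Center verifies SIGN(A) with PK(A) from the ledger; failure terminates.
	if err := verifyPeer(l, pop.Address, center.Address, b, signA); err != nil {
		return err
	}
	// 6. Center -> POP: SIGN(B), the center's signature over A.
	signB := center.Sign(pop.Address, a)
	// 7. POP verifies SIGN(B) with PK(B) from the ledger.
	return verifyPeer(l, center.Address, pop.Address, a, signB)
}

func main() {
	// Constructed parties and ledger; the impostor claims a registered address with a different key.
	pop, _ := NewParty("did:pop:0001")
	center, _ := NewParty("did:center:0001")
	ledger := NodeLedger{pop.Address: pop.Public(), center.Address: center.Public()}
	fmt.Println("registered POP:", MutualAuth(ledger, pop, center))
	impostor, _ := NewParty("did:pop:0001")
	fmt.Println("impostor POP:", MutualAuth(ledger, impostor, center))
}
```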
  • robot information, robot certification center information, and VPN POP information recorded in the blockchain ledger are important data for access authentication. Therefore, in some implementation scenarios, related permission control policies may also be set for the process of adding and modifying the robot and the robot certification center.
  • authority control may be performed based on a permission chain.
  • through the permission chain, it is possible to restrict whether different blockchain accounts have the permission to write and modify certain data.
  • for example, data write and data modification permissions can be configured for the blockchain accounts of the OSS (Business Support System) and/or BSS (Operation Support System), and data read permissions can be set for the blockchain accounts of the robots, the VPN POPs and the robot certification center.
  • the robot and the relevant data of the robot certification center can also be managed based on the formulated smart contract.
  • corresponding smart contracts can be written to store information through smart contracts.
  • the smart contract can provide interfaces such as registration, modification, cancellation and query. The authority to call the registration, modification, cancellation, query and other interfaces is assigned to the blockchain account corresponding to the OSS/BSS, while the blockchain accounts corresponding to the robots, the VPN POPs and the robot certification center are given the authority to call the query interface.
  • the system may further include a first authentication management terminal.
  • the first authentication management terminal is a blockchain node with robot registration authority, which can correspond to the relevant account of OSS/BSS.
  • the first authentication management terminal is used to, when receiving a robot registration request, write the registration information in the registration request into the blockchain ledger and send the startup node information of the blockchain network to the robot, wherein the registration information includes the robot's blockchain address and identification code;
  • the robot is used for saving the starting node information, and accessing the block chain network based on the starting node information.
  • the robot can generate a public key, a private key, and an identification code, and generate a blockchain address through the public key. In this way, the robot can send a registration request including the blockchain address and the identification code to the first authentication management terminal.
  • after receiving the registration request, the first authentication management terminal can write the robot's blockchain address and identification code into the blockchain ledger by sending a transaction to the blockchain network, thereby completing the registration.
  • the robot's registration information may also include the robot's type, serial number, public key, and so on.
  • the first authentication management terminal may also verify the relevant information of the robot, which is not limited in the present disclosure.
  • the first authentication management terminal can also send the startup node information of the blockchain network to the robot.
  • the robot can be used to save the starting node information and to access the blockchain network based on the starting node information.
  • the robot can connect to the blockchain network through the blockchain connection protocol, light node protocol or RPC according to the recorded starting node information.
  • the robot can send an authentication request to any VPN POP in the blockchain network, and then perform authentication.
  • the registration process of the robot can be managed by setting the first authentication management terminal, and at the same time, the writing authority of the robot information can be controlled.
  • the system further includes a second authentication management terminal, the second authentication management terminal is a blockchain node with robot registration authority, which may correspond to the relevant account of OSS/BSS.
  • the second authentication management terminal is used to, when receiving the registration request of the robot, generate the private key, public key, blockchain address, identification information and identification code corresponding to the robot;
  • the public key, the blockchain address and the identification code are written into the blockchain ledger as the registration information of the robot; and the startup node information of the blockchain network, the identification information and the private key are sent to the robot;
  • the robot is used to store the private key, the identification information and the startup node information, to access the blockchain network based on the startup node information, and to obtain its blockchain address and identification code from the blockchain ledger based on the identification information.
  • the robot's public key, blockchain address, identification information, and identification code are generated by relevant nodes of OSS/BSS and saved on the chain. Every time the robot authenticates, it obtains its own blockchain address and identification code from the chain, and then performs authentication.
  • the authentication process of the robot does not require an account password, and the relevant information (blockchain address, identification code, etc.) involved in the authentication process is not maintained locally by the robot. Therefore, the above technical solution avoids the risk of the robot's account leaking, and also reduces the risk of the robot being counterfeited.
  • the system may further include a third authentication management terminal.
  • the third authentication management terminal is a block chain node with robot logout authority, which can correspond to the relevant account of OSS/BSS.
  • the third authentication management terminal is used to, when receiving a robot logout request, determine the robot to be logged out according to the robot identifier in the logout request, and update the registration information of that robot in the blockchain ledger to an invalid state.
  • the robot logout request may be sent by the relevant robot management terminal or sent by the robot.
  • the robot logout request may also be automatically generated by the third authentication management terminal based on preset rules. For example, when a robot is registered, a corresponding valid time interval can be set for each robot, and a robot logout request is automatically generated after the valid time interval is exceeded.
  • the robot identifier in the robot logout request may be, for example, an identifier that can distinguish robots such as a robot number, which is not limited in the present disclosure.
  • when the third authentication management terminal receives the robot logout request, it can determine the robot to be logged out according to the robot identifier in the logout request.
  • the third authentication management terminal may also update the registration information of the robot to be canceled in the blockchain ledger to an invalid state by sending a transaction to the blockchain network. Since the registration information is updated to an invalid state, the robot to be deregistered can no longer pass the authentication of the VPN POP.
  • the registered robot can be managed based on the third authentication management terminal, and at the same time, the logout authority of the robot information can be controlled.
  • the system further includes a fourth authentication management terminal, which is a blockchain node with registration authority for the robot certification center and can correspond to the relevant account of OSS/BSS.
  • the fourth authentication management terminal is used to write the registration information in the registration request into the blockchain ledger when receiving the registration request from the robot certification center, the registration information including the blockchain address and public key of the robot certification center.
  • the robot certification center can generate a public key and a private key, and generate a blockchain address through the public key. In this way, the robot certification center can send a registration request including the blockchain address and public key to the fourth certification management terminal.
  • after the fourth authentication management terminal receives the registration request, it can write the blockchain address and public key of the robot certification center into the blockchain ledger by sending a transaction to the blockchain network, completing the registration.
  • the registration process of the robot certification center can be managed by setting the fourth certification management terminal, and at the same time, the writing authority of the robot certification center information can be controlled.
  • the system may include a fifth authentication management terminal, which is a blockchain node with VPN POP registration authority and is used to, when receiving a registration request from a VPN POP, write the registration information in the registration request into the blockchain ledger, the registration information including the blockchain address and public key of the VPN POP.
  • the first authentication management terminal, the second authentication management terminal, etc. may be independent system components or the same system component in a specific implementation.
  • the first authentication management terminal, the second authentication management terminal, etc. may also correspond to relevant blockchain management accounts, and these blockchain management accounts may not correspond to OSS/BSS, which is not limited in this disclosure.
  • the present disclosure also provides a robot authentication method for a VPN POP, where the VPN POP has the robot authentication authority granted by the robot authentication center and can obtain the blockchain ledger in the blockchain network, the blockchain ledger including the registration information of registered robots.
  • the registration information may include, for example, a blockchain address of the robot and an identification code corresponding to the blockchain address.
  • the identification code may be a PIN code corresponding to each robot, and the identification codes of the robots shall be kept different.
  • the robot can generate a public key, a private key, and an identification code, and generate a blockchain address based on the public key. In this way, the robot can be registered based on the blockchain address and identification code. After successful registration, the robot's blockchain address and identification code are written into the blockchain ledger.
  • the registration information of the robot may also include related information of the robot, such as robot type, public key, robot ID, etc., which is not limited in the present disclosure.
  • Fig. 4 is a flow chart of a robot authentication method shown in the present disclosure, the method comprising:
  • S41 Receive an authentication request from the target robot, where the authentication request includes first verification information and verification parameters;
  • the first verification information is calculated by the target robot based on the verification parameters and the target identification code.
  • the verification parameters may include: a target blockchain address, a timestamp, and a random number generated by the target robot.
  • the target robot calculates the first verification information by using the target identification code as a key and the verification parameter as calculated data through HMAC-SHA256 algorithm.
  • the target robot can obtain its own target blockchain address robot-did, identification code pin-code and local timestamp timestamp (for example, relative to 0:00:00 on January 1, 1970, 8 bytes long, in milliseconds, GMT+00:00), and generate a random number random (for example, 32 bytes).
  • the target robot can calculate the HMAC result mac1 (32 bytes) based on the HMAC-SHA256 algorithm, using pin-code as the HMAC key and the splice of the verification parameters random, timestamp and robot-did as the data to be calculated, where splicing means concatenation.
  • the target robot can send an authentication request to the VPN POP, and the authentication request includes the first verification information mac1, the target blockchain address robot-did, random number random and timestamp.
  • the robot can also splice mac1, random, timestamp and robot-did to obtain an OTP (One Time Password, one-time password).
  • the authentication request includes the OTP.
  • after receiving the authentication request from the target robot, the VPN POP can parse it to obtain the target blockchain address robot-did, the random number random and the timestamp, and obtain the target identification code of the target robot from the blockchain ledger based on the target blockchain address. In this way, the VPN POP can likewise calculate the second verification information based on the HMAC-SHA256 algorithm, using the obtained pin-code as the HMAC key and the splice of random, timestamp and robot-did as the data to be calculated.
  • the VPN POP can authenticate the target robot. For example, if the first verification information is the same as the second verification information, the target robot is authenticated by the VPN POP. If the first verification information is different from the second verification information, the authentication fails.
  • the above embodiments illustrate the robot authentication process of the present disclosure by taking verification parameters as an example of a target blockchain address, a timestamp, and a random number generated by the target robot.
  • the above parameters may also be adjusted accordingly (for example, adding relevant robot information).
  • the one-way hash function used in HMAC may not be limited to the above example, and a related high-strength one-way hash function (such as SHA-1) may also be used in HMAC, which is not limited in the present disclosure.
  • the above technical solution sets multiple VPN POPs in the blockchain network, and each of the VPN POPs has the robot authentication authority granted by the robot authentication center. In this way, any of the VPN POPs can perform network authentication on registered robots, thereby avoiding the performance bottleneck problem faced by a single robot authentication center when performing robot authentication and the security risks caused by centralization.
  • since the registration information of the robot is stored in the blockchain ledger and can be maintained and managed by the blockchain system, the robot certification center no longer needs to maintain it. In this way, the complexity of the robot certification center can be reduced, which also helps to improve its reliability.
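The HMAC-SHA256 exchange of steps S41 onward, together with the invalid state written by the third authentication management terminal at logout, as an added Go example; this is not code from the disclosure. It assumes a splice order of random || timestamp || robot-did and big-endian timestamp bytes (the page fixes neither), adds a freshness window on the timestamp (a replay check the page does not describe), and uses an in-memory map with constructed robot entries in place of the blockchain ledger.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// registration: the ledger row for one robot (pin-code next to its blockchain
// address) and the valid/invalid state the logout terminal updates.
type registration struct {
	pinCode []byte
	valid   bool
}

// ledger stands in for the blockchain ledger every VPN POP can read (constructed data).
var ledger = map[string]registration{
	"did:robot:0001": {pinCode: []byte("constructed-pin-0001"), valid: true},
	"did:robot:0002": {pinCode: []byte("constructed-pin-0002"), valid: false}, // logged out
}

// authRequest: first verification information mac1 plus the verification parameters
// (target blockchain address, 8-byte millisecond timestamp, 32-byte random number).
type authRequest struct {
	RobotDID  string
	Timestamp uint64
	Random    []byte
	Mac1      []byte
}

// ts8 encodes the timestamp as 8 big-endian bytes (byte order is an assumption).
func ts8(ts uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, ts)
	return b
}

// verificationData splices the parameters into the HMAC input. The order
// random || timestamp || robot-did is assumed from the page's OTP splicing order.
func verificationData(robotDID string, ts uint64, random []byte) []byte {
	return bytes.Join([][]byte{random, ts8(ts), []byte(robotDID)}, nil)
}

// computeMAC is HMAC-SHA256 keyed with the pin-code.
func computeMAC(pinCode, data []byte) []byte {
	m := hmac.New(sha256.New, pinCode)
	m.Write(data)
	return m.Sum(nil)
}

// buildAuthRequest is the robot side: draw the random number and compute mac1.
func buildAuthRequest(robotDID string, pinCode []byte, ts uint64) (authRequest, error) {
	random := make([]byte, 32)
	if _, err := rand.Read(random); err != nil {
		return authRequest{}, err
	}
	mac1 := computeMAC(pinCode, verificationData(robotDID, ts, random))
	return authRequest{RobotDID: robotDID, Timestamp: ts, Random: random, Mac1: mac1}, nil
}

// encodeOTP splices mac1 || random || timestamp || robot-did into the OTP the page
// describes; decodeOTP is the VPN POP's parsing step that recovers the fields.
func encodeOTP(r authRequest) []byte {
	return bytes.Join([][]byte{r.Mac1, r.Random, ts8(r.Timestamp), []byte(r.RobotDID)}, nil)
}

func decodeOTP(otp []byte) (authRequest, error) {
	if len(otp) <= 32+32+8 {
		return authRequest{}, errors.New("OTP too short")
	}
	return authRequest{Mac1: otp[:32], Random: otp[32:64],
		Timestamp: binary.BigEndian.Uint64(otp[64:72]), RobotDID: string(otp[72:])}, nil
}

// maxClockSkew is an assumed freshness window; the page carries a timestamp but does
// not say how the VPN POP uses it, so this replay check is added here.
const maxClockSkew = 5 * time.Minute

// verifyAuthRequest is the VPN POP side: reject unregistered or logged-out robots and
// stale timestamps, recompute the second verification information, compare in constant time.
func verifyAuthRequest(req authRequest, now time.Time) error {
	reg, ok := ledger[req.RobotDID]
	if !ok || !reg.valid {
		return errors.New("robot not registered or registration invalid")
	}
	sent := time.UnixMilli(int64(req.Timestamp))
	if d := now.Sub(sent); d > maxClockSkew || d < -maxClockSkew {
		return errors.New("timestamp outside freshness window")
	}
	mac2 := computeMAC(reg.pinCode, verificationData(req.RobotDID, req.Timestamp, req.Random))
	if !hmac.Equal(req.Mac1, mac2) {
		return errors.New("first and second verification information differ")
	}
	return nil
}
```

Two choices matter on the VPN POP side: the ledger lookup and state check happen before any MAC is computed, so a logged-out robot is refused without touching its pin-code (the behaviour the third authentication management terminal relies on), and the comparison of mac1 with mac2 uses hmac.Equal rather than bytes.Equal so that timing does not leak how many leading bytes matched.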
  • the VPN POP obtains the robot authentication authority in the following manner:
  • the blockchain network includes a robot certification center, which can obtain the blockchain ledger in the blockchain network, the blockchain ledger including the registration information of registered VPN POPs; the VPN POP sends a network authentication request to the robot certification center, the network authentication request including the registration verification information of the VPN POP; the registration verification information is used by the robot authentication center to determine whether the VPN POP is registered and, when the VPN POP is registered, to initiate a two-way authentication process with the VPN POP;
  • when the two-way authentication succeeds, the VPN POP obtains the robot authentication authority.
  • the VPN POP may send a network authentication request to the robot authentication center, and the network authentication request may include, for example, the second blockchain address of the VPN POP and the second random number A.
  • the robot certification center can query the second blockchain address in the blockchain ledger.
  • if the robot authentication center does not find the second blockchain address in the ledger, it can be determined that the VPN POP is not registered, so the authentication process can be terminated.
  • if the robot authentication center finds the second blockchain address, it can be determined that the VPN POP has been registered, and a two-way authentication process can then be initiated.
  • the robot certification center can send the first random number B and the first blockchain address of the robot certification center to the VPN POP.
  • the VPN POP can receive the first random number B and the first blockchain address, sign the first random number B with the private key of the VPN POP to get the signature result SIGN(A), and send SIGN(A) to the robot certification center.
  • the robot certification center can obtain the public key PK(A) of the VPN POP by querying the blockchain ledger based on the second blockchain address, and decrypt and verify the SIGN(A) through the public key PK(A).
  • if the decryption fails and/or the decryption result is not the first random number B, the authentication fails and the authentication process is terminated.
  • the robot certification center can sign the second random number A with its own private key to obtain SIGN(B), and send SIGN(B) to the VPN POP, so that the VPN POP can authenticate the robot certification center.
  • the VPN POP can obtain the public key PK(B) of the robot certification center by querying the blockchain ledger based on the first blockchain address, and decrypt and verify SIGN(B) through the public key PK(B).
  • if the decryption succeeds and the decryption result is the second random number A, the authentication succeeds.
  • if the decryption fails and/or the decryption result is not the second random number A, the authentication fails.
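The two-way authentication between a VPN POP and the robot certification center, as an added Go example that is not code from the disclosure. The page describes the check as decrypting SIGN(A) with PK(A) and comparing the result to random number B, which reads as an RSA-style verification; this example substitutes Ed25519 sign and verify from the Go standard library, which establishes the same property (only the holder of the private key matching the public key registered on the ledger could have produced the signature). The addresses, the in-memory ledger map and the 32-byte random numbers are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// ledger stands in for the blockchain ledger: blockchain address -> public key,
// as written by the fourth (center) and fifth (VPN POP) management terminals.
var ledger = map[string]ed25519.PublicKey{}

// party is a VPN POP or the robot certification center: its address and private key.
type party struct {
	addr string
	priv ed25519.PrivateKey
}

// newParty generates a key pair and, if register is set, writes the public key
// to the ledger under addr (the registration step).
func newParty(addr string, register bool) party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if register {
		ledger[addr] = pub
	}
	return party{addr: addr, priv: priv}
}

func nonce() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// netAuthRequest is message 1 (VPN POP -> center): second blockchain address and random A.
type netAuthRequest struct {
	popAddr string
	randomA []byte
}

// challenge is message 2 (center -> VPN POP): first blockchain address and random B.
type challenge struct {
	centerAddr string
	randomB    []byte
}

// handleNetAuthRequest (center): registration check, then issue the challenge.
func (c party) handleNetAuthRequest(req netAuthRequest) (challenge, error) {
	if _, ok := ledger[req.popAddr]; !ok {
		return challenge{}, errors.New("VPN POP not registered; authentication terminated")
	}
	return challenge{centerAddr: c.addr, randomB: nonce()}, nil
}

// signChallenge (VPN POP): message 3, SIGN(A) over random B.
func (p party) signChallenge(ch challenge) []byte {
	return ed25519.Sign(p.priv, ch.randomB)
}

// verifyPOP (center): check SIGN(A) under PK(A) from the ledger, then answer
// with message 4, SIGN(B) over random A.
func (c party) verifyPOP(req netAuthRequest, ch challenge, signA []byte) ([]byte, error) {
	pkA, ok := ledger[req.popAddr]
	if !ok || !ed25519.Verify(pkA, ch.randomB, signA) {
		return nil, errors.New("SIGN(A) does not verify under PK(A); VPN POP rejected")
	}
	return ed25519.Sign(c.priv, req.randomA), nil
}

// verifyCenter (VPN POP): check SIGN(B) under PK(B) looked up by the center's address.
func (p party) verifyCenter(req netAuthRequest, ch challenge, signB []byte) error {
	pkB, ok := ledger[ch.centerAddr]
	if !ok {
		return errors.New("robot certification center address not on ledger")
	}
	if !ed25519.Verify(pkB, req.randomA, signB) {
		return errors.New("SIGN(B) does not verify under PK(B); center rejected")
	}
	return nil
}

// mutualAuth drives the four messages; nil means two-way authentication succeeded
// and the VPN POP now holds robot authentication authority.
func mutualAuth(pop, center party) error {
	req := netAuthRequest{popAddr: pop.addr, randomA: nonce()}
	ch, err := center.handleNetAuthRequest(req)
	if err != nil {
		return err
	}
	signB, err := center.verifyPOP(req, ch, pop.signChallenge(ch))
	if err != nil {
		return err
	}
	return pop.verifyCenter(req, ch, signB)
}
```

Each side verifies against the key it reads from the ledger, never against a key carried in the message, so a node that presents a registered address without the matching private key fails at step 3, and a party answering in the center's name without the center's private key fails at step 4; both random numbers are fresh per run, so a recorded SIGN(A) or SIGN(B) cannot be replayed.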
  • the present disclosure also provides a robot authentication method for a target robot, and the target robot may be the robot described in the foregoing embodiments.
  • the methods include:
  • the target robot sends an authentication request to any of the VPN POPs, the authentication request including first verification information and verification parameters; any of the VPN POPs has the robot authentication authority granted by the robot certification center and can obtain the blockchain ledger in the blockchain network, the blockchain ledger including the registration information of registered robots, and the registration information including the blockchain address of the robot and the identification code corresponding to the blockchain address; the VPN POP obtains the target identification code of the target robot from the blockchain ledger based on the target blockchain address in the verification parameters, and calculates the second verification information according to the verification parameters and the target identification code.
  • when the first verification information is the same as the second verification information, the target robot passes the authentication of the VPN POP.
  • the above technical solution sets multiple VPN POPs in the blockchain network, and each of the VPN POPs has the robot authentication authority granted by the robot authentication center.
  • any of the VPN POPs can perform network authentication on registered robots, thereby avoiding performance bottlenecks and security risks faced by a single robot authentication center when performing robot authentication.
  • the target robot can also authenticate through other VPN POPs.
  • the robot certification center no longer needs to maintain the registration information of the robot. Adopting such a method can reduce the complexity of the robot certification center, and also help to improve the reliability of the robot certification center.
  • the present disclosure also provides a computer-readable storage medium, on which a computer program is stored, and when the program is executed by a processor, the steps of the robot authentication method applied to VPN POP provided by the present disclosure are implemented.
  • a computer program product comprising a computer program executable by a programmable device, the computer program having a code section for performing the above robot authentication method applied to a VPN POP.
  • the present disclosure also provides a computing processing device, including:
  • one or more processors, wherein when the computer-readable code is executed by the one or more processors, the computing processing device executes the steps of the robot authentication method applied to a VPN POP provided by the present disclosure.
  • FIG. 6 is a schematic structural diagram of a computing processing device provided by the present disclosure.
  • the computing processing device may include a processor 610 and a computer program product or computer-readable medium in the form of a memory 630.
  • Memory 630 may be electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), EPROM, hard disk, or ROM.
  • the memory 630 may include a storage space 650, which may include program codes for performing any method steps in the methods described above.
  • the storage space 650 may include various program codes 651 for respectively implementing various steps in the above robot authentication method applied to VPN POP. These program codes can be read from or written into one or more computer program products.
  • These computer program products comprise program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • such a computer program product is typically a portable or fixed storage unit as shown in FIG. 7.
  • the storage unit may have storage segments, storage spaces, etc. arranged similarly to the memory 630 in the computing processing device of FIG. 6.
  • the program code can, for example, be compressed in a suitable form.
  • the storage unit may include computer-readable code 651', i.e. code readable by a processor such as 610, which when executed by the server causes the server to execute the individual steps of the robot authentication method described above for the VPN POP.
  • the present disclosure also provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, the steps of the robot authentication method applied to a robot provided in the present disclosure are implemented.
  • a computer program product comprising a computer program executable by a programmable device, the computer program having a code section for performing the above robot authentication method applied to a robot.
  • the present disclosure also provides a computing processing device, including:
  • one or more processors, wherein when the computer-readable code is executed by the one or more processors, the computing processing device executes the steps of the robot authentication method applied to a robot provided by the present disclosure.
  • FIG. 8 is a schematic structural diagram of a computing processing device provided by the present disclosure.
  • the computing processing device may include a processor 810 and a computer program product or computer-readable medium in the form of a memory 830.
  • Memory 830 may be electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), EPROM, hard disk, or ROM.
  • the memory 830 may include a storage space 850, and the storage space 850 may include program codes for performing any method steps in the methods described above.
  • the storage space 850 may include various program codes 851 for respectively implementing various steps in the above robot authentication method applied to a robot. These program codes can be read from or written into one or more computer program products.
  • These computer program products comprise program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • such a computer program product is typically a portable or fixed storage unit as shown in FIG. 9.
  • the storage unit may have storage segments, storage spaces, etc. arranged similarly to the memory 830 in the computing processing device of FIG. 8.
  • the program code can, for example, be compressed in a suitable form.
  • the storage unit may include computer-readable code 851', i.e. code readable by a processor such as 810, which when executed by the server causes the server to perform the steps of the robot authentication method described above for the robot.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The present disclosure relates to a robot authentication system and method. The system comprises a plurality of virtual private network points of presence (VPN POP), wherein each VPN POP has a robot authentication permission granted by a robot authentication center, and can acquire a blockchain ledger from a blockchain network, the blockchain ledger comprising registration information of registered robots; any VPN POP is used for receiving an authentication request of a target robot, which authentication request comprises first verification information and a verification parameter, and the VPN POP is also used for acquiring, from the blockchain ledger, a target identification code of the target robot according to a target blockchain address in the verification parameter, and for performing calculation according to the verification parameter and the target identification code to obtain second verification information, with the target blockchain address being a blockchain address of the target robot, and the first verification information being obtained by means of the target robot performing calculation on the basis of the verification parameter and the target identification code; and when the first verification information is identical to the second verification information, the target robot passes the authentication of the VPN POP.

Description

Robot authentication system and method
Cross References to Related Applications
This disclosure claims the priority of the Chinese patent application with application number 202110729418.6, titled "Robot Authentication System and Method", filed with the China Patent Office on June 29, 2021, the entire contents of which are incorporated by reference in this disclosure.
Technical field
The present disclosure relates to the technical field of robots, and in particular to a robot authentication system and method.
Background
At present, robots are increasingly widely used in various industries. Moreover, with the development of artificial intelligence technology, robots are becoming more capable, so the damage caused when a robot is illegally compromised is also growing.
To improve security, the management and control of a robot can only be carried out after the robot has passed authentication. For example, in the related technology, a robot account and password can be preset in the robot, so that the robot can authenticate to the robot authentication center with that account and password. However, this approach still faces security risks and also increases the burden on the robot authentication center.
Summary
The purpose of the present disclosure is to provide a robot authentication system and method to solve the above problems of the related technology.
To achieve the above purpose, according to a first aspect of the embodiments of the present disclosure, a robot authentication system is provided, including a plurality of virtual private network points of presence (VPN POP). Each VPN POP has the robot authentication authority granted by the robot authentication center and can obtain the blockchain ledger in the blockchain network; the blockchain ledger includes the registration information of registered robots, and the registration information includes the blockchain address of the robot and the identification code corresponding to that blockchain address;
any of the VPN POPs is used to receive an authentication request from a target robot, the authentication request including first verification information and verification parameters, to obtain the target identification code of the target robot from the blockchain ledger according to the target blockchain address in the verification parameters, and to calculate second verification information according to the verification parameters and the target identification code;
wherein the target blockchain address is the blockchain address of the target robot, the first verification information is calculated by the target robot based on the verification parameters and the target identification code, and when the first verification information is the same as the second verification information, the target robot passes the authentication of the VPN POP.
Optionally, the verification parameters include: the blockchain address of the target robot, a timestamp, and a random number generated by the target robot;
the target robot is used to calculate the first verification information through the HMAC-SHA256 algorithm, using the target identification code as the key and the verification parameters as the data to be calculated.
Optionally, the VPN POP is also used to:
when the target robot passes the authentication of the robot authentication center, send an access token to the target robot and to the robot authentication center, so that the robot authentication center sends the access token to the interaction terminal corresponding to the target robot;
wherein the access token is used by the interaction terminal to verify interaction requests from the target robot.
可选地,所述区块链账本中还包括已注册的VPN POP的注册信息,所述注册信息包括所述VPN POP的区块链地址以及所述VPN POP的公钥,所述机器人认证系统还包括:Optionally, the blockchain account book also includes the registration information of the registered VPN POP, the registration information includes the blockchain address of the VPN POP and the public key of the VPN POP, and the robot authentication system Also includes:
机器人认证中心,所述机器人认证中心能够获取区块链网络中的区块链账本,所述机器人认证中心用于,在接收到目标VPN POP的鉴权请求时,基于所述区块链账本中的注册信息,确定所述目标VPN POP是否已注册,并在所述目标VPN POP已注册的情况下,与所述目标VPN POP进行双向认证;其中,在双向认证成功的情况下,所述目标VPN POP具备机器人认证权限;A robot certification center, the robot certification center can obtain the block chain account book in the block chain network, and the robot certification center is used to, when receiving the authentication request of the target VPN POP, based on the block chain account book registration information, determine whether the target VPN POP has been registered, and in the case of the target VPN POP registered, carry out two-way authentication with the target VPN POP; wherein, in the case of two-way authentication success, the target VPN POP has robot authentication authority;
所述目标VPN POP还用于,在接收到目标机器人的认证请求时,若确定该目标VPNPOP未与所述机器人认证中心双向认证成功,则向所述目标机器人发送认证异常信息;The target VPN POP is also used for, when receiving the authentication request of the target robot, if it is determined that the target VPN POP has not succeeded in two-way authentication with the robot authentication center, then sending authentication exception information to the target robot;
所述目标机器人还用于,在接收到所述认证异常信息后,向所述多个VPN POP中的任一VPN POP发送认证请求。The target robot is further configured to, after receiving the authentication exception information, send an authentication request to any VPN POP among the multiple VPN POPs.
可选地,还包括:Optionally, also include:
a first authentication management terminal, the first authentication management terminal being a blockchain node with robot registration authority and configured to, upon receiving a robot registration request, write the registration information contained in the registration request into the blockchain ledger and send the bootstrap node information of the blockchain network to the robot, wherein the registration information includes the blockchain address and the identification code of the robot;
the robot being configured to store the bootstrap node information and to join the blockchain network based on the bootstrap node information.
Optionally, the system further includes:
a second authentication management terminal, the second authentication management terminal being a blockchain node with robot registration authority and configured to, upon receiving a registration request from a robot, generate a private key, a public key, a blockchain address, identification information and an identification code for the robot; write the public key, the blockchain address and the identification code into the blockchain ledger as the registration information of the robot; and send the bootstrap node information of the blockchain network, the identification information and the private key to the robot;
the robot being configured to store the private key, the identification information and the bootstrap node information, to join the blockchain network based on the bootstrap node information, and to retrieve its blockchain address and identification code from the blockchain ledger based on the identification information.
Optionally, the system further includes:
a third authentication management terminal, the third authentication management terminal being a blockchain node with robot deregistration authority and configured to, upon receiving a robot deregistration request, determine the robot to be deregistered from the robot identifier in the deregistration request and update the registration information of that robot in the blockchain ledger to a deregistered state.
Optionally, the system further includes:
a fourth authentication management terminal, the fourth authentication management terminal being a blockchain node with authority to register robot authentication centers and configured to, upon receiving a registration request from a robot authentication center, write the registration information contained in the registration request into the blockchain ledger, the registration information including the blockchain address and the public key of the robot authentication center; and/or
a fifth authentication management terminal, the fifth authentication management terminal being a blockchain node with VPN POP registration authority and configured to, upon receiving a registration request from a VPN POP, write the registration information contained in the registration request into the blockchain ledger, the registration information including the blockchain address and the public key of the VPN POP.
According to a second aspect of the embodiments of the present disclosure, a robot authentication method is provided for a VPN POP, where the VPN POP has robot authentication authority granted by a robot authentication center and can access the blockchain ledger of a blockchain network, the blockchain ledger contains the registration information of registered robots, and the registration information includes each robot's blockchain address and the identification code corresponding to that blockchain address. The method includes:
receiving an authentication request from a target robot, the authentication request including first verification information and verification parameters;
obtaining the target identification code of the target robot from the blockchain ledger according to the target blockchain address in the verification parameters, the target blockchain address being the blockchain address of the target robot;
computing second verification information from the verification parameters and the target identification code;
determining that the target robot has passed authentication if the first verification information is identical to the second verification information;
wherein the first verification information is computed by the target robot from the verification parameters and the target identification code.
Optionally, the verification parameters include the blockchain address of the target robot, a timestamp and a random number generated by the target robot, and computing the second verification information from the verification parameters and the target identification code includes:
computing the second verification information with the HMAC-SHA256 algorithm, using the target identification code as the key and the verification parameters as the data to be authenticated.
Optionally, the VPN POP obtains the robot authentication authority as follows:
sending an identity authentication request to the robot authentication center; wherein the blockchain network includes the robot authentication center, the robot authentication center can access the blockchain ledger of the blockchain network, the blockchain ledger contains the registration information of registered VPN POPs, the authentication request includes registration verification information of the VPN POP, and the registration verification information is used by the robot authentication center to determine whether the VPN POP is registered and, if the VPN POP is registered, to initiate a mutual authentication process with the VPN POP;
performing mutual authentication with the robot authentication center when the robot authentication center initiates the mutual authentication process;
wherein the VPN POP obtains the robot authentication authority when the mutual authentication between the VPN POP and the robot authentication center succeeds.
According to a third aspect of the embodiments of the present disclosure, a robot authentication method is provided for a target robot, the method including:
obtaining verification parameters and the target identification code of the target robot, the verification parameters including the blockchain address of the target robot;
computing first verification information from the verification parameters and the target identification code;
sending an authentication request including the first verification information and the verification parameters to any VPN POP in the blockchain network;
wherein each VPN POP has robot authentication authority granted by a robot authentication center and can access the blockchain ledger of the blockchain network, the blockchain ledger contains the registration information of registered robots, and the registration information includes each robot's blockchain address and the identification code corresponding to that blockchain address; the VPN POP obtains the target identification code of the target robot from the blockchain ledger based on the target blockchain address in the verification parameters and computes second verification information from the verification parameters and the target identification code, and the target robot passes the authentication of the VPN POP if the first verification information is identical to the second verification information.
According to a fourth aspect of the embodiments of the present disclosure, a computer program is provided, including computer-readable code which, when run on a computing processing device, causes the computing processing device to perform the method of any one of the second aspect above.
According to a fifth aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided on which a computer program is stored, the program, when executed by a processor, implementing the steps of the method of any one of the second aspect above.
According to a sixth aspect of the embodiments of the present disclosure, a computing processing device is provided, including:
a memory on which a computer program is stored;
a processor configured to execute the computer program in the memory so as to implement the steps of the method of any one of the second aspect above.
According to a seventh aspect of the embodiments of the present disclosure, a computer program is provided, including computer-readable code which, when run on a computing processing device, causes the computing processing device to perform the method of the third aspect above.
According to an eighth aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided on which a computer program is stored, the program, when executed by a processor, implementing the steps of the method of the third aspect above.
According to a ninth aspect of the embodiments of the present disclosure, a computing processing device is provided, including:
a memory on which a computer program is stored;
a processor configured to execute the computer program in the memory so as to implement the steps of the method of the third aspect above.
In the above technical solution, multiple VPN POPs are deployed in the blockchain network, and each VPN POP has robot authentication authority granted by the robot authentication center. Any of these VPN POPs can therefore perform network authentication of registered robots, which avoids the performance bottleneck and the security risk that a single robot authentication center faces when authenticating robots.
Moreover, since the registration information of the robots is stored in the blockchain ledger and can be maintained and managed by the blockchain system, the robot authentication center no longer needs to maintain the registration information of the robots. This reduces the complexity of the robot authentication center and also helps improve its reliability.
Other features and advantages of the present disclosure will be described in detail in the detailed description that follows.
Description of the drawings
The accompanying drawings are provided to give a further understanding of the present disclosure and form part of the specification; together with the following detailed description they serve to explain the present disclosure, but they do not limit it. In the drawings:
Fig. 1 is a schematic diagram of a robot authentication scenario according to an exemplary embodiment of the present disclosure.
Fig. 2 is a schematic diagram of a robot authentication system according to an exemplary embodiment of the present disclosure.
Fig. 3 is a schematic diagram of a robot authentication system according to an exemplary embodiment of the present disclosure.
Fig. 4 is a flowchart of a robot authentication method according to an exemplary embodiment of the present disclosure.
Fig. 5 is a flowchart of a robot authentication method according to an exemplary embodiment of the present disclosure.
Fig. 6 is a schematic structural diagram of a computing processing device according to an exemplary embodiment of the present disclosure.
Fig. 7 is a schematic diagram of a storage unit holding program code for implementing the method of the present disclosure, according to an exemplary embodiment of the present disclosure.
Fig. 8 is a schematic structural diagram of a computing processing device according to an exemplary embodiment of the present disclosure.
Fig. 9 is a schematic diagram of a storage unit holding program code for implementing the method of the present disclosure, according to an exemplary embodiment of the present disclosure.
Detailed description
Specific embodiments of the present disclosure are described in detail below with reference to the accompanying drawings. It should be understood that the specific embodiments described here are only intended to illustrate and explain the present disclosure, not to limit it.
Before the robot authentication system and method of the present disclosure are introduced, the application scenario of the present disclosure is described first: the embodiments provided in the present disclosure can be used, for example, in robot authentication scenarios.
To improve robot security, a robot may only be managed and controlled after it has passed authentication. In the related art, a robot account and password can be preset in the robot, so that the robot can authenticate to a robot authentication center using that account and password.
In some implementation scenarios, a symmetric key can also be preset in each robot (with a different symmetric key per robot), and the robot authentication center stores the preset symmetric keys of the robots under its management. Robots can then be authenticated in a manner similar to mobile network access authentication.
However, with these approaches the robot must store the account information or the symmetric key locally, which carries a risk of leakage; to maintain security, the account information must be changed periodically. Furthermore, the robot authentication center is a centralized component that manages, stores and maintains the account and password information of all robots: once the robot authentication center is compromised, robots can be impersonated. Likewise, when the robot authentication center stops serving for some reason (natural disaster, power outage, etc.), robots may be unable to authenticate, which affects service availability. In addition, since all robot authentication is performed at the robot authentication center, the center becomes highly complex, and with a large number of robots it may also become a performance bottleneck.
To this end, the present disclosure provides a robot authentication system that includes a plurality of virtual private network service access points (VPN POPs), each VPN POP having robot authentication authority granted by a robot authentication center. The robot authentication center may, for example, be deployed as a node of a blockchain network. Referring to the robot authentication scenario shown in Fig. 1, there may be three VPN POPs, and each VPN POP may act as a node of the blockchain network and thereby interact with the other blockchain nodes (shown as blockchain node 1 in the figure).
With this arrangement, a VPN POP can access the blockchain ledger of the blockchain network, and the blockchain ledger contains the registration information of registered robots. The registration information may include, for example, a robot's blockchain address and the identification code corresponding to that blockchain address. The identification code may be a PIN (Personal Identification Number) code assigned to each robot, with a different identification code for every robot.
For example, a robot may generate a public key, a private key and an identification code, and derive a blockchain address from the public key. The robot can then register using the blockchain address and the identification code; after successful registration, the robot's blockchain address and identification code are written into the blockchain ledger.
In some implementation scenarios, a robot's registration information may also include related information about the robot, such as the robot type, public key, robot ID (identity document), etc.; the present disclosure does not limit this.
Referring to Fig. 1, any of the VPN POPs is configured to receive an authentication request from a target robot, the authentication request including first verification information and verification parameters, to obtain the target identification code of the target robot from the blockchain ledger according to the target blockchain address in the verification parameters, and to compute second verification information from the verification parameters and the target identification code;
wherein the target blockchain address is the blockchain address of the target robot, and the first verification information is computed by the target robot from the verification parameters and the target identification code. For example, in some implementation scenarios the verification parameters may include the target blockchain address, a timestamp and a random number generated by the target robot;
the target robot is configured to compute the first verification information with the HMAC-SHA256 algorithm, using the target identification code as the key and the verification parameters as the data to be authenticated.
Specifically, the target robot can obtain its own target blockchain address robot-did, its identification code pin-code and its local timestamp (for example, an 8-byte timestamp counting milliseconds since 00:00:00 on 1 January 1970, GMT+00:00), and generate a random number random (for example, 32 bytes).
With this information, the target robot computes HMAC-SHA256 with pin-code as the HMAC key and random||timestamp||robot-did as the data, obtaining the HMAC result mac1 (32 bytes) as the first verification information. Here "||" denotes concatenation.
The target robot can then send an authentication request to a VPN POP, the authentication request including the first verification information mac1, the target blockchain address robot-did, the random number random and timestamp. In some scenarios the robot may instead concatenate mac1, random, timestamp and robot-did into an OTP (One Time Password), in which case the authentication request includes the OTP.
After receiving the authentication request of the target robot, the VPN POP parses it to obtain the target blockchain address robot-did, the random number random and timestamp, and retrieves the target identification code of the target robot from the blockchain ledger using the target blockchain address. The VPN POP can then likewise compute HMAC-SHA256 with the retrieved pin-code as the HMAC key and random||timestamp||robot-did as the data, obtaining the HMAC result mac2 as the second verification information.
By comparing the first verification information with the second verification information, the VPN POP can authenticate the target robot. For example, if the first verification information is identical to the second verification information, the target robot passes the authentication of the VPN POP; if the first verification information differs from the second verification information, authentication fails.
It should be noted that the above embodiments illustrate the robot authentication process of the present disclosure by taking the target blockchain address, the timestamp and the random number generated by the target robot as the verification parameters. Those skilled in the art will appreciate that in a specific implementation these parameters may be adjusted accordingly (for example, by adding related robot information). Likewise, the one-way hash function used in HMAC is not limited to the above example; other strong one-way hash functions (for example SHA-1) may also be used in HMAC, and the present disclosure does not limit this.
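The robot-side computation of mac1 and the VPN POP-side recomputation and comparison of mac2 described above, as an added Go example that is not code from the patent or its applicant. The `did:robot:...` address and pin-code are constructed sample values; the 8-byte big-endian timestamp encoding, the clock-skew window and the replay cache on the POP side are assumptions added here, since the page specifies only the HMAC recomputation and comparison.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// AuthRequest is what the target robot sends to a VPN POP: the first
// verification information mac1 plus the verification parameters.
type AuthRequest struct {
	RobotDID    string // target blockchain address (robot-did)
	Random      []byte // 32-byte random number generated by the robot
	TimestampMs uint64 // milliseconds since 1970-01-01T00:00:00Z, 8 bytes on the wire
	MAC         []byte // mac1 = HMAC-SHA256(pin-code, random||timestamp||robot-did)
}

// PinLedger stands in for the blockchain ledger lookup "robot-did -> pin-code".
type PinLedger map[string][]byte

// authData builds random || timestamp || robot-did. The big-endian encoding of
// the 8-byte timestamp is an assumption; the page fixes only its length.
func authData(random []byte, tsMs uint64, did string) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], tsMs)
	buf := make([]byte, 0, len(random)+8+len(did))
	buf = append(buf, random...)
	buf = append(buf, ts[:]...)
	return append(buf, did...)
}

// ComputeMAC is the computation both sides perform: HMAC-SHA256 keyed with the pin-code.
func ComputeMAC(pinCode, random []byte, tsMs uint64, did string) []byte {
	h := hmac.New(sha256.New, pinCode)
	h.Write(authData(random, tsMs, did))
	return h.Sum(nil)
}

// NewAuthRequest is the robot side: draw a fresh 32-byte random and compute mac1.
func NewAuthRequest(did string, pinCode []byte, nowMs uint64) (AuthRequest, error) {
	random := make([]byte, 32)
	if _, err := rand.Read(random); err != nil {
		return AuthRequest{}, err
	}
	return AuthRequest{
		RobotDID:    did,
		Random:      random,
		TimestampMs: nowMs,
		MAC:         ComputeMAC(pinCode, random, nowMs, did),
	}, nil
}

// Verifier is the VPN POP side. The skew window and replay cache are added
// hardening (assumptions); the page specifies only recomputing and comparing mac2.
type Verifier struct {
	Ledger    PinLedger
	MaxSkewMs uint64
	seen      map[string]bool // random||timestamp values already accepted
}

func NewVerifier(ledger PinLedger, maxSkewMs uint64) *Verifier {
	return &Verifier{Ledger: ledger, MaxSkewMs: maxSkewMs, seen: map[string]bool{}}
}

// Verify returns nil when the target robot passes authentication.
func (v *Verifier) Verify(req AuthRequest, nowMs uint64) error {
	pinCode, ok := v.Ledger[req.RobotDID]
	if !ok {
		return errors.New("robot-did not registered in ledger")
	}
	if len(req.Random) != 32 {
		return errors.New("random number must be 32 bytes")
	}
	skew := nowMs - req.TimestampMs
	if req.TimestampMs > nowMs {
		skew = req.TimestampMs - nowMs
	}
	if skew > v.MaxSkewMs {
		return errors.New("timestamp outside the accepted window")
	}
	replayKey := fmt.Sprintf("%x|%d", req.Random, req.TimestampMs)
	if v.seen[replayKey] {
		return errors.New("authentication request replayed")
	}
	mac2 := ComputeMAC(pinCode, req.Random, req.TimestampMs, req.RobotDID)
	if !hmac.Equal(req.MAC, mac2) { // constant-time comparison of mac1 and mac2
		return errors.New("first and second verification information differ")
	}
	v.seen[replayKey] = true
	return nil
}

func main() {
	// Constructed sample: one registered robot with a made-up pin-code.
	did := "did:robot:example-0001"
	ledger := PinLedger{did: []byte("constructed-pin-1234")}
	v := NewVerifier(ledger, 30000)
	req, err := NewAuthRequest(did, ledger[did], 1700000000000)
	if err != nil {
		panic(err)
	}
	fmt.Println("first attempt:", v.Verify(req, 1700000000500)) // nil: authenticated
	fmt.Println("replayed:", v.Verify(req, 1700000000600))      // error: replayed
}
```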
In the above technical solution, multiple VPN POPs are deployed in the blockchain network, and each VPN POP has robot authentication authority granted by the robot authentication center. Any of these VPN POPs can therefore perform network authentication of registered robots, which avoids the performance bottleneck that a single robot authentication center faces when authenticating robots and the security risks caused by centralization.
Moreover, since the registration information of the robots is stored in the blockchain ledger and can be maintained and managed by the blockchain system, the robot authentication center no longer needs to maintain the registration information of the robots. This reduces the complexity of the robot authentication center and also helps improve its reliability.
In a possible implementation, the VPN POP is further configured to:
when the target robot passes the authentication of the robot authentication center, send an access token (access-token) to the target robot and to the robot authentication center, so that the robot authentication center sends the access token to the interaction terminal corresponding to the target robot.
The robot authentication center may be a component of the service-side system; by sending the access token to the robot authentication center, the robot authentication center can in turn send the access token to the interaction terminal corresponding to the target robot. The interaction terminal may be, for example, a robot management system or a business system that the target robot interacts with. The access token is used by the interaction terminal to verify the interaction requests of the target robot.
In some implementation scenarios, the access token may also correspond to the identity of the robot (for example, a numeric ID). In that case, when the target robot passes authentication, the VPN POP may also send the identity of the target robot and the corresponding access token to the robot authentication center, and the robot authentication center may correspondingly send the identity of the target robot and the corresponding access token to the interaction terminal corresponding to the target robot.
In some implementation scenarios, the access token may also carry a validity period, such as 1 hour or 1 day. Within the validity period of the access token, the target robot can interact with the robot interaction terminal using the access token; after the validity period of the access token expires, the target robot must re-authenticate with a VPN POP according to the above process.
In this way, authenticated robots can be managed, which helps improve robot security.
Fig. 2 is a schematic diagram of a robot authentication system according to the present disclosure. In some implementation scenarios, the blockchain ledger further contains the registration information of registered VPN POPs, the registration information including the blockchain address of each VPN POP and the public key of that VPN POP, and the robot authentication system further includes:
a robot authentication center that can access the blockchain ledger of the blockchain network and is configured to, upon receiving an authentication request from a target VPN POP, determine from the registration information in the blockchain ledger whether the target VPN POP is registered and, if the target VPN POP is registered, perform mutual authentication with the target VPN POP; wherein the target VPN POP has robot authentication authority if the mutual authentication succeeds.
For example, the target VPN POP may send a network authentication request to the robot authentication center, the network authentication request including, for example, the second blockchain address of the target VPN POP and a second random number A. The robot authentication center can then look up the second blockchain address in the blockchain ledger. If the robot authentication center does not find the second blockchain address, the target VPN POP is determined to be unregistered and the authentication process is terminated; if the robot authentication center finds the second blockchain address, the target VPN POP is determined to be registered and the mutual authentication process can be initiated.
The mutual authentication process is illustrated below. For example, the robot authentication center may send a first random number B and the first blockchain address of the robot authentication center to the target VPN POP.
The target VPN POP receives the first random number B and the first blockchain address, signs the first random number B with the private key of the target VPN POP to obtain the signature result SIGN(A), and sends SIGN(A) to the robot authentication center.
Based on the second blockchain address, the robot authentication center obtains the public key PK(A) of the target VPN POP by querying the blockchain ledger, and decrypts and verifies SIGN(A) with PK(A). If decryption fails and/or the decrypted result is not the first random number B, authentication fails and the authentication process is terminated. If decryption succeeds and the decrypted result is the first random number B, authentication succeeds. The robot authentication center then signs the second random number A with its own private key to obtain SIGN(B) and sends SIGN(B) to the target VPN POP, so that the target VPN POP can authenticate the robot authentication center.
Correspondingly, based on the first blockchain address, the target VPN POP obtains the public key PK(B) of the robot authentication center by querying the blockchain ledger, and decrypts and verifies SIGN(B) with PK(B). If decryption succeeds and the decrypted result is the second random number A, authentication succeeds; if decryption fails and/or the decrypted result is not the second random number A, authentication fails.
In the above technical solution, only a VPN POP that has been authenticated by the robot authentication center can authenticate robots, which improves the security of the robot authentication system.
The above embodiments illustrate the mutual authentication process between the target VPN POP and the robot authentication center of the present disclosure. Those skilled in the art will appreciate, however, that in a specific implementation mutual authentication by means of an asymmetric cryptographic mechanism can be carried out in many ways (for example, with corresponding variants under different communication standards); for brevity, the present disclosure does not describe them one by one.
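The mutual authentication exchange between a target VPN POP and the robot authentication center described above (random number A, random number B, SIGN(A), SIGN(B), and the ledger lookups of PK(A) and PK(B) by blockchain address), as an added Go example that is not code from the patent or its applicant. Ed25519 is assumed as the asymmetric scheme, so the page's "decrypt and compare with the random number" step becomes a signature verification over that random number, and deriving an address from a SHA-256 hash of the public key is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyLedger stands in for the blockchain ledger lookup "blockchain address -> public key".
type KeyLedger map[string]ed25519.PublicKey

// Party is either the target VPN POP or the robot authentication center.
type Party struct {
	Address string
	Priv    ed25519.PrivateKey
}

// addressOf derives a blockchain address from the public key (derivation is an assumption).
func addressOf(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:20])
}

// NewParty generates an Ed25519 key pair; registration in the ledger is a separate step.
func NewParty() (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Address: addressOf(pub), Priv: priv}, nil
}

// Register writes the party's address and public key into the ledger.
func (p *Party) Register(l KeyLedger) {
	l[p.Address] = p.Priv.Public().(ed25519.PublicKey)
}

// randomNumber draws a fresh 32-byte challenge (A or B).
func randomNumber() ([]byte, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return b, err
}

// verifyChallenge looks up the claimed address in the ledger and checks that the
// signature over the challenge verifies under the registered public key.
func verifyChallenge(l KeyLedger, addr string, challenge, sig []byte) error {
	pub, ok := l[addr]
	if !ok {
		return fmt.Errorf("address %s not registered", addr)
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature over challenge does not verify")
	}
	return nil
}

// MutualAuth runs the exchange from the page; it returns nil only when both sides
// have authenticated each other.
func MutualAuth(pop, center *Party, l KeyLedger) error {
	// Step 1: POP -> center: its blockchain address and random number A.
	A, err := randomNumber()
	if err != nil {
		return err
	}
	// Step 2: center looks the POP's address up in the ledger; unregistered -> terminate.
	if _, ok := l[pop.Address]; !ok {
		return errors.New("center: target VPN POP not registered, authentication terminated")
	}
	// center -> POP: random number B and the center's blockchain address.
	B, err := randomNumber()
	if err != nil {
		return err
	}
	// Step 3: POP signs B with its private key -> SIGN(A).
	sigA := ed25519.Sign(pop.Priv, B)
	// Step 4: center fetches PK(A) from the ledger and verifies SIGN(A) against B.
	if err := verifyChallenge(l, pop.Address, B, sigA); err != nil {
		return fmt.Errorf("center rejects POP: %w", err)
	}
	// center signs A with its private key -> SIGN(B).
	sigB := ed25519.Sign(center.Priv, A)
	// Step 5: POP fetches PK(B) from the ledger and verifies SIGN(B) against A.
	if err := verifyChallenge(l, center.Address, A, sigB); err != nil {
		return fmt.Errorf("POP rejects center: %w", err)
	}
	return nil
}

func main() {
	ledger := KeyLedger{}
	pop, _ := NewParty()
	center, _ := NewParty()
	pop.Register(ledger)
	center.Register(ledger)
	fmt.Println("registered POP:", MutualAuth(pop, center, ledger)) // nil
	unregistered, _ := NewParty()
	fmt.Println("unregistered POP:", MutualAuth(unregistered, center, ledger)) // error
}
```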
Continuing the above example, the target VPN POP is further configured to, upon receiving an authentication request from the target robot, send authentication exception information to the target robot if it determines that it has not successfully completed mutual authentication with the robot authentication center;
the target robot is further configured to, upon receiving the authentication exception information, send an authentication request to any VPN POP among the plurality of VPN POPs.
In this way, the problem of a robot being unable to access the VPN network because a particular VPN POP has stopped serving is reduced, and the availability of the system is improved.
It is further worth noting that the robot information, robot authentication center information and VPN POP information recorded in the blockchain ledger are critical data for access authentication. Therefore, in some implementation scenarios, a permission control policy may also be applied to the process of adding and modifying robots and robot authentication centers.
For example, in one possible implementation, permission control may be based on a permissioned chain. In the permissioned chain, whether a given blockchain account has write and modify permission for particular data can be restricted. For example, data write permission and data modify permission can be configured for the blockchain accounts of the OSS (Operation Support System) and/or BSS (Business Support System), while the blockchain accounts of robots, VPN POPs and the robot authentication center are given data read permission.
In some possible implementations, the data relating to robots and the robot authentication center may also be managed by means of a designated smart contract. For example, a corresponding smart contract may be written and the information stored through it. The smart contract may expose interfaces such as register, modify, deregister and query. The permission to call the register, modify, deregister and query interfaces is assigned to the blockchain account corresponding to the OSS/BSS, while the blockchain accounts corresponding to robots, VPN POPs and the robot authentication center are given permission to call only the query interface.
Accordingly, in some implementation scenarios, the system may further include a first authentication management terminal. Referring to the schematic diagram of a robot authentication scenario shown in FIG. 3, the first authentication management terminal is a blockchain node with robot registration permission, which may correspond to the relevant OSS/BSS account.
The first authentication management terminal is configured to, upon receiving a robot registration request, write the registration information in the registration request into the blockchain ledger and send the startup node information of the blockchain network to the robot, where the registration information includes the blockchain address and the identification code of the robot;
the robot is configured to save the startup node information and to join the blockchain network on the basis of the startup node information.
By way of example, the robot may generate a public key, a private key and an identification code, and derive a blockchain address from the public key. The robot may then send a registration request including the blockchain address and the identification code to the first authentication management terminal.
After receiving the registration request, the first authentication management terminal may write the robot's blockchain address and identification code into the blockchain ledger by submitting a transaction to the blockchain network, thereby completing registration.
Of course, in some implementations the robot's registration information may further include the robot's type, serial number, public key and so on. After receiving the registration request, the first authentication management terminal may also verify the robot's information; the present disclosure places no limitation on this.
In addition, the first authentication management terminal may send the startup node information of the blockchain network to the robot. Correspondingly, the robot may save the startup node information and join the blockchain network on the basis of it.
By way of example, the robot may connect to the blockchain network according to the recorded startup node information using a blockchain connection protocol, a light-node protocol or RPC. Once connected to the blockchain network, the robot may send an authentication request to any VPN POP in the blockchain network and proceed with authentication.
With the above technical solution, the registration process of robots is managed by providing the first authentication management terminal, and write permission for robot information is controlled at the same time.
In some implementation scenarios, the system further includes a second authentication management terminal, which is a blockchain node with robot registration permission and may correspond to the relevant OSS/BSS account.
The second authentication management terminal is configured to, upon receiving a registration request from a robot, generate a private key, public key, blockchain address, identifier information and identification code corresponding to the robot; write the public key, blockchain address and identification code into the blockchain ledger as the robot's registration information; and send the startup node information of the blockchain network, the identifier information and the private key to the robot;
the robot is configured to save the private key, the identifier information and the startup node information, join the blockchain network on the basis of the startup node information, and obtain its own blockchain address and identification code from the blockchain ledger on the basis of the identifier information.
In this way, the robot's public key, blockchain address, identifier information and identification code are generated by the relevant OSS/BSS node and stored on the chain. Each time the robot authenticates, it retrieves its own blockchain address and identification code from the chain and then performs authentication.
That is, the robot's authentication process requires no account and password, and the information involved in authentication (blockchain address, identification code and so on) is not maintained locally on the robot. The above technical solution therefore avoids the risk of a robot's account credentials being leaked and reduces the risk of a robot being impersonated.
In some implementation scenarios, the system may further include a third authentication management terminal. The third authentication management terminal is a blockchain node with robot deregistration permission and may correspond to the relevant OSS/BSS account.
The third authentication management terminal is configured to, upon receiving a robot deregistration request, determine the robot to be deregistered according to the robot identifier in the deregistration request, and update the registration information of that robot in the blockchain ledger to an invalid state.
Here, the robot deregistration request may be sent by a relevant robot management terminal or by the robot itself. In some implementations, the robot deregistration request may also be generated automatically by the third authentication management terminal according to preset rules. For example, a validity period may be set for each robot at registration, and a deregistration request is generated automatically once the validity period has elapsed. The robot identifier in the deregistration request may be, for example, a robot serial number or any other identifier that distinguishes robots; the present disclosure places no limitation on this.
Thus, upon receiving a robot deregistration request, the third authentication management terminal can determine the robot to be deregistered from the robot identifier in the request. The third authentication management terminal may then update that robot's registration information in the blockchain ledger to an invalid state by submitting a transaction to the blockchain network. Because its registration information has been updated to an invalid state, the deregistered robot can no longer pass authentication at a VPN POP.
In this way, registered robots can be managed through the third authentication management terminal, and deregistration permission for robot information is controlled at the same time.
In one possible implementation, the system further includes a fourth authentication management terminal, which is a blockchain node with robot authentication center registration permission and may correspond to the relevant OSS/BSS account.
The fourth authentication management terminal is configured to, upon receiving a registration request from a robot authentication center, write the registration information in the registration request into the blockchain ledger, the registration information including the blockchain address and public key of the robot authentication center.
By way of example, the robot authentication center may generate a public key and a private key and derive a blockchain address from the public key. The robot authentication center may then send a registration request including the blockchain address and the public key to the fourth authentication management terminal.
After receiving the registration request, the fourth authentication management terminal may write the blockchain address and public key of the robot authentication center into the blockchain ledger by submitting a transaction to the blockchain network, thereby completing registration.
With the above technical solution, the registration process of the robot authentication center is managed by providing the fourth authentication management terminal, and write permission for robot authentication center information is controlled at the same time.
Similarly, the system may include a fifth authentication management terminal, which is a blockchain node with VPN POP registration permission and is configured to, upon receiving a registration request from a VPN POP, write the registration information in the registration request into the blockchain ledger, the registration information including the blockchain address and public key of the VPN POP.
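The permission policy and contract interfaces described above, together with the registration and deregistration flows of the first to fifth authentication management terminals, as an added Go model that is not part of the patent: `Registry` stands in for the smart contract, only the OSS/BSS role may call register and deregister, every role may query, and deregistration (manual, or automatic once the validity period has elapsed) sets the record to the invalid state rather than deleting it. The role names, the record layout and the millisecond validity period are assumptions.

```go
package main

import "errors"

// Role of a blockchain account under the permission policy in the text.
type Role int

const (
	RoleOSSBSS Role = iota // may call register, deregister and query
	RoleRobot              // the remaining roles may only query
	RoleVPNPOP
	RoleAuthCenter
)

// Account is the blockchain account that submits a contract call.
type Account struct {
	Address string
	Role    Role
}

// Registration is the on-chain record: PinCode for robots, PublicKey for VPN POPs
// and the center; ValidUntil (ms, 0 = none) is the optional validity period.
type Registration struct {
	Address    string
	PinCode    string
	PublicKey  string
	Valid      bool
	ValidUntil uint64
}

// Registry stands in for the smart contract: address -> registration record.
type Registry map[string]*Registration

var (
	ErrPermission = errors.New("caller lacks call permission for this interface")
	ErrNotFound   = errors.New("no registration for this address")
	ErrExists     = errors.New("address already registered")
)

// requireWriter gates the register/deregister interfaces on the OSS/BSS role.
func requireWriter(caller Account) error {
	if caller.Role != RoleOSSBSS {
		return ErrPermission
	}
	return nil
}

// Register is the write path of the first, fourth and fifth authentication
// management terminals: the record enters the ledger in the valid state.
func (r Registry) Register(caller Account, reg Registration) error {
	if err := requireWriter(caller); err != nil {
		return err
	}
	if _, exists := r[reg.Address]; exists {
		return ErrExists
	}
	reg.Valid = true
	r[reg.Address] = &reg
	return nil
}

// Deregister is what the third authentication management terminal does: the
// record stays on the ledger but is updated to the invalid state.
func (r Registry) Deregister(caller Account, address string) error {
	if err := requireWriter(caller); err != nil {
		return err
	}
	rec, ok := r[address]
	if !ok {
		return ErrNotFound
	}
	rec.Valid = false
	return nil
}

// ExpireDue is the rule-driven deregistration the text describes: every valid
// record whose validity period has elapsed at nowMs is invalidated and returned.
func (r Registry) ExpireDue(caller Account, nowMs uint64) ([]string, error) {
	if err := requireWriter(caller); err != nil {
		return nil, err
	}
	var expired []string
	for addr, rec := range r {
		if rec.Valid && rec.ValidUntil != 0 && rec.ValidUntil <= nowMs {
			rec.Valid = false
			expired = append(expired, addr)
		}
	}
	return expired, nil
}

// Query is open to every role; a VPN POP uses it to fetch PIN code and validity.
func (r Registry) Query(_ Account, address string) (Registration, error) {
	rec, ok := r[address]
	if !ok {
		return Registration{}, ErrNotFound
	}
	return *rec, nil
}
```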
It should be noted that, for convenience and brevity of description, the embodiments described in the specification are all preferred embodiments, and the components they involve are not necessarily essential to the invention. For example, the first authentication management terminal, the second authentication management terminal and so on may, in a specific implementation, be independent system components or one and the same system component. In addition, the first authentication management terminal, the second authentication management terminal and so on may correspond to relevant blockchain management accounts, and those blockchain management accounts need not correspond to the OSS/BSS; the present disclosure places no limitation on this.
Based on the same inventive concept, the present disclosure further provides a robot authentication method for a VPN POP, where the VPN POP holds robot authentication authority granted by a robot authentication center and is able to obtain the blockchain ledger of the blockchain network, the blockchain ledger including registration information of registered robots.
Here, the registration information may include, for example, the robot's blockchain address and an identification code corresponding to that blockchain address. The identification code may be a PIN code assigned to each robot, with the identification codes of different robots kept distinct.
By way of example, the robot may generate a public key, a private key and an identification code, and derive a blockchain address from the public key. The robot may then register with the blockchain address and the identification code. After successful registration, the robot's blockchain address and identification code are written into the blockchain ledger.
In some implementation scenarios, the robot's registration information may further include related information such as robot type, public key, robot ID and so on; the present disclosure places no limitation on this.
FIG. 4 is a flowchart of a robot authentication method shown in the present disclosure. The method includes:
S41: receiving an authentication request from a target robot, the authentication request including first verification information and verification parameters;
S42: obtaining the target identification code of the target robot from the blockchain ledger according to the target blockchain address in the verification parameters, the target blockchain address being the blockchain address of the target robot;
S43: computing second verification information from the verification parameters and the target identification code;
S44: determining that the target robot has passed authentication if the first verification information is identical to the second verification information;
where the first verification information is computed by the target robot from the verification parameters and the target identification code.
By way of example, the verification parameters may include the target blockchain address, a timestamp and a random number generated by the target robot. The target robot computes the first verification information with the HMAC-SHA256 algorithm, using the target identification code as the key and the verification parameters as the data.
Specifically, the target robot may obtain its own target blockchain address robot-did, its identification code pin-code and the local timestamp timestamp (for example, the number of milliseconds since 00:00:00 on 1 January 1970, GMT+00:00, encoded in 8 bytes), and generate a random number random (for example, 32 bytes).
Having obtained this information, the target robot may compute, with HMAC-SHA256, using pin-code as the HMAC key and random||timestamp||robot-did as the data, the HMAC result mac1 (32 bytes) as the first verification information, where "||" denotes concatenation.
The target robot may then send an authentication request to the VPN POP, the authentication request including the first verification information mac1, the target blockchain address robot-did, the random number random and timestamp. Of course, in some scenarios the robot may instead concatenate mac1, random, timestamp and robot-did into an OTP (One Time Password), in which case the authentication request includes the OTP.
After receiving the authentication request from the target robot, the VPN POP may parse out the target blockchain address robot-did, the random number random and timestamp, and obtain the target identification code of the target robot from the blockchain ledger according to the target blockchain address. The VPN POP may then likewise compute, with HMAC-SHA256, using the retrieved pin-code as the HMAC key and random||timestamp||robot-did as the data, the HMAC result mac2 as the second verification information.
By comparing the first verification information with the second verification information, the VPN POP can authenticate the target robot. For example, if the first verification information is identical to the second verification information, the target robot passes authentication at the VPN POP; if the two differ, authentication fails.
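The robot-side computation of mac1, the OTP framing mac1||random||timestamp||robot-did and the VPN POP's recomputation and comparison from the steps above, as an added Go example that is not part of the patent. The big-endian encoding of the 8-byte timestamp, the constant-time comparison and the freshness window on the timestamp are assumptions the text does not fix.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Ledger reduces the on-chain registration info to what this step needs:
// robot blockchain address (robot-did) -> PIN-type identification code.
type Ledger map[string][]byte

// AuthRequest is what the target robot sends to a VPN POP.
type AuthRequest struct {
	Mac1      []byte // first verification information, 32-byte HMAC-SHA256
	Random    []byte // 32-byte random number generated by the robot
	Timestamp uint64 // ms since 1970-01-01T00:00:00Z, 8 bytes on the wire
	RobotDID  string // target blockchain address
}

const macLen, randomLen, tsLen, headLen = 32, 32, 8, 72

// computeMAC is the step both sides share: HMAC-SHA256 keyed with pin-code over
// random||timestamp||robot-did. Big-endian timestamp bytes are an assumption.
func computeMAC(pin, random []byte, ts uint64, did string) []byte {
	var tsBytes [tsLen]byte
	binary.BigEndian.PutUint64(tsBytes[:], ts)
	m := hmac.New(sha256.New, pin)
	m.Write(random)
	m.Write(tsBytes[:])
	m.Write([]byte(did))
	return m.Sum(nil)
}

// BuildAuthRequest is the robot side (S51-S53); random is injected so tests can fix it.
func BuildAuthRequest(did string, pin, random []byte, ts uint64) AuthRequest {
	return AuthRequest{Mac1: computeMAC(pin, random, ts, did), Random: random, Timestamp: ts, RobotDID: did}
}

// EncodeOTP frames the request as mac1||random||timestamp||robot-did.
func EncodeOTP(r AuthRequest) []byte {
	var tsBytes [tsLen]byte
	binary.BigEndian.PutUint64(tsBytes[:], r.Timestamp)
	out := make([]byte, 0, headLen+len(r.RobotDID))
	out = append(out, r.Mac1...)
	out = append(out, r.Random...)
	out = append(out, tsBytes[:]...)
	return append(out, r.RobotDID...)
}

// DecodeOTP parses the fixed-width fields; robot-did is the non-empty remainder.
func DecodeOTP(otp []byte) (AuthRequest, error) {
	if len(otp) <= headLen {
		return AuthRequest{}, errors.New("OTP too short")
	}
	return AuthRequest{
		Mac1:      otp[:macLen],
		Random:    otp[macLen : macLen+randomLen],
		Timestamp: binary.BigEndian.Uint64(otp[macLen+randomLen : headLen]),
		RobotDID:  string(otp[headLen:]),
	}, nil
}

// VerifyAuthRequest is the VPN POP side (S41-S44). The freshness window
// (now, maxSkewMs) is an added check the text does not spell out.
func VerifyAuthRequest(ledger Ledger, r AuthRequest, now, maxSkewMs uint64) error {
	pin, ok := ledger[r.RobotDID]
	if !ok {
		return errors.New("robot-did not found in ledger")
	}
	if r.Timestamp > now+maxSkewMs || r.Timestamp+maxSkewMs < now {
		return errors.New("timestamp outside the freshness window")
	}
	mac2 := computeMAC(pin, r.Random, r.Timestamp, r.RobotDID)
	if !hmac.Equal(r.Mac1, mac2) { // constant-time comparison of mac1 and mac2
		return errors.New("first and second verification information differ")
	}
	return nil
}

func main() {
	pin, did := []byte("constructed-pin-code"), "did:robot:constructed-0001" // constructed sample
	ledger := Ledger{did: pin}
	random := make([]byte, randomLen)
	_, _ = rand.Read(random)
	now := uint64(time.Now().UnixMilli())
	req, err := DecodeOTP(EncodeOTP(BuildAuthRequest(did, pin, random, now)))
	if err == nil {
		err = VerifyAuthRequest(ledger, req, now, 60_000)
	}
	fmt.Println("authentication error:", err) // nil: the robot passed
}
```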
It should be noted that the above embodiment illustrates the robot authentication process of the present disclosure with verification parameters consisting of the target blockchain address, a timestamp and a random number generated by the target robot. Those skilled in the art will appreciate that in a specific implementation these parameters may be adjusted accordingly (for example, by adding related robot information). Likewise, the one-way hash function used in the HMAC is not limited to the above example; other high-strength one-way hash functions (for example SHA-1) may also be used in the HMAC, and the present disclosure places no limitation on this.
The above technical solution provides a plurality of VPN POPs in the blockchain network, each VPN POP holding robot authentication authority granted by the robot authentication center. Any of the VPN POPs can thus perform network authentication of registered robots, which avoids both the performance bottleneck that a single robot authentication center faces when authenticating robots and the security risks that centralization brings.
Moreover, because the robots' registration information is stored in the blockchain ledger and can be maintained and managed by the blockchain system, the robot authentication center no longer needs to maintain robot registration information itself. This reduces the complexity of the robot authentication center and also helps to improve its reliability.
In one possible implementation, the VPN POP obtains the robot authentication authority as follows:
sending an identity authentication request to the robot authentication center, where the blockchain network includes the robot authentication center, the robot authentication center is able to obtain the blockchain ledger of the blockchain network, the blockchain ledger includes registration information of registered VPN POPs, the network authentication request includes registration verification information of the VPN POP, and the registration verification information is used by the robot authentication center to determine whether the VPN POP is registered and, if the VPN POP is registered, to initiate a mutual authentication flow with the VPN POP;
performing mutual authentication with the robot authentication center when the robot authentication center initiates the mutual authentication flow;
where the VPN POP obtains the robot authentication authority when mutual authentication between the VPN POP and the robot authentication center succeeds.
By way of example, the VPN POP may send a network authentication request to the robot authentication center, the network authentication request including, for example, the second blockchain address of the VPN POP and a second random number A. The robot authentication center can then look up the second blockchain address in the blockchain ledger. If the robot authentication center does not find the second blockchain address, it can determine that the VPN POP is not registered and terminate the authentication flow. If it does find the second blockchain address, it can determine that the VPN POP is registered and initiate the mutual authentication flow.
The mutual authentication flow is illustrated below by way of example. For instance, the robot authentication center may send a first random number B and the first blockchain address of the robot authentication center to the VPN POP.
The VPN POP may receive the first random number B and the first blockchain address, sign the first random number B with the VPN POP's private key to obtain the signature result SIGN(A), and send SIGN(A) to the robot authentication center.
The robot authentication center may obtain the public key PK(A) of the VPN POP by querying the blockchain ledger with the second blockchain address, and verify SIGN(A) by decrypting it with PK(A). If decryption fails and/or the decrypted result is not the first random number B, authentication fails and the authentication flow is terminated. If decryption succeeds and the result is the first random number B, authentication succeeds. The robot authentication center then signs the second random number A with its own private key to obtain SIGN(B), and sends SIGN(B) to the VPN POP so that the VPN POP can authenticate the robot authentication center.
Correspondingly, the VPN POP may obtain the public key PK(B) of the robot authentication center by querying the blockchain ledger with the first blockchain address, and verify SIGN(B) by decrypting it with PK(B). If decryption succeeds and the result is the second random number A, authentication succeeds. If decryption fails and/or the result is not the second random number A, authentication fails.
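The mutual authentication between a VPN POP (A) and the robot authentication center (B) described here and in the system embodiment earlier on this page, as an added Go example that is not part of the patent: each side looks up the other's registered public key on the ledger by blockchain address, the center checks SIGN(A) over random number B, and the POP checks SIGN(B) over random number A. The text names no signature algorithm or address derivation, so Ed25519 and a SHA-256-based address are assumptions, and its "decrypt and compare with the random number" is rendered as signature verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Ledger models the on-chain registration info for VPN POPs and the robot
// authentication center: blockchain address -> public key.
type Ledger map[string]ed25519.PublicKey

// Party is a VPN POP or the robot authentication center together with its keys.
type Party struct {
	Address string
	Pub     ed25519.PublicKey
	Priv    ed25519.PrivateKey
}

// AddressOf derives a blockchain address from the public key. The text says only
// that the address is generated from the public key; this form is an assumption.
func AddressOf(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "0x" + hex.EncodeToString(sum[:20])
}

func NewParty() (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Address: AddressOf(pub), Pub: pub, Priv: priv}, nil
}

// Register writes address and public key to the ledger, as the fourth and
// fifth authentication management terminals do in the text.
func (l Ledger) Register(p *Party) { l[p.Address] = p.Pub }

func newNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// verifySigned is the step each side performs: fetch the counterpart's public key
// from the ledger by address and check its signature over the random number
// (the text's "decrypt SIGN and compare"; with Ed25519 this is Verify).
func verifySigned(l Ledger, addr string, nonce, sig []byte) error {
	pk, ok := l[addr]
	if !ok {
		return errors.New("address not registered on the ledger")
	}
	if !ed25519.Verify(pk, nonce, sig) {
		return errors.New("signature does not verify over the random number")
	}
	return nil
}

// MutualAuth runs the exchange with pop as A and center as B. A nil result
// means the VPN POP obtains robot authentication authority.
func MutualAuth(l Ledger, pop, center *Party) error {
	// POP -> center: network authentication request (second address, random A)
	randomA, err := newNonce()
	if err != nil {
		return err
	}
	if _, registered := l[pop.Address]; !registered {
		return errors.New("VPN POP not registered: flow terminated")
	}
	// center -> POP: first random number B and the center's first address
	randomB, err := newNonce()
	if err != nil {
		return err
	}
	// POP signs B with its private key -> SIGN(A); center checks it with PK(A)
	signA := ed25519.Sign(pop.Priv, randomB)
	if err := verifySigned(l, pop.Address, randomB, signA); err != nil {
		return fmt.Errorf("center rejects POP: %w", err)
	}
	// center signs A with its private key -> SIGN(B); POP checks it with PK(B)
	signB := ed25519.Sign(center.Priv, randomA)
	if err := verifySigned(l, center.Address, randomA, signB); err != nil {
		return fmt.Errorf("POP rejects center: %w", err)
	}
	return nil
}

func main() {
	ledger := Ledger{}
	pop, _ := NewParty()
	center, _ := NewParty()
	ledger.Register(pop)
	ledger.Register(center)
	fmt.Println("registered POP:", MutualAuth(ledger, pop, center)) // <nil>
}
```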
In this way, the authentication between the VPN POP and the robot authentication center improves the security of the robot authentication system.
The present disclosure further provides a robot authentication method for a target robot, where the target robot may be the robot described in the above embodiments. The method includes:
S51: obtaining verification parameters and the target identification code of the target robot, the verification parameters including the blockchain address of the target robot;
S52: computing first verification information from the verification parameters and the target identification code;
S53: sending an authentication request including the first verification information and the verification parameters to any VPN POP in the blockchain network;
where each VPN POP holds robot authentication authority granted by the robot authentication center and is able to obtain the blockchain ledger of the blockchain network, the blockchain ledger including registration information of registered robots, the registration information including the robot's blockchain address and the identification code corresponding to that blockchain address; the VPN POP obtains the target identification code of the target robot from the blockchain ledger according to the target blockchain address in the verification parameters and computes second verification information from the verification parameters and the target identification code, and the target robot passes authentication at the VPN POP if the first verification information is identical to the second verification information.
For the authentication flow between the target robot and the VPN POP, reference is made to the description of the above embodiments; for brevity, it is not repeated here.
The above technical solution provides a plurality of VPN POPs in the blockchain network, each VPN POP holding robot authentication authority granted by the robot authentication center. Any of the VPN POPs can thus perform network authentication of registered robots, which avoids the performance bottleneck and the security risks that a single robot authentication center faces when authenticating robots. For example, when one VPN POP has failed and cannot serve, the target robot can still authenticate through another VPN POP.
Moreover, because the robots' registration information is stored in the blockchain ledger and can be maintained and managed by the blockchain system, the robot authentication center no longer needs to maintain robot registration information itself. This reduces the complexity of the robot authentication center and also helps to improve its reliability.
The present disclosure further provides a computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the steps of the robot authentication method for a VPN POP provided by the present disclosure.
In another exemplary embodiment, a computer program product is further provided, the computer program product comprising a computer program executable by a programmable device, the computer program having code portions which, when executed by the programmable device, perform the above robot authentication method for a VPN POP.
The present disclosure further provides a computing processing device, including:
a memory in which computer-readable code is stored; and
one or more processors, where, when the computer-readable code is executed by the one or more processors, the computing processing device performs the steps of the robot authentication method for a VPN POP provided by the present disclosure.
FIG. 6 is a schematic structural diagram of a computing processing device provided by the present disclosure. The computing processing device may include a processor 610 and a computer program product or computer-readable medium in the form of a memory 630. The memory 630 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM, a hard disk, or ROM. The memory 630 may include a storage space 650, and the storage space 650 may include program code for performing any of the method steps in the methods described above. For example, the storage space 650 may include individual program code 651 for implementing the respective steps of the robot authentication method for a VPN POP described above. This program code may be read from, or written into, one or more computer program products. These computer program products include program code carriers such as hard disks, compact discs (CDs), memory cards, or floppy disks. Such a computer program product is typically a portable or fixed storage unit as shown in FIG. 7. The storage unit may have storage segments, storage spaces, and the like arranged similarly to the memory 630 in the computing processing device of FIG. 6. The program code may, for example, be compressed in a suitable form. Here, the storage unit may include computer-readable code 651', that is, code that can be read by a processor such as the processor 610; when this code is run by a server, it causes the server to perform the respective steps of the robot authentication method for a VPN POP described above.
The present disclosure also provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the steps of the robot authentication method for a robot provided by the present disclosure.
In another exemplary embodiment, a computer program product is also provided. The computer program product comprises a computer program executable by a programmable device, and the computer program has code portions which, when executed by the programmable device, perform the robot authentication method for a robot described above.
The present disclosure also provides a computing processing device, including:
a memory in which computer-readable code is stored; and
one or more processors; when the computer-readable code is executed by the one or more processors, the computing processing device performs the steps of the robot authentication method for a robot provided by the present disclosure.
FIG. 8 is a schematic structural diagram of a computing processing device provided by the present disclosure. The computing processing device may include a processor 810 and a computer program product or computer-readable medium in the form of a memory 830. The memory 830 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM, a hard disk, or ROM. The memory 830 may include a storage space 850, and the storage space 850 may include program code for performing any of the method steps in the methods described above. For example, the storage space 850 may include individual program code 851 for implementing the respective steps of the robot authentication method for a robot described above. This program code may be read from, or written into, one or more computer program products. These computer program products include program code carriers such as hard disks, compact discs (CDs), memory cards, or floppy disks. Such a computer program product is typically a portable or fixed storage unit as shown in FIG. 9. The storage unit may have storage segments, storage spaces, and the like arranged similarly to the memory 830 in the computing processing device of FIG. 8. The program code may, for example, be compressed in a suitable form. Here, the storage unit may include computer-readable code 851', that is, code that can be read by a processor such as the processor 810; when this code is run by a server, it causes the server to perform the respective steps of the robot authentication method for a robot described above.
The preferred embodiments of the present disclosure have been described in detail above with reference to the accompanying drawings. However, the present disclosure is not limited to the specific details of the above embodiments; within the scope of the technical concept of the present disclosure, various simple modifications can be made to the technical solutions of the present disclosure, and all such simple modifications fall within the protection scope of the present disclosure.
It should further be noted that the specific technical features described in the above embodiments may be combined in any suitable manner where they do not contradict one another. To avoid unnecessary repetition, the present disclosure does not separately describe the various possible combinations.
In addition, the various embodiments of the present disclosure may also be combined arbitrarily, and as long as such combinations do not depart from the idea of the present disclosure, they should likewise be regarded as content disclosed by the present disclosure.

Claims (15)

  1. A robot authentication system, characterized in that it comprises a plurality of virtual private network service access points (VPN POPs), each VPN POP having robot authentication authority granted by a robot authentication center and being able to obtain a blockchain ledger in a blockchain network, the blockchain ledger including registration information of registered robots, the registration information including a blockchain address of the robot and an identification code corresponding to the blockchain address;
    any one of the VPN POPs is configured to receive an authentication request from a target robot, the authentication request including first verification information and verification parameters, obtain a target identification code of the target robot from the blockchain ledger according to a target blockchain address in the verification parameters, and calculate second verification information according to the verification parameters and the target identification code;
    wherein the target blockchain address is the blockchain address of the target robot, the first verification information is calculated by the target robot based on the verification parameters and the target identification code, and in the case where the first verification information is identical to the second verification information, the target robot passes authentication by the VPN POP.
  2. The robot authentication system according to claim 1, characterized in that the verification parameters include: the blockchain address of the target robot, a timestamp, and a random number generated by the target robot;
    the target robot is configured to use the target identification code as a key and the verification parameters as the data to be computed, and to calculate the first verification information by means of the HMAC-SHA256 algorithm.
  3. The robot authentication system according to claim 1, characterized in that the VPN POP is further configured to:
    in the case where the target robot passes authentication by the robot authentication center, send an access token to the target robot and to the robot authentication center, so that the robot authentication center sends the access token to the interaction terminal corresponding to the target robot;
    wherein the access token is used by the interaction terminal to verify interaction requests from the target robot.
  4. The robot authentication system according to claim 1, characterized in that the blockchain ledger further includes registration information of registered VPN POPs, the registration information including a blockchain address of the VPN POP and a public key of the VPN POP, and the robot authentication system further comprises:
    a robot authentication center, which is able to obtain the blockchain ledger in the blockchain network and is configured to, upon receiving an authentication request from a target VPN POP, determine, based on the registration information in the blockchain ledger, whether the target VPN POP is registered and, in the case where the target VPN POP is registered, perform mutual authentication with the target VPN POP; wherein, in the case where the mutual authentication succeeds, the target VPN POP has robot authentication authority;
    the target VPN POP is further configured to, upon receiving an authentication request from a target robot, send authentication exception information to the target robot if it determines that it has not successfully completed mutual authentication with the robot authentication center;
    the target robot is further configured to, after receiving the authentication exception information, send an authentication request to any VPN POP among the plurality of VPN POPs.
  5. The robot authentication system according to claim 1, characterized in that it further comprises:
    a first authentication management terminal, which is a blockchain node having robot registration authority and is configured to, upon receiving a robot registration request, write the registration information in the registration request into the blockchain ledger and send the startup node information of the blockchain network to the robot, wherein the registration information includes the blockchain address and the identification code of the robot;
    the robot is configured to store the startup node information and to join the blockchain network based on the startup node information.
  6. The robot authentication system according to claim 1, characterized in that it further comprises:
    a second authentication management terminal, which is a blockchain node having robot registration authority and is configured to, upon receiving a registration request from a robot, generate a private key, a public key, a blockchain address, identification information, and an identification code corresponding to the robot; write the public key, the blockchain address, and the identification code into the blockchain ledger as the registration information of the robot; and send the startup node information of the blockchain network, the identification information, and the private key to the robot;
    the robot is configured to store the private key, the identification information, and the startup node information, join the blockchain network based on the startup node information, and obtain its blockchain address and identification code from the blockchain ledger based on the identification information.
  7. The robot authentication system according to claim 1, characterized in that it further comprises:
    a third authentication management terminal, which is a blockchain node having robot deregistration authority and is configured to, upon receiving a robot deregistration request, determine the robot to be deregistered according to the robot identifier in the deregistration request and update the registration information of that robot in the blockchain ledger to a deregistered state.
  8. The robot authentication system according to claim 1, characterized in that it further comprises:
    a fourth authentication management terminal, which is a blockchain node having robot authentication center registration authority and is configured to, upon receiving a registration request from a robot authentication center, write the registration information in the registration request into the blockchain ledger, the registration information including the blockchain address and the public key of the robot authentication center; and/or
    a fifth authentication management terminal, which is a blockchain node having VPN POP registration authority and is configured to, upon receiving a registration request from a VPN POP, write the registration information in the registration request into the blockchain ledger, the registration information including the blockchain address and the public key of the VPN POP.
  9. A robot authentication method, characterized in that it is used for a VPN POP, the VPN POP having robot authentication authority granted by a robot authentication center and being able to obtain a blockchain ledger in a blockchain network, the blockchain ledger including registration information of registered robots, the registration information including a blockchain address of the robot and an identification code corresponding to the blockchain address, the method comprising:
    receiving an authentication request from a target robot, the authentication request including first verification information and verification parameters;
    obtaining a target identification code of the target robot from the blockchain ledger according to a target blockchain address in the verification parameters, the target blockchain address being the blockchain address of the target robot;
    calculating second verification information according to the verification parameters and the target identification code;
    in the case where the first verification information is identical to the second verification information, determining that the target robot passes authentication;
    wherein the first verification information is calculated by the target robot based on the verification parameters and the target identification code.
  10. The method according to claim 9, characterized in that the verification parameters include the blockchain address of the target robot, a timestamp, and a random number generated by the target robot, and the calculating of the second verification information according to the verification parameters and the target identification code comprises:
    using the target identification code as a key and the verification parameters as the data to be computed, and calculating the second verification information by means of the HMAC-SHA256 algorithm.
  11. The method according to claim 9, characterized in that the VPN POP obtains the robot authentication authority in the following manner:
    sending an identity authentication request to the robot authentication center; wherein the blockchain network includes the robot authentication center, the robot authentication center is able to obtain the blockchain ledger in the blockchain network, the blockchain ledger includes registration information of registered VPN POPs, the network authentication request includes registration verification information of the VPN POP, and the registration verification information is used by the robot authentication center to determine whether the VPN POP is registered and, in the case where the VPN POP is registered, to initiate a mutual authentication process with the VPN POP;
    in the case where the robot authentication center initiates the mutual authentication process, performing mutual authentication with the robot authentication center;
    wherein, in the case where the mutual authentication between the VPN POP and the robot authentication center succeeds, the VPN POP obtains the robot authentication authority.
  12. A robot authentication method, characterized in that it is used for a target robot, the method comprising:
    obtaining verification parameters and a target identification code of the target robot, the verification parameters including a blockchain address of the target robot;
    calculating first verification information according to the verification parameters and the target identification code;
    sending an authentication request including the first verification information and the verification parameters to any VPN POP in a blockchain network;
    wherein any of the VPN POPs has robot authentication authority granted by a robot authentication center and is able to obtain a blockchain ledger in the blockchain network, the blockchain ledger including registration information of registered robots, the registration information including the blockchain address of the robot and an identification code corresponding to the blockchain address; the VPN POP obtains the target identification code of the target robot from the blockchain ledger based on the target blockchain address in the verification parameters and calculates second verification information according to the verification parameters and the target identification code, and in the case where the first verification information is identical to the second verification information, the target robot passes authentication by the VPN POP.
  13. A computer program, characterized in that it comprises computer-readable code which, when run on a computing processing device, causes the computing processing device to perform the method according to any one of claims 9 to 12.
  14. A computer-readable storage medium on which a computer program is stored, characterized in that, when the program is executed by a processor, the steps of the method according to any one of claims 9 to 12 are implemented.
  15. A computing processing device, characterized in that it comprises:
    a memory on which a computer program is stored;
    a processor configured to execute the computer program in the memory to implement the steps of the method according to any one of claims 9 to 12.
PCT/CN2021/143775 2021-06-29 2021-12-31 Robot authentication system and method WO2023273277A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110729418.6A CN115225428B (en) 2021-06-29 2021-06-29 Robot authentication system and method
CN202110729418.6 2021-06-29

Publications (1)

Publication Number Publication Date
WO2023273277A1 true WO2023273277A1 (en) 2023-01-05

Family

ID=83606674

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/143775 WO2023273277A1 (en) 2021-06-29 2021-12-31 Robot authentication system and method

Country Status (2)

Country Link
CN (1) CN115225428B (en)
WO (1) WO2023273277A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108702622A (en) * 2017-11-30 2018-10-23 深圳前海达闼云端智能科技有限公司 Mobile network's access authentication method, device, storage medium and block chain node
CN109450877A (en) * 2018-10-25 2019-03-08 北京九州云腾科技有限公司 Distributed IDaaS Unified Identification system based on block chain
CN111835520A (en) * 2019-04-19 2020-10-27 株式会社理光 Method for device authentication, method for service access control, device and storage medium
KR102196478B1 (en) * 2019-10-04 2020-12-30 주식회사 레인보우브레인 Method and system for providing verification services of result of artificial intelligence robot automation software execution based on blockchain
CN112528270A (en) * 2020-12-09 2021-03-19 苏州市星际云通区块链科技有限公司 Block chain management method and device, electronic equipment and readable storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11121873B2 (en) * 2019-02-08 2021-09-14 Microsoft Technology Licensing, Llc System and method for hardening security between web services using protected forwarded access tokens
CN110519062B (en) * 2019-09-19 2021-10-29 腾讯科技(深圳)有限公司 Identity authentication method, authentication system and storage medium based on block chain
CN111859348B (en) * 2020-07-31 2022-07-19 上海微位网络科技有限公司 Identity authentication method and device based on user identification module and block chain technology


Also Published As

Publication number Publication date
CN115225428B (en) 2023-10-13
CN115225428A (en) 2022-10-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21948199

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE