WO2024045092A1 - Method and apparatus for determining unique identifier of device, and electronic device - Google Patents

Method and apparatus for determining unique identifier of device, and electronic device Download PDF

Info

Publication number
WO2024045092A1
WO2024045092A1 PCT/CN2022/116362 CN2022116362W WO2024045092A1 WO 2024045092 A1 WO2024045092 A1 WO 2024045092A1 CN 2022116362 W CN2022116362 W CN 2022116362W WO 2024045092 A1 WO2024045092 A1 WO 2024045092A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
address
client certificate
identification
mac address
Prior art date
Application number
PCT/CN2022/116362
Other languages
French (fr)
Chinese (zh)
Inventor
刘恒亚
齐麟
Original Assignee
西门子股份公司
西门子(中国)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 西门子股份公司, 西门子(中国)有限公司 filed Critical 西门子股份公司
Priority to PCT/CN2022/116362 priority Critical patent/WO2024045092A1/en
Publication of WO2024045092A1 publication Critical patent/WO2024045092A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/02Details
    • H04L12/16Arrangements for providing special services to substations
    • H04L12/18Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols

Definitions

  • the present invention relates to the field of computer technology, and in particular, to a method, device and electronic device for determining a unique identifier of a device.
  • IP Internet Protocol
  • MAC Media Access Control
  • devices cannot be accurately identified based on IP addresses or MAC addresses. For example, when the same device connects to the same network at different times, the IP address of the device may change. For another example, the same device may be connected to different networks at the same time through two or more network cards, and thus the device may be assigned multiple sets of IP addresses and MAC addresses. In these scenarios, the same device may be identified as different devices based on the device's IP address or MAC address, making device identification inaccurate.
  • the present invention provides a method, device and electronic device for determining a unique identifier of a device, so as to at least partially solve the above technical problems.
  • embodiments of the present application provide a method for determining a unique identifier of a device, including:
  • the second device identification includes a second MAC address and a second IP address, and the second MAC address is the same as the second device identification.
  • the first MAC address is different, and/or the second IP address is different from the first IP address;
  • the first device identifier in the first binding record is replaced with the second device identifier to update the first binding record.
  • identifying whether the first device identity is changed to a second device identity based on the first client certificate includes:
  • the second client certificate is the same as the first client certificate, it is determined that the first terminal device and the second terminal device are the same terminal device, and the first device identification is changed to the third terminal device. 2. Equipment identification.
  • the obtaining the first device identification of the first terminal device and the first client certificate of the first terminal device includes:
  • the MAC address and client certificate of the first terminal device are obtained as the first MAC address and the first client certificate respectively. Certificate;
  • the IP address of the first terminal device is obtained as the first IP address from the interaction information between the first terminal device and the DHCP server when requesting the IP address.
  • the MAC address and client certificate of the first terminal device are obtained from the interaction information between the first terminal device and the authentication server when accessing the network, and are used as the The first MAC address and the first client certificate, including:
  • the IP address of the first terminal device is obtained from the interaction information between the first terminal device and the DHCP server when requesting an IP address as the first IP address, include:
  • embodiments of the present application provide a device for determining a unique identifier of a device, including:
  • An acquisition module configured to acquire a first device identification of the first terminal device and a first client certificate of the first terminal device, where the first device identification includes a first MAC address and a first IP address;
  • a binding module configured to bind the first client certificate and the first device identification as a first binding record, where the first binding record is used to uniquely identify the first terminal device;
  • An identification module configured to identify whether the first device identification is changed to a second device identification based on the first client certificate, wherein the second device identification includes a second MAC address and a second IP address, and the third The second MAC address is different from the first MAC address, and/or the second IP address is different from the first IP address;
  • An update module configured to, if it is recognized that the first device identification has been changed to the second device identification, replace the first device identification in the first binding record with the second device identification to update it to the first binding record.
  • the identification module is specifically used to:
  • the second client certificate is the same as the first client certificate, it is determined that the first terminal device and the second terminal device are the same terminal device, and the first device identification is changed to the third terminal device. 2. Equipment identification.
  • the acquisition module is specifically used to:
  • Obtaining the first device identification of the first terminal device and the first client certificate of the first terminal device includes:
  • the MAC address and client certificate of the first terminal device are obtained as the first MAC address and the first client certificate respectively. Certificate;
  • the IP address of the first terminal device is obtained as the first IP address from the interaction information between the first terminal device and the DHCP server when requesting the IP address.
  • the acquisition module is specifically used to:
  • the acquisition module is specifically used to:
  • an electronic device including: a processor, a memory, a communication interface, and a communication bus.
  • the processor, the memory, and the communication interface complete communication with each other through the communication bus;
  • the memory is used to store at least one executable instruction, which causes the processor to perform operations corresponding to the method described in any one of the first aspects.
  • a fourth aspect provides a computer-readable storage medium on which computer-executable instructions are stored, wherein when executed, the computer-executable instructions cause the processor to perform any of the steps described in the first aspect. method.
  • Embodiments of the present application provide methods, devices and electronic devices for determining the unique identification of a device. Due to the uniqueness of the first client certificate of the first terminal device, even if the first device identification of the first terminal device is changed to the second device When identifying, that is, when the MAC address of the first terminal device changes from the first MAC address to the second MAC address and/or the IP address of the first terminal device changes from the first IP address to the second MAC address, based on the first The first client certificate of the terminal device can immediately identify the above changes and make updates, thereby uniquely and accurately identifying the device and improving the accuracy of device identification.
  • the first binding record is guaranteed to always uniquely identify the first terminal device based on the uniqueness and persistence of the first client certificate, when processing business logic such as device query, device update, device merging, and device binding, etc. , which can significantly reduce the complexity of business logic processing and improve work efficiency.
  • the uniqueness and persistence of the first client certificate it is ensured that the first binding record always uniquely identifies the first terminal device, avoiding the need to manually set other identity identifiers for the first terminal device to uniquely identify the first terminal device. Save labor costs.
  • Figure 1 is an architectural diagram of a system suitable for the method for determining a unique identifier of a device provided by an embodiment of the present application;
  • Figure 2 is a schematic flow chart of a method for determining a unique identifier of a device provided by an embodiment of the present application
  • Figure 3 is a schematic diagram of a process for obtaining the MAC address and client certificate of the first terminal device provided by an embodiment of the present application;
  • Figure 4 is a schematic diagram of a process for obtaining the IP address of a first terminal device provided by an embodiment of the present application
  • Figure 5 is a signal flow diagram of a process for obtaining the MAC address, client certificate and IP address of the first terminal device provided by an embodiment of the present application;
  • Figure 6 is a schematic structural diagram of a device for determining a unique identifier of a device provided by an embodiment of the present application
  • FIG. 7 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
  • Terminal equipment 20 Access equipment 30: Authentication server
  • DHCP server 30A Radius server
  • the device identifier is replaced with the second device identifier to update the first binding record.
  • the first terminal device sends the authentication access start message ⁇ EAPoL start> to the access device.
  • the access device can send an identification request ⁇ EAP-Request/Identity> to the first terminal device
  • the first terminal device sends the identification response message ⁇ EAP-Respons/Identity> to the access device.
  • the access device encapsulates the identification response message ⁇ EAP-Respons/Identity> into a Radius access request message ⁇ RADIUS AcessRequset/Identity> and transmits it to the Rohis server
  • the Rohis server sends the TLS-Start request message ⁇ EAP-TLS-Request/StartTLS> to the first terminal device via the access device.
  • the first terminal device sends the client greeting message ⁇ EAP-TLS-Request/ClientHello> to the Arthuris server via the access device.
  • the Rohis server sends a server greeting message ⁇ Radius Access-Challenge/ServerHello> to the first terminal device via the access device.
  • the first terminal device sends the TLS response message ⁇ EAP-TLS-Response/Certificate> to the Raduis server via the access device.
  • the Rohis server sends the handshake completion message ⁇ EAP-TLS-Request/ChangeCipherSpec_Finished> to the first terminal device via the access device.
  • the Rohis server sends an access response message ⁇ Radius AccessResponse/Accept> to the access device.
  • the access device sends an authentication success message ⁇ EAP-Success> to the first terminal device.
  • the first terminal device sends a DHCP request ⁇ DHCP Request> to the DHCP server via the access device.
  • the DHCP server sends a DHCP response ⁇ DHCP ACK> to the first terminal device via the access device.
  • S501 Receive the authentication access start message ⁇ EAPoL Start> message from the first terminal device, and obtain the MAC address of the first terminal device.
  • Memory 708 Communication bus 710: Executable instructions
  • IP address and MAC addresses are easy to obtain from the network, the IP address or MAC address is usually used as a unique identifier for identifying a device connected to the network.
  • the device's IP address may change. For example, the device's IP address switches from 172.x.x.2 to 172.x.x.3. . Therefore, in this scenario, the IP address cannot be used as a persistent unique identifier of the device. Identifying devices based on IP addresses may identify the same device as two different devices, resulting in inaccurate device identification.
  • a device has two different network cards, and the device can be connected to different networks at the same time. Since the device has two different network cards, the device will be assigned two sets of IP addresses and MAC addresses, that is, the device has a multi-valued unique identifier. In this scenario, the same device will be identified as two or more different devices based on IP address and MAC address, resulting in inaccurate device identification.
  • the MAC address As the unique identifier of the device. For example, when performing network traffic analysis, it is often necessary to identify the data source of a packet (i.e., the device that sent the packet). However, since the MAC address of the data packet changes after it passes through a network device (such as a switch or router), the MAC address cannot be used to identify the data source.
  • embodiments of the present application provide a method and device for determining a unique identifier of a device, so as to at least partially solve the above technical problems.
  • Figure 1 is an architectural diagram of a schematic system suitable for the method for determining a unique identifier of a device provided by an embodiment of the present application.
  • the system includes: terminal equipment 10, such as factory equipment that needs to access the IT network or OT network; access equipment 20, such as switches and routers; authentication server 30, used to access the terminal equipment 10
  • the network authenticates the terminal device 10, such as the Radius server; and the DHCP server 40 is used to allocate dynamic IP addresses to the terminal device 10 in the local area network.
  • the terminal device 10 accesses the network through the access device 20 .
  • the terminal device 10 When accessing the network, the terminal device 10 needs to interact with the authentication server 30 through the access device 20 to complete access authentication. After the access authentication of the terminal device 10 is successful, the access device 20 interacts with the DHCP server 40 to request an IP address from the DHCP server 40, and the DHCP server allocates an IP address to the terminal device 10 in response to the request from the terminal device 10.
  • the method for determining the unique identifier of the device provided by the embodiment of the present application may be executed by the access device 20 or by other devices that are communicatively connected to the access device 20 . Based on the system in Figure 1, the method for determining the unique identifier of the device provided by the embodiment of the present application will be described in detail below.
  • Figure 2 is a flow chart of a method for determining a unique identifier of a device provided by an embodiment of the present application. This method may be performed by the access device 20 in Figure 1 or by other devices that are communicatively connected to the access device 20. As shown in Figure 2, the method includes:
  • the first device identifier includes a first MAC address and a first IP address.
  • the first terminal equipment 10 corresponds to the terminal equipment shown in FIG. 1 , which may include factory equipment or other similar equipment connected to an OT network or an IT network.
  • the first client certificate is a digital certificate used to verify the legal identity of the first terminal device 10 during network communication.
  • the first client certificate is unique and persistent.
  • step S201 may include:
  • Step A Obtain the MAC address and client certificate of the first terminal device 10 from the interaction information between the first terminal device 10 and the authentication server 30 when accessing the network, as the first MAC address and the first client certificate respectively.
  • the first terminal device 10 when the first terminal device 10 is connected to the Internet, the first terminal device 10 first needs to interact with the authentication server 30 through the access device 20 to complete access authentication. During the interaction process, the first terminal device 10 first provides its MAC address to the access device 20 . The access device 20 will interact with the first terminal device 10 according to the MAC address sent by the first terminal device 10 to request the user name, client certificate and other information of the first terminal device 10 to provide to the authentication server 30 to complete the first step. Authentication between a terminal device 10 and the authentication server 30.
  • the access device 20 can obtain the MAC address and client certificate of the first terminal device 10 from the interaction information between the first terminal device 10 and the authentication server 30 as the first MAC address and the first client certificate respectively. end certificate.
  • the access device 20 obtains the authentication access start request sent by the first terminal device 10 when accessing the network; obtains the MAC address 301 of the first terminal device 10 from the authentication access start request, as the first MAC address; obtain the access authentication request sent by the first terminal device 10 to the authentication server 30 via the access device 20 when performing network authentication; obtain the client certificate 302 of the first terminal device 10 from the access authentication request , as the first client certificate.
  • FIG. 5 is a signal flow diagram of a process for obtaining the MAC address, client certificate and IP address of the first terminal device 10 provided by the embodiment of this application.
  • the Raduis server 30A is used as the authentication server, and the EAP-TLS protocol is used for access authentication between the first terminal device 10 and the Raduis server as an example for explanation.
  • FIG. 5 is only an example. In other embodiments, the first terminal device 10 and the authentication server 30 may use other suitable protocols for access authentication, which is not limited in this embodiment.
  • the first terminal device 10 sends an authentication access start message ⁇ EAPoL start> (i.e., authentication access start request) to the access device 20, indicating that the access authentication starts.
  • the authentication access start message ⁇ EAPoL start> carries the MAC address of the first terminal device 10.
  • the access device 20 can obtain the MAC address of the first terminal device 10 from the authentication access start message (ie, S501). Specifically, the MAC address of the first terminal device 10 is obtained from the data link layer according to the authentication access start message as the first MAC address. And, in response to receiving the authentication access start message, in information flow 2, the access device 20 may send an identification request ⁇ EAP-Request/Identity> to the first terminal device 10, requiring the first terminal device 10 to provide an identity identifier. .
  • the first terminal device 10 In response to receiving the identification request message ⁇ EAP-Request/Identity>, in information flow 3, the first terminal device 10 sends an identification response message ⁇ EAP-Respons/Identity> to the access device 20, the content of which is the user's identity. .
  • the access device 20 encapsulates the identification response message ⁇ EAP-Respons/Identity> into a Radius access request message ⁇ RADIUS AcessRequset/Identity> and transmits it to the Rohis server 30A.
  • the Rohis server 30A After obtaining the identity of the first terminal device 10 from the Radius access request message ⁇ RADIUS AccessRequset/Identity>, the Arthuris server 30A sends a TLS-Start request to the first terminal device 10 via the access device 20 in information flow 5. Message ⁇ EAP-TLS-Request/StartTLS>. It should be understood that in order to simplify the view, the process in which the access device 20 performs the message encapsulation and decapsulation process to forward the message between the first terminal device 10 and the Raduis server 30A is omitted in FIG. 5 . In practical applications, the communication process between the first terminal device 10 and the Rohis server 30A is all performed through the access device 20, which will not be described again.
  • the client hello message ⁇ EAP-TLS-Request/StatTLS> is sent to the Raduis server 30A via the access device 20 in signal flow 6 ClientHello>, this message contains the supported TLS protocol version, supported encryption algorithm, supported compression method, etc.
  • the Raduis server 30A In response to receiving the client hello message ⁇ EAP-TLS-Request/ClientHello>, in signal flow 7, the Raduis server 30A sends the server hello message ⁇ Radius Access-Challenge/ServerHello> to the first terminal device 10 via the access device 20 , the message contains information such as confirming the TLS protocol version used, confirming the encryption algorithm used, server certificate, and requesting the client to provide a certificate.
  • the first terminal device 10 After receiving the server hello message ⁇ EAP-TLS-Request/ServerHello>, the first terminal device 10 sends the TLS response message ⁇ EAP-TLS-Response/Certificate> to the Arthuris server 30A via the access device 20 in the signal flow 8 , this message contains the client certificate of the first terminal device 10 .
  • the access device 20 can also obtain the client certificate of the first terminal device 10 from the TLS response message ⁇ EAP-TLS-Response/Certificate> (ie, S502). Specifically, the client certificate of the first terminal device 10 is obtained from the transport layer according to the message as the first client certificate.
  • the Rohis server 30A In response to receiving the TLS response message ⁇ EAP-TLS-Response/Certificate>, in signal flow 9, the Arthuris server 30A sends a handshake completion message ⁇ EAP-TLS-Request/ChangeCipherSpec_Finished> to the first terminal device 10 via the access device 20 , indicating the end of the handshake, and in the signal flow 10, the Arthuris server 30A sends the access response message ⁇ Radius AccessResponse/Accept> to the access device 20, indicating that the authentication is completed. After decapsulating the message, the access device 20 sends an authentication success message ⁇ EAP-Success> to the first terminal device 10 in the signal flow 11, and the authentication is completed.
  • the access device 20 may perform step S501, according to the authentication access received from the first terminal device 10 in the signal flow 1.
  • Start message ⁇ EAPoL Start> message to obtain the MAC address of the first terminal device.
  • the MAC address of the first terminal device 10 is obtained from the data link layer according to the message as the first MAC address.
  • the access device 20 may also perform step S502 to obtain the client certificate of the first terminal device 10 according to the TLS response message ⁇ EAP-TLS-Response/Certificate> received from the first terminal device 10 in the signal flow 8 .
  • the client certificate of the first terminal device 10 is obtained from the transport layer according to the message as the first client certificate.
  • Step B Obtain the IP address of the first terminal device 10 as the first IP address from the interaction information between the first terminal device 10 and the DHCP server 40 when requesting the IP address.
  • the first terminal device 10 interacts with the DHCP server via the access device 20 to obtain the dynamic IP address assigned by the DHCP server. For example, as shown in Figure 4, the first terminal device 10 can send its MAC address 401 to the access device 20, and the access device 20 forwards the MAC address 401 to the DHCP server. After the DHCP server determines the IP address for the MAC address, it sends the IP address 402 to the access device 20 , and the access device 20 forwards it to the first terminal device 10 . In this way, the first terminal device 10 obtains the IP address dynamically assigned to it by the access device 20 .
  • the access device 20 can obtain the MAC address sent by the first terminal device 10 to the DHCP server and the IP address assigned by the DHCP server to the first terminal device 10, and convert the IP address address as the first IP address.
  • the first terminal device 10 requests an IP address
  • the first terminal device 10 sends a DHCP request ⁇ DHCP Request> to the DHCP server via the access device 20 in the signal flow 12.
  • the request contains the MAC address of the first terminal device 10 .
  • the DHCP server 40 sends a DHCP response ⁇ DHCP ACK> to the first terminal device 10 via the access device 20.
  • the DHCP response includes the DHCP server 40 allocated for the first terminal device 10. IP address. It should be understood that in order to simplify the view, the process of the access device 20 forwarding the DHCP request and the DHCP response is omitted in Figure 5.
  • the communication between the first terminal device 10 and the DHCP server 40 is via the access Device 20 is carried out.
  • the access device 20 executes step S503 to obtain the MAC address of the first terminal device 10 from the DHCP request.
  • step S504 is performed to obtain the IP address of the first terminal device 10 from the DHCP response.
  • the first binding record is used to uniquely identify the first terminal device 10 .
  • the access device 20 obtains the MAC address and client certificate of the first terminal device 10
  • the MAC address and the client certificate are bound, that is, the first MAC address and the first client certificate are bound.
  • the MAC address and IP address can be bound, thereby binding the MAC address, client certificate and IP address of the first terminal device 10 , as the first binding record to uniquely identify the first terminal device 10.
  • the access device 20 can always obtain a triplet consisting of the MAC address, client certificate and IP address of the first terminal device 10, and thereby identify the first terminal device 10.
  • the second device identification includes a second MAC address and a second IP address, the second MAC address is different from the first MAC address, and/or the second IP address is different from the first IP address;
  • the same terminal device may have two MAC addresses or due to various other reasons, the MAC address of the same terminal device obtained by the access device 20 may change. Due to the uniqueness of client certificates, the same end device only has unique and persistent client certificates. When the MAC address of the same terminal device changes, this change can be easily identified based on the client certificate of the terminal device during the authentication access process. Therefore, when the first MAC address of the first terminal device 10 changes from the first MAC address to the second MAC address, the access device 20 can easily identify this change based on the client certificate, which will facilitate subsequent timely The MAC address is updated to ensure unique identification of the first terminal device 10 .
  • the DHCP server 40 dynamically allocates IP addresses, after the first terminal device 10 completes the authentication access and accesses the network at different times, its IP address will also change. Due to the uniqueness and persistence of the first client certificate, this change can be identified based on the first client certificate. In addition, during the authentication access process, whether the MAC address of the first terminal device 10 changes is identified based on the first client certificate, and the MAC address is updated in time when the MAC address changes. Therefore, in a subsequent stage, whether the IP address of the first terminal device 10 is changed from the first IP address to the second IP address can also be directly identified based on the MAC address of the first terminal device 10 .
  • identifying whether the first device identity is changed to the second device identity includes: obtaining the second device identity of the second terminal device and the second device identity of the second terminal device. Client certificate; if the second client certificate is the same as the first client certificate, it is determined that the first terminal device 10 and the second terminal device are the same terminal device, and the first device identification is changed to the second device identification.
  • the second terminal device and the first terminal device 10 may be the same device or different devices.
  • the access device 20 may obtain the second device identification of the second terminal device in the same manner as the first device identification of the first terminal device 10 . Due to the uniqueness and persistence of the client certificate, the access device 20 can determine whether the second terminal device is the same as the first client certificate based on whether the second client certificate in the second device identification of the second terminal device is the same as the first client certificate. Whether a terminal device 10 is the same terminal device. If during the authentication access process, the first client certificate is the same as the first client certificate, but the first MAC address and the second MAC address are different, it can be determined that the first terminal device 10 and the second terminal device are the same terminal device.
  • the MAC address of the first terminal device 10 changes.
  • the first terminal device 10 and the second terminal device with the same MAC address are obtained and have the first IP address and the second IP address respectively, and the first IP address and the second IP address are different.
  • the first MAC address in the first binding record may be updated to the second MAC address to update
  • the first binding record ensures the unique identification of the first terminal device 10 .
  • the IP address of the first terminal device 10 changes from the first IP address to the second IP address
  • the first IP address in the first binding record can be updated to the second IP address to update the first IP address. Binding records.
  • the first binding record can be The first MAC address in is updated to the second MAC address, and the first IP address is updated to the second IP address to update the first binding record, thereby ensuring unique identification of the first terminal device 10 .
  • the first device identification of the first terminal device is changed to the second device identification, that is, the MAC address of the first terminal device
  • the first MAC address is changed to the second MAC address and/or the IP address of the first terminal device is changed from the first IP address to the second MAC address
  • the above changes can be immediately identified based on the first client certificate of the first terminal device. And make updates to uniquely and accurately identify devices and improve device identification accuracy.
  • the first binding record is guaranteed to always uniquely identify the first terminal device based on the uniqueness and persistence of the first client certificate, when processing business logic such as device query, device update, device merging, and device binding, etc.
  • the first binding record always uniquely identifies the first terminal device, avoiding the need to manually set other identity identifiers for the first terminal device to uniquely identify the first terminal device. Save labor costs.
  • FIG. 6 is a schematic structural diagram of a device for determining a unique identifier of a device provided by an embodiment of the present application.
  • the device 60 may be the access device in Figure 1, may also be integrated in the access device, or may be communicatively connected with the access device to execute the method for determining the unique identification of the device provided by the foregoing method embodiment. As shown in 5, the device includes:
  • Obtaining module 601 is used to obtain the first device identification of the first terminal device and the first client certificate of the first terminal device, where the first device identification includes the first MAC address and the first IP address;
  • the binding module 602 is used to bind the first client certificate and the first device identification as the first binding record, and the first binding record is used to uniquely identify the first terminal device;
  • Identification module 603 configured to identify whether the first device identity is changed to a second device identity based on the first client certificate.
  • the second device identity includes a second MAC address and a second IP address, and the second MAC address and the first MAC address is different, and/or, the second IP address is different from the first IP address;
  • Update module 604 configured to replace the first device identifier in the first binding record with the second device identifier to update it to the first device identifier if it is recognized that the first device identifier has been changed to the second device identifier. Binding records.
  • the identification module is specifically used to:
  • the second client certificate is the same as the first client certificate, it is determined that the first terminal device and the second terminal device are the same terminal device, and the first device identification is changed to the second device identification.
  • the acquisition module is specifically used to:
  • Obtaining the first device identification of the first terminal device and the first client certificate of the first terminal device includes:
  • IP address of the first terminal device as the first IP address from the interaction information between the first terminal device and the DHCP server when requesting the IP address.
  • the acquisition module is specifically used to:
  • the acquisition module is specifically used to:
  • the device for determining the unique identifier of the device provided in this embodiment is used to implement the corresponding methods for determining the unique identifier of the device in the multiple method embodiments mentioned above, and has the beneficial effects of the corresponding method embodiments, which will not be described again here. .
  • the functional implementation of each module in the device for determining the unique identification of a device in this embodiment reference can be made to the description of the corresponding part in the foregoing method embodiment, and details will not be described again here.
  • FIG. 7 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
  • the electronic device 70 may be the access device 20 in FIG. 1 , may also be integrated in the access device 20 , or may be communicatively connected with the access device 20 to perform the steps provided by the foregoing method embodiments for determining the unique identification of the device. Methods.
  • the electronic device may include: a processor 702, a communication interface 704, a memory 706 storing a program (at least one executable instruction 710), and a communication bus 708.
  • the processor, communication interface, and memory communicate with each other through the communication bus.
  • Communication interface used to communicate with other electronic devices or servers.
  • the processor is used to execute the program. Specifically, it can execute the relevant steps in the above method embodiments.
  • the program may include program code including computer operating instructions.
  • the processor may be a processor CPU, or an application specific integrated circuit ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement embodiments of the present application.
  • the one or more processors included in the smart device can be the same type of processor, such as one or more CPUs; or they can be different types of processors, such as one or more CPUs and one or more ASICs.
  • the memory may include high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
  • the program can specifically be used to cause the processor to execute the method for determining the unique identification of the device provided in the foregoing method embodiment.
  • each component/step described in the embodiments of this application can be split into more components/steps, or two or more components/steps or partial operations of components/steps can be combined into New components/steps to achieve the purpose of the embodiments of this application.
  • the above-mentioned methods according to the embodiments of the present application can be implemented in hardware, firmware, or as software or computer code that can be stored in a recording medium (such as CD ROM, RAM, floppy disk, hard disk or magneto-optical disk), or by The computer code downloaded by the network is originally stored in a remote recording medium or a non-transitory machine-readable medium and will be stored in a local recording medium, so that the method described here can be stored using a general-purpose computer, a special-purpose processor or a programmable computer. or such software processing on a recording medium of dedicated hardware (such as ASIC or FPGA).
  • a recording medium such as CD ROM, RAM, floppy disk, hard disk or magneto-optical disk
  • the computer code downloaded by the network is originally stored in a remote recording medium or a non-transitory machine-readable medium and will be stored in a local recording medium, so that the method described here can be stored using a general-purpose computer, a special-purpose processor or a programm
  • a computer, processor, microprocessor controller, or programmable hardware includes storage components (e.g., RAM, ROM, flash memory, etc.) that can store or receive software or computer code when the software or computer code is used by the computer, When accessed and executed by a processor or hardware, the methods described herein are implemented. Furthermore, when a general-purpose computer accesses code for implementing the methods illustrated herein, execution of the code converts the general-purpose computer into a special-purpose computer for performing the methods illustrated herein.
  • Embodiments of the present application also provide a computer-readable storage medium on which computer-executable instructions are stored, wherein when executed, the computer-executable instructions cause the processor to perform any of the foregoing method embodiments. method described. It has the same working principle and technical effect as the aforementioned method embodiment. To avoid redundancy, details will not be explained here.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Small-Scale Networks (AREA)

Abstract

A method and apparatus for determining a unique identifier of a device, and an electronic device. The method comprises: acquiring a first device identifier of a first terminal device and a first client certificate of the first terminal device, wherein the first device identifier comprises a first MAC address and a first IP address; binding the first client certificate to the first device identifier to serve as a first binding record, wherein the first binding record is used for uniquely identifying the first terminal device; identifying, on the basis of the first client certificate, whether the first device identifier has changed to a second device identifier, wherein the second device identifier comprises a second MAC address and a second IP address, the second MAC address is different from the first MAC address, and/or the second IP address is different from the first IP address; and if it is identified that the first device identifier has changed to a second device identifier, replacing the first device identifier in the first binding record by the second device identifier, so as to update to the first binding record. On the basis of the method, the accuracy and efficiency of device identification can be increased.

Description

用于确定设备唯一标识的方法、装置及电子设备Methods, devices and electronic equipment for determining unique identification of equipment 技术领域Technical field
本发明涉及计算机技术领域,尤其涉及一种用于确定设备唯一标识的方法、装置及电子设备。The present invention relates to the field of computer technology, and in particular, to a method, device and electronic device for determining a unique identifier of a device.
背景技术Background technique
设备识别对于某些业务场景(例如,资产管理、网络流量分析)至关重要。在相关技术中,通常使用设备的网际协议(Internet Protocol,IP)地址或媒体访问控制(Media Access Control,MAC)地址作为用于识别设备的唯一标识。IP地址是一种用于标识连接到因特网的设备的一组唯一数字。MAC地址用于标识设备中的唯一网络接口。使用IP地址或MAC地址作为设备的唯一标识的原因在于其容易从网络中获取。Device identification is critical for certain business scenarios (e.g., asset management, network traffic analysis). In related technologies, the Internet Protocol (Internet Protocol, IP) address or the Media Access Control (Media Access Control, MAC) address of the device is usually used as a unique identifier for identifying the device. An IP address is a unique set of numbers used to identify a device connected to the Internet. The MAC address is used to identify a unique network interface in a device. The reason for using an IP address or MAC address as a unique identifier for a device is that it is easy to obtain from the network.
然而,在复杂的网络环境中,根据IP地址或MAC地址,无法准确地识别设备。例如,同一设备在不同时间接入同一网络时,该设备的IP地址可能会发生变化。又例如,同一设备可能会通过两个或多个网卡在同一时间连接至不同的网络,由此该设备可能会分配有多组IP地址和MAC地址。在这些场景下,根据设备的IP地址或MAC地址,可能会将同一设备识别为不同的设备,使得设备识别不准确。However, in complex network environments, devices cannot be accurately identified based on IP addresses or MAC addresses. For example, when the same device connects to the same network at different times, the IP address of the device may change. For another example, the same device may be connected to different networks at the same time through two or more network cards, and thus the device may be assigned multiple sets of IP addresses and MAC addresses. In these scenarios, the same device may be identified as different devices based on the device's IP address or MAC address, making device identification inaccurate.
发明内容Contents of the invention
有鉴于此,本发明提供了一种用于确定设备唯一标识的方法、装置及电子设备,用于至少部分地解决上述技术问题。In view of this, the present invention provides a method, device and electronic device for determining a unique identifier of a device, so as to at least partially solve the above technical problems.
第一方面,本申请实施例提供了一种用于确定设备唯一标识的方法,包括:In the first aspect, embodiments of the present application provide a method for determining a unique identifier of a device, including:
获取第一终端设备的第一设备标识和所述第一终端设备的第一客户端证书,所述第一设备标识包括第一MAC地址和第一IP地址;Obtaining a first device identification of the first terminal device and a first client certificate of the first terminal device, where the first device identification includes a first MAC address and a first IP address;
绑定所述第一客户端证书与所述第一设备标识,作为第一绑定记录,所述第一绑定记录用于唯一标识所述第一终端设备;Binding the first client certificate and the first device identification as a first binding record, the first binding record being used to uniquely identify the first terminal device;
基于所述第一客户端证书,识别所述第一设备标识是否改变为第二设备标识,其中所述第二设备标识包括第二MAC地址和第二IP地址,所述第二MAC地址与所述第一MAC地址不同,和/或,所述第二IP地址与所述第一IP地址不同;Based on the first client certificate, identify whether the first device identification is changed to a second device identification, wherein the second device identification includes a second MAC address and a second IP address, and the second MAC address is the same as the second device identification. The first MAC address is different, and/or the second IP address is different from the first IP address;
若识别到所述第一设备标识改变为所述第二设备标识,则将所述第一绑定记录中的第一设备标识替换为第二设备标识以更新为第一绑定记录。If it is recognized that the first device identifier has been changed to the second device identifier, the first device identifier in the first binding record is replaced with the second device identifier to update the first binding record.
在一种可能的实现方式中,所述基于所述第一客户端证书,识别所述第一设备标识是否改变为第二设备标识,包括:In a possible implementation, identifying whether the first device identity is changed to a second device identity based on the first client certificate includes:
获取所述第二终端设备的所述第二设备标识和所述第二终端设备的第二客户端证书;Obtain the second device identification of the second terminal device and the second client certificate of the second terminal device;
若所述第二客户端证书与所述第一客户端证书相同,则确定所述第一终端设备与所述第二终端设备为同一终端设备,且所述第一设备标识改变为所述第二设备标识。If the second client certificate is the same as the first client certificate, it is determined that the first terminal device and the second terminal device are the same terminal device, and the first device identification is changed to the third terminal device. 2. Equipment identification.
在一种可能的实现方式中,所述获取第一终端设备的第一设备标识和所述第一终端设备的第一客户端证书,包括:In a possible implementation, the obtaining the first device identification of the first terminal device and the first client certificate of the first terminal device includes:
从所述第一终端设备在接入网络时与认证服务器的交互信息中,获取所述第一终端设备的MAC地址和客户端证书,分别作为所述第一MAC地址和所述第一客户端证书;From the interaction information between the first terminal device and the authentication server when accessing the network, the MAC address and client certificate of the first terminal device are obtained as the first MAC address and the first client certificate respectively. Certificate;
从所述第一终端设备在请求IP地址时与DHCP服务器的交互信息中,获取所述第一终端设备的IP地址,作为所述第一IP地址。The IP address of the first terminal device is obtained as the first IP address from the interaction information between the first terminal device and the DHCP server when requesting the IP address.
在一种可能的实现方式中,所述从所述第一终端设备在接入网络时与认证服务器的交互信息中,获取所述第一终端设备的MAC地址和客户端证书,分别作为所述第一MAC地址和所述第一客户端证书,包括:In a possible implementation, the MAC address and client certificate of the first terminal device are obtained from the interaction information between the first terminal device and the authentication server when accessing the network, and are used as the The first MAC address and the first client certificate, including:
获取所述第一终端设备在接入网络时发送的认证接入开始请求;Obtain the authentication access start request sent by the first terminal device when accessing the network;
从所述认证接入开始请求中获取所述第一终端设备的MAC地址,作为所述第一MAC地址;Obtain the MAC address of the first terminal device from the authentication access start request as the first MAC address;
获取所述第一终端设备在进行网络认证时向所述认证服务器发送的接入认证请求;Obtain the access authentication request sent by the first terminal device to the authentication server when performing network authentication;
从所述接入认证请求中获取所述第一终端设备的客户端证书,作为所述第一MAC地址。Obtain the client certificate of the first terminal device from the access authentication request as the first MAC address.
在一种可能的实现方式中,所述从所述第一终端设备在请求IP地址时与DHCP服务器的交互信息中,获取所述第一终端设备的IP地址,作为所述第一IP地址,包括:In a possible implementation, the IP address of the first terminal device is obtained from the interaction information between the first terminal device and the DHCP server when requesting an IP address as the first IP address, include:
获取所述DHCP服务器响应于所述第一终端设备的DHCP请求而发送的DHCP响应;Obtaining a DHCP response sent by the DHCP server in response to the DHCP request of the first terminal device;
从所述DHCP响应中获取所述第一终端设备的IP地址,作为所述第一IP地址。Obtain the IP address of the first terminal device from the DHCP response as the first IP address.
第二方面,本申请实施例提供了一种用于确定设备唯一标识的装置,包括:In the second aspect, embodiments of the present application provide a device for determining a unique identifier of a device, including:
获取模块,用于获取所述第一终端设备的第一设备标识和所述第一终端设备的第一客户端证书,所述第一设备标识包括第一MAC地址和第一IP地址;An acquisition module, configured to acquire a first device identification of the first terminal device and a first client certificate of the first terminal device, where the first device identification includes a first MAC address and a first IP address;
绑定模块,用于绑定所述第一客户端证书与所述第一设备标识,作为第一绑定记录,所述第一绑定记录用于唯一标识所述第一终端设备;A binding module, configured to bind the first client certificate and the first device identification as a first binding record, where the first binding record is used to uniquely identify the first terminal device;
识别模块,用于基于所述第一客户端证书,识别所述第一设备标识是否改变为第二设备标识,其中所述第二设备标识包括第二MAC地址和第二IP地址,所述第二MAC地址与所述第一MAC地址不同,和/或,所述第二IP地址与所述第一IP地址不同;An identification module, configured to identify whether the first device identification is changed to a second device identification based on the first client certificate, wherein the second device identification includes a second MAC address and a second IP address, and the third The second MAC address is different from the first MAC address, and/or the second IP address is different from the first IP address;
更新模块,用于若识别到所述第一设备标识改变为所述第二设备标识,则将所述第一绑定记录中的第一设备标识替换为第二设备标识以更新为第一绑定记录。An update module, configured to, if it is recognized that the first device identification has been changed to the second device identification, replace the first device identification in the first binding record with the second device identification to update it to the first binding record. Fixed record.
在一种可能的实现方式中,所述识别模块具体用于:In a possible implementation, the identification module is specifically used to:
获取所述第二终端设备的所述第二设备标识和所述第二终端设备的第二客户端证书;Obtain the second device identification of the second terminal device and the second client certificate of the second terminal device;
若所述第二客户端证书与所述第一客户端证书相同,则确定所述第一终端设备与所述第二终端设备为同一终端设备,且所述第一设备标识改变为所述第二设备标识。If the second client certificate is the same as the first client certificate, it is determined that the first terminal device and the second terminal device are the same terminal device, and the first device identification is changed to the third terminal device. 2. Equipment identification.
在一种可能的实现方式中,所述获取模块具体用于:In a possible implementation, the acquisition module is specifically used to:
获取第一终端设备的第一设备标识和所述第一终端设备的第一客户端证书,包括:Obtaining the first device identification of the first terminal device and the first client certificate of the first terminal device includes:
从所述第一终端设备在接入网络时与认证服务器的交互信息中,获取所述第一终端设备的MAC地址和客户端证书,分别作为所述第一MAC地址和所述第一客户端证书;From the interaction information between the first terminal device and the authentication server when accessing the network, the MAC address and client certificate of the first terminal device are obtained as the first MAC address and the first client certificate respectively. Certificate;
从所述第一终端设备在请求IP地址时与DHCP服务器的交互信息中,获取所述第一终端设备的IP地址,作为所述第一IP地址。The IP address of the first terminal device is obtained as the first IP address from the interaction information between the first terminal device and the DHCP server when requesting the IP address.
在一种可能的实现方式中,所述获取模块具体用于:In a possible implementation, the acquisition module is specifically used to:
获取所述第一终端设备在接入网络时发送的认证接入开始请求;Obtain the authentication access start request sent by the first terminal device when accessing the network;
从所述认证接入开始请求中获取所述第一终端设备的MAC地址,作为所述第一MAC地址;Obtain the MAC address of the first terminal device from the authentication access start request as the first MAC address;
获取所述第一终端设备在进行网络认证时向所述认证服务器发送的接入认证请求;Obtain the access authentication request sent by the first terminal device to the authentication server when performing network authentication;
从所述接入认证请求中获取所述第一终端设备的客户端证书,作为所述第一客户端证书。Obtain the client certificate of the first terminal device from the access authentication request as the first client certificate.
在一种可能的实现方式中,所述获取模块具体用于:In a possible implementation, the acquisition module is specifically used to:
获取所述DHCP服务器响应于所述第一终端设备的DHCP请求而发送的DHCP响应;Obtaining a DHCP response sent by the DHCP server in response to the DHCP request of the first terminal device;
从所述DHCP响应中获取所述第一终端设备的IP地址。Obtain the IP address of the first terminal device from the DHCP response.
第三方面,提供了一种电子设备,包括:处理器、存储器、通信接口和通信总线,所述处理器、所述存储器和所述通信接口通过所述通信总线完成相互间的通信;所述存储器用于存放至少一可执行指令,所述可执行指令使所述处理器执行如第一方面任一项所述的方法对应的操作。In a third aspect, an electronic device is provided, including: a processor, a memory, a communication interface, and a communication bus. The processor, the memory, and the communication interface complete communication with each other through the communication bus; The memory is used to store at least one executable instruction, which causes the processor to perform operations corresponding to the method described in any one of the first aspects.
第四方面,提供了一种计算机可读存储介质,其上存储有计算机可执行指令,其中,所述计算机可执行指令在被执行时使所述处理器执行第一方面任一项所述的方法。A fourth aspect provides a computer-readable storage medium on which computer-executable instructions are stored, wherein when executed, the computer-executable instructions cause the processor to perform any of the steps described in the first aspect. method.
本申请实施例提供用于确定设备唯一标识的方法、装置及电子设备,由于第一终端设备的第一客户端证书的唯一性,即使在第一终端设备的第一设备标识改变为第二设备标识时,也即在第一终端设备的MAC地址从第一MAC地址改变为第二MAC地址以及/或者第一终端设备的IP地址从第一IP地址改变为第二MAC地址时,基于第一终端设备的第一客户端证书可以立即识别上述改变并做出更新,从而唯一且准确地识别设备,提高设备识别的准确度。此外,由于基于第一客户端证书的唯一性和持久性,确保第一绑定记录始终唯一标识第一终端设备,因此在处理诸如设备查询、设备更新、设备合并和设备绑定等业务逻辑时,可以显著降低业务逻辑处理的复杂度,提高工作效率。同时,由于基于第一客户端证书的唯一性和持久性,确保第一绑定记录始终唯一标识第一终端设备,避免了为第一终端设备手动设置其他身份标识来唯一标识第一终端设备,节省了人力成本。Embodiments of the present application provide methods, devices and electronic devices for determining the unique identification of a device. Due to the uniqueness of the first client certificate of the first terminal device, even if the first device identification of the first terminal device is changed to the second device When identifying, that is, when the MAC address of the first terminal device changes from the first MAC address to the second MAC address and/or the IP address of the first terminal device changes from the first IP address to the second MAC address, based on the first The first client certificate of the terminal device can immediately identify the above changes and make updates, thereby uniquely and accurately identifying the device and improving the accuracy of device identification. In addition, since the first binding record is guaranteed to always uniquely identify the first terminal device based on the uniqueness and persistence of the first client certificate, when processing business logic such as device query, device update, device merging, and device binding, etc. , which can significantly reduce the complexity of business logic processing and improve work efficiency. At the same time, due to the uniqueness and persistence of the first client certificate, it is ensured that the first binding record always uniquely identifies the first terminal device, avoiding the need to manually set other identity identifiers for the first terminal device to uniquely identify the first terminal device. Save labor costs.
附图说明Description of drawings
图1是适用于本申请实施例提供的用于确定设备唯一标识的方法的一种系统的架构图;Figure 1 is an architectural diagram of a system suitable for the method for determining a unique identifier of a device provided by an embodiment of the present application;
图2是本申请实施例提供的一种用于确定设备唯一标识的方法的示意性流程图;Figure 2 is a schematic flow chart of a method for determining a unique identifier of a device provided by an embodiment of the present application;
图3是本申请实施例提供的一种用于获取第一终端设备的MAC地址和客户端证书的过程的示意图;Figure 3 is a schematic diagram of a process for obtaining the MAC address and client certificate of the first terminal device provided by an embodiment of the present application;
图4是本申请实施例提供的一种用于获取第一终端设备的IP地址的过程的示意图;Figure 4 is a schematic diagram of a process for obtaining the IP address of a first terminal device provided by an embodiment of the present application;
图5是本申请实施例提供的一种用于获取第一终端设备的MAC地址、客户端证书和IP地址的过程的信号流图;Figure 5 is a signal flow diagram of a process for obtaining the MAC address, client certificate and IP address of the first terminal device provided by an embodiment of the present application;
图6是本申请实施例提供的一种用于确定设备唯一标识的装置的结构示意图;Figure 6 is a schematic structural diagram of a device for determining a unique identifier of a device provided by an embodiment of the present application;
图7是本申请实施例提供的一种电子设备的结构示意图。FIG. 7 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
附图标记列表:List of reference signs:
10:终端设备             20:接入设备             30:认证服务器10: Terminal equipment 20: Access equipment 30: Authentication server
40:DHCP服务器         30A:Radius服务器40: DHCP server 30A: Radius server
S201:获取第一终端设备的第一设备标识和第一终端设备的第一客户端证书S201: Obtain the first device identification of the first terminal device and the first client certificate of the first terminal device
S202:绑定第一客户端证书与第一设备标识,作为第一绑定记录S202: Bind the first client certificate and the first device identification as the first binding record
S203、基于第一客户端证书,识别第一设备标识是否改变为第二设备标识S203. Based on the first client certificate, identify whether the first device identity is changed to the second device identity.
S204、若识别到第一设备标识改变为第二设备标识,则将第一绑定记录中的第一S204. If it is recognized that the first device identifier has been changed to the second device identifier, change the first device identifier in the first binding record.
设备标识替换为第二设备标识以更新为第一绑定记录。The device identifier is replaced with the second device identifier to update the first binding record.
301、401:MAC地址      302:客户端证书          402:IP地址301, 401: MAC address 302: Client certificate 402: IP address
1:第一终端设备向接入设备发送认证接入开始消息<EAPoL start>1: The first terminal device sends the authentication access start message <EAPoL start> to the access device.
2:接入设备可以向第一终端设备发送识别请求<EAP-Request/Identity>2: The access device can send an identification request <EAP-Request/Identity> to the first terminal device
3:第一终端设备向接入设备发送识别响应消息<EAP-Respons/Identity>3: The first terminal device sends the identification response message <EAP-Respons/Identity> to the access device.
4:接入设备将识别响应消息<EAP-Respons/Identity>封装成Radius访问请求消息<RADIUS AcessRequset/Identity>,传送至Raduis服务器4: The access device encapsulates the identification response message <EAP-Respons/Identity> into a Radius access request message <RADIUS AcessRequset/Identity> and transmits it to the Raduis server
5:Raduis服务器经由接入设备向第一终端设备发送TLS-Start请求消息<EAP-TLS-Request/StartTLS>5: The Raduis server sends the TLS-Start request message <EAP-TLS-Request/StartTLS> to the first terminal device via the access device.
6:第一终端设备经由接入设备向Raduis服务器发送客户端问候消息<EAP-TLS-Request/ClientHello>6: The first terminal device sends the client greeting message <EAP-TLS-Request/ClientHello> to the Raduis server via the access device.
7:Raduis服务器经由接入设备向第一终端设备发送服务器问候消息<Radius Access-Challenge/ServerHello>7: The Raduis server sends a server greeting message <Radius Access-Challenge/ServerHello> to the first terminal device via the access device.
8:第一终端设备经由接入设备向Raduis服务器发送TLS响应消息<EAP-TLS-Response/Certificate>8: The first terminal device sends the TLS response message <EAP-TLS-Response/Certificate> to the Raduis server via the access device.
9:Raduis服务器经由接入设备向第一终端设备发送握手完成消息<EAP-TLS-Request/ChangeCipherSpec_Finished>9: The Raduis server sends the handshake completion message <EAP-TLS-Request/ChangeCipherSpec_Finished> to the first terminal device via the access device.
10:Raduis服务器向接入设备发送接受接入响应消息<Radius AccessResponse/Accept>10: The Raduis server sends an access response message <Radius AccessResponse/Accept> to the access device.
11:接入设备向第一终端设备发送认证成功消息<EAP-Success>11: The access device sends an authentication success message <EAP-Success> to the first terminal device.
12:第一终端设备经由接入设备向DHCP服务器发送DHCP请求<DHCP Request>12: The first terminal device sends a DHCP request <DHCP Request> to the DHCP server via the access device.
13:DHCP服务器经由接入设备向第一终端设备发送DHCP响应<DHCP ACK>13: The DHCP server sends a DHCP response <DHCP ACK> to the first terminal device via the access device.
S501:从第一终端设备接收到认证接入开始消息<EAPoL Start>消息,获取第一终端设备的MAC地址S501: Receive the authentication access start message <EAPoL Start> message from the first terminal device, and obtain the MAC address of the first terminal device.
S502:从TLS响应消息<EAP-TLS-Response/Certificate>中获取第一终端设备1的客户端证书S502: Obtain the client certificate of the first terminal device 1 from the TLS response message <EAP-TLS-Response/Certificate>
S503:从DHCP请求中获取第一终端设备的MAC地址S503: Obtain the MAC address of the first terminal device from the DHCP request
S504:从DHCP响应中获取第一终端设备的IP地址S504: Obtain the IP address of the first terminal device from the DHCP response
60:用于确定设备唯一标识的方法                  601:获取模块60: Method used to determine the unique identification of the device 601: Obtain the module
602:绑定模块           603:识别模块           604:更新模块602: Binding module 603: Identification module 604: Update module
70:电子设备            702:处理器             704:通信接口70: Electronic equipment 702: Processor 704: Communication interface
706:存储器             708:通信总线           710:可执行指令706: Memory 708: Communication bus 710: Executable instructions
具体实施方式Detailed ways
为使本申请的目的、技术方案、及优点更加清楚明白,以下参照附图和实施例,对本申请进一步详细说明。显然,所描述的实施例仅仅是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员所获得的所有其他技术方案,都属于本申请保护的范围。In order to make the purpose, technical solutions, and advantages of the present application clearer, the present application will be further described in detail below with reference to the accompanying drawings and embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, but not all of the embodiments. Based on the embodiments in this application, all other technical solutions obtained by those of ordinary skill in the art fall within the scope of protection of this application.
设备识别对于某些业务场景(例如,资产管理、网络流量分析)至关重要。相关技术中,鉴于IP地址和MAC地址容易从网络中获取,通常采用IP地址或MAC地址作为用于识别连接至网络中的设备的唯一标识。Device identification is critical for certain business scenarios (e.g., asset management, network traffic analysis). In the related art, since IP addresses and MAC addresses are easy to obtain from the network, the IP address or MAC address is usually used as a unique identifier for identifying a device connected to the network.
然而,如前文提到的,在一些场景下,同一设备在不同时间接入同一网络时,设备的IP地址可能会发生变化,例如,设备的IP地址从172.x.x.2切换至172.x.x.3。因此,在这种场景下,IP地址不能作为设备的持久唯一标识。基于IP地址识别设备,可能会将同一设备识别为两个不同的设备,导致设备识别不准确。However, as mentioned earlier, in some scenarios, when the same device accesses the same network at different times, the device's IP address may change. For example, the device's IP address switches from 172.x.x.2 to 172.x.x.3. . Therefore, in this scenario, the IP address cannot be used as a persistent unique identifier of the device. Identifying devices based on IP addresses may identify the same device as two different devices, resulting in inaccurate device identification.
又例如,在另一种场景下,一个设备具有两个不同的网卡,该设备可以在同一时间连接至不同的网络。由于该设备具有两个不同的网卡,因此设备会被分配有两组IP地址和MAC地址,也即设备具有多值唯一标识。在这种场景下,基于IP地址和MAC地址会将同一设备识别为两个或多个不同的设备,导致设备识别不准确。For another example, in another scenario, a device has two different network cards, and the device can be connected to different networks at the same time. Since the device has two different network cards, the device will be assigned two sets of IP addresses and MAC addresses, that is, the device has a multi-valued unique identifier. In this scenario, the same device will be identified as two or more different devices based on IP address and MAC address, resulting in inaccurate device identification.
此外,对于某些业务场景,使用MAC地址作为设备唯一标识还会存在其他问题。例如,在进行网络流量分析时,通常需要识别数据包的数据源(即,发送该数据包的设备)。然而由于数据包在网络设备(例如,交换机或路由器)之后,其MAC地址会发生改变,此时无法使用MAC地址来识别数据源。In addition, for some business scenarios, there are other problems when using the MAC address as the unique identifier of the device. For example, when performing network traffic analysis, it is often necessary to identify the data source of a packet (i.e., the device that sent the packet). However, since the MAC address of the data packet changes after it passes through a network device (such as a switch or router), the MAC address cannot be used to identify the data source.
基于上述问题,本申请实施例提供一种用于确定设备唯一标识的方法及装置,以至少部分地解决上述技术问题。Based on the above problems, embodiments of the present application provide a method and device for determining a unique identifier of a device, so as to at least partially solve the above technical problems.
下面结合附图对本申请实施例的具体实现进行详细说明。The specific implementation of the embodiments of the present application will be described in detail below with reference to the accompanying drawings.
为了便于理解,首先结合图1对本申请实施例适用的系统的架构图进行说明。图1是适用于本申请实施例提供的用于确定设备唯一标识的方法的一种示意性系统的架构图。如图1所示,该系统包括:终端设备10,例如需要接入IT网络或OT网络的工厂设备等;接入设备20,例如交换机和路由器;认证服务器30,用于在终端设备10接入网络时对终端设备10进行认证,例如Radius服务器;以及DHCP服务器40,用于给局域网内的终端设备10分配动态的IP地址。终端设备10通过接入设备20接入网络。终端设备10在接入网络时需要通过接入设备20与认证服务器30进行交互,以完成接入认证。在终端设备10的接入认 证成功之后,通过接入设备20与DHCP服务器40进行交互,以向DHCP服务器40请求IP地址,DHCP服务器响应于来自终端设备10的请求向终端设备10分配IP地址。In order to facilitate understanding, the architecture diagram of the system applicable to the embodiment of the present application is first described with reference to FIG. 1 . Figure 1 is an architectural diagram of a schematic system suitable for the method for determining a unique identifier of a device provided by an embodiment of the present application. As shown in Figure 1, the system includes: terminal equipment 10, such as factory equipment that needs to access the IT network or OT network; access equipment 20, such as switches and routers; authentication server 30, used to access the terminal equipment 10 The network authenticates the terminal device 10, such as the Radius server; and the DHCP server 40 is used to allocate dynamic IP addresses to the terminal device 10 in the local area network. The terminal device 10 accesses the network through the access device 20 . When accessing the network, the terminal device 10 needs to interact with the authentication server 30 through the access device 20 to complete access authentication. After the access authentication of the terminal device 10 is successful, the access device 20 interacts with the DHCP server 40 to request an IP address from the DHCP server 40, and the DHCP server allocates an IP address to the terminal device 10 in response to the request from the terminal device 10.
本申请实施例提供的用于确定设备唯一标识的方法可以由接入设备20来执行,或与接入设备20通信连接的其他设备来执行。下面基于图1的系统,对本申请实施例提供的确定设备唯一标识的方法进行详细说明。The method for determining the unique identifier of the device provided by the embodiment of the present application may be executed by the access device 20 or by other devices that are communicatively connected to the access device 20 . Based on the system in Figure 1, the method for determining the unique identifier of the device provided by the embodiment of the present application will be described in detail below.
图2是本申请实施例提供的一种用于确定设备唯一标识的方法的流程图。该方法可以由图1中的接入设备20,也可以由与接入设备20通信连接的其他设备来执行。如图2所示,该方法包括:Figure 2 is a flow chart of a method for determining a unique identifier of a device provided by an embodiment of the present application. This method may be performed by the access device 20 in Figure 1 or by other devices that are communicatively connected to the access device 20. As shown in Figure 2, the method includes:
S201、获取第一终端设备10的第一设备标识和第一终端设备10的第一客户端证书。S201. Obtain the first device identification of the first terminal device 10 and the first client certificate of the first terminal device 10.
其中,第一设备标识包括第一MAC地址和第一IP地址。The first device identifier includes a first MAC address and a first IP address.
第一终端设备10对应于图1所示的终端装备,其可以包括接入OT网络或IT网络的工厂设备或其他类似设备。The first terminal equipment 10 corresponds to the terminal equipment shown in FIG. 1 , which may include factory equipment or other similar equipment connected to an OT network or an IT network.
第一客户端证书是在网路通信过程中验证第一终端设备10的合法身份的数字证书。对于第一终端设备10而言,第一客户端证书是唯一且持久不变的。The first client certificate is a digital certificate used to verify the legal identity of the first terminal device 10 during network communication. For the first terminal device 10, the first client certificate is unique and persistent.
在本申请的一种实现方式中,步骤S201可以包括:In an implementation manner of this application, step S201 may include:
步骤A、从第一终端设备10在接入网络时与认证服务器30的交互信息中,获取第一终端设备10的MAC地址和客户端证书,分别作为第一MAC地址和第一客户端证书。Step A: Obtain the MAC address and client certificate of the first terminal device 10 from the interaction information between the first terminal device 10 and the authentication server 30 when accessing the network, as the first MAC address and the first client certificate respectively.
具体地,如图3所示,在第一终端设备10联网时,第一终端设备10首先需要通过接入设备20与认证服务器30进行交互,完成接入认证。在交互过程中,第一终端设备10首先向接入设备20提供其MAC地址。接入设备20会根据第一终端设备10发送的MAC地址与第一终端设备10进行交互,以请求第一终端设备10的用户名、客户端证书等信息以提供给认证服务器30,以完成第一终端设备10与认证服务器30之间的认证。Specifically, as shown in FIG. 3 , when the first terminal device 10 is connected to the Internet, the first terminal device 10 first needs to interact with the authentication server 30 through the access device 20 to complete access authentication. During the interaction process, the first terminal device 10 first provides its MAC address to the access device 20 . The access device 20 will interact with the first terminal device 10 according to the MAC address sent by the first terminal device 10 to request the user name, client certificate and other information of the first terminal device 10 to provide to the authentication server 30 to complete the first step. Authentication between a terminal device 10 and the authentication server 30.
在上述交互过程中,接入设备20可以从第一终端设备10与认证服务器30的交互信息中,获取第一终端设备10的MAC地址和客户端证书,分别作为第一MAC地址和第一客户端证书。在一种可能的实现方式中,接入设备20获取第一终端设备10在接入网络时发送的认证接入开始请求;从认证接入开始请求中获取第一终端设备10的MAC地址301,作为第一MAC地址;获取第一终端设备10在进行网络认证时经由接入设备20向认证服务器30发送的接入认证请求;从接入认证请求中获取第一终端设备10的客户端证书302,作为第一客户端证书。During the above interaction process, the access device 20 can obtain the MAC address and client certificate of the first terminal device 10 from the interaction information between the first terminal device 10 and the authentication server 30 as the first MAC address and the first client certificate respectively. end certificate. In a possible implementation, the access device 20 obtains the authentication access start request sent by the first terminal device 10 when accessing the network; obtains the MAC address 301 of the first terminal device 10 from the authentication access start request, as the first MAC address; obtain the access authentication request sent by the first terminal device 10 to the authentication server 30 via the access device 20 when performing network authentication; obtain the client certificate 302 of the first terminal device 10 from the access authentication request , as the first client certificate.
为了便于理解上述过程,下面结合图5的示例对上述过程进行详细过程。图5是本申请 实施例提供的一种用于获取第一终端设备10的MAC地址、客户端证书和IP地址的过程的信号流图。在图5中以Raduis服务器30A为认证服务器,第一终端设备10与Raduis服务器之间采用EAP-TLS协议进行接入认证为例进行说明。应理解,图5仅是一种示例,在其他实施例中,第一终端设备10与认证服务器30可以采用其他合适的协议进行接入认证,本实施例对此不做限定。In order to facilitate understanding of the above process, the above process will be described in detail below with reference to the example in FIG. 5 . Figure 5 is a signal flow diagram of a process for obtaining the MAC address, client certificate and IP address of the first terminal device 10 provided by the embodiment of this application. In FIG. 5 , the Raduis server 30A is used as the authentication server, and the EAP-TLS protocol is used for access authentication between the first terminal device 10 and the Raduis server as an example for explanation. It should be understood that FIG. 5 is only an example. In other embodiments, the first terminal device 10 and the authentication server 30 may use other suitable protocols for access authentication, which is not limited in this embodiment.
如图5所示,在信息流1中,第一终端设备10向接入设备20发送认证接入开始消息<EAPoL start>(即,认证接入开始请求),表示接入认证开始,在该认证接入开始消息<EAPoL start>中携带有第一终端设备10的MAC地址。As shown in Figure 5, in information flow 1, the first terminal device 10 sends an authentication access start message <EAPoL start> (i.e., authentication access start request) to the access device 20, indicating that the access authentication starts. The authentication access start message <EAPoL start> carries the MAC address of the first terminal device 10.
根据认证接入开始消息,接入设备20可以从该认证接入开始消息获取第一终端设备10的MAC地址(即,S501)。具体地,根据该认证接入开始消息从数据链路层获取第一终端设备10的MAC地址,作为第一MAC地址。并且,响应于接收到该认证接入开始消息,在信息流2中,接入设备20可以向第一终端设备10发送识别请求<EAP-Request/Identity>,要求第一终端设备10提供身份标识。According to the authentication access start message, the access device 20 can obtain the MAC address of the first terminal device 10 from the authentication access start message (ie, S501). Specifically, the MAC address of the first terminal device 10 is obtained from the data link layer according to the authentication access start message as the first MAC address. And, in response to receiving the authentication access start message, in information flow 2, the access device 20 may send an identification request <EAP-Request/Identity> to the first terminal device 10, requiring the first terminal device 10 to provide an identity identifier. .
响应于接收到识别请求消息<EAP-Request/Identity>,在信息流3中,第一终端设备10向接入设备20发送识别响应消息<EAP-Respons/Identity>,其内容是用户的身份标识。In response to receiving the identification request message <EAP-Request/Identity>, in information flow 3, the first terminal device 10 sends an identification response message <EAP-Respons/Identity> to the access device 20, the content of which is the user's identity. .
在信息流4中,接入设备20将识别响应消息<EAP-Respons/Identity>封装成Radius访问请求消息<RADIUS AcessRequset/Identity>,传送至Raduis服务器30A。In information flow 4, the access device 20 encapsulates the identification response message <EAP-Respons/Identity> into a Radius access request message <RADIUS AcessRequset/Identity> and transmits it to the Raduis server 30A.
Raduis服务器30A在从Radius访问请求消息<RADIUS AccessRequset/Identity>中获取到第一终端设备10的身份标识之后,在信息流5中,经由接入设备20向第一终端设备10发送TLS-Start请求消息<EAP-TLS-Request/StartTLS>。应理解,为了简化视图,在图5中省略了接入设备20执行消息封装和解封装过程,以在第一终端设备10和Raduis服务器30A之间转发消息的过程。在实际应用中,第一终端设备10与Raduis服务器30A之间的通信过程均经由接入设备20进行,后文不再赘述。After obtaining the identity of the first terminal device 10 from the Radius access request message <RADIUS AccessRequset/Identity>, the Raduis server 30A sends a TLS-Start request to the first terminal device 10 via the access device 20 in information flow 5. Message <EAP-TLS-Request/StartTLS>. It should be understood that in order to simplify the view, the process in which the access device 20 performs the message encapsulation and decapsulation process to forward the message between the first terminal device 10 and the Raduis server 30A is omitted in FIG. 5 . In practical applications, the communication process between the first terminal device 10 and the Raduis server 30A is all performed through the access device 20, which will not be described again.
在第一终端设备10接收到TLS-Start请求消息<EAP-TLS-Request/StatTLS>之后,在信号流6中经由接入设备20向Raduis服务器30A发送客户端问候消息<EAP-TLS-Request/ClientHello>,该消息中包含支持的TLS协议版本,支持的加密算法,支持的压缩方等。After the first terminal device 10 receives the TLS-Start request message <EAP-TLS-Request/StatTLS>, the client hello message <EAP-TLS-Request/ is sent to the Raduis server 30A via the access device 20 in signal flow 6 ClientHello>, this message contains the supported TLS protocol version, supported encryption algorithm, supported compression method, etc.
响应于接收到客户端问候消息<EAP-TLS-Request/ClientHello>,在信号流7中,Raduis服务器30A经由接入设备20向第一终端设备10发送服务器问候消息<Radius Access-Challenge/ServerHello>,该消息中包含确认使用的TLS协议版本、确认使用的加密算法、服 务器证书、请求客户端提供证书等信息。In response to receiving the client hello message <EAP-TLS-Request/ClientHello>, in signal flow 7, the Raduis server 30A sends the server hello message <Radius Access-Challenge/ServerHello> to the first terminal device 10 via the access device 20 , the message contains information such as confirming the TLS protocol version used, confirming the encryption algorithm used, server certificate, and requesting the client to provide a certificate.
第一终端设备10在接收到服务器问候消息<EAP-TLS-Request/ServerHello>之后,在信号流8中,经由接入设备20向Raduis服务器30A发送TLS响应消息<EAP-TLS-Response/Certificate>,该消息包含第一终端设备10的客户端证书。此时,接入设备20还可以从该TLS响应消息<EAP-TLS-Response/Certificate>中获取第一终端设备10的客户端证书(即,S502)。具体地,根据该消息从传输层获取第一终端设备10的客户端证书作为第一客户端证书。After receiving the server hello message <EAP-TLS-Request/ServerHello>, the first terminal device 10 sends the TLS response message <EAP-TLS-Response/Certificate> to the Raduis server 30A via the access device 20 in the signal flow 8 , this message contains the client certificate of the first terminal device 10 . At this time, the access device 20 can also obtain the client certificate of the first terminal device 10 from the TLS response message <EAP-TLS-Response/Certificate> (ie, S502). Specifically, the client certificate of the first terminal device 10 is obtained from the transport layer according to the message as the first client certificate.
响应于接收到TLS响应消息<EAP-TLS-Response/Certificate>,在信号流9中,Raduis服务器30A经由接入设备20向第一终端设备10发送握手完成消息<EAP-TLS-Request/ChangeCipherSpec_Finished>,表示握手结束,并在信号流10中,Raduis服务器30A向接入设备20发送接受接入响应消息<Radius AccessResponse/Accept>,表示完成认证。接入设备20对该消息进行解封装后,在信号流11中,向第一终端设备10发送认证成功消息<EAP-Success>,此时完成认证。In response to receiving the TLS response message <EAP-TLS-Response/Certificate>, in signal flow 9, the Raduis server 30A sends a handshake completion message <EAP-TLS-Request/ChangeCipherSpec_Finished> to the first terminal device 10 via the access device 20 , indicating the end of the handshake, and in the signal flow 10, the Raduis server 30A sends the access response message <Radius AccessResponse/Accept> to the access device 20, indicating that the authentication is completed. After decapsulating the message, the access device 20 sends an authentication success message <EAP-Success> to the first terminal device 10 in the signal flow 11, and the authentication is completed.
如上所述,在第一终端设备10经由接入设备20与Raduis服务器30A交互的过程中,接入设备20可以执行步骤S501,根据在信号流1中从第一终端设备10接收到认证接入开始消息<EAPoL Start>消息,获取第一终端设备的MAC地址。具体地,根据该消息从数据链路层获取第一终端设备10的MAC地址,作为第一MAC地址。此外,接入设备20还可以执行步骤S502根据在信号流8中从第一终端设备10接收到的TLS响应消息<EAP-TLS-Response/Certificate>中获取第一终端设备10的客户端证书。具体地,根据该消息从传输层获取第一终端设备10的客户端证书作为第一客户端证书。As mentioned above, in the process of the first terminal device 10 interacting with the Raduis server 30A via the access device 20, the access device 20 may perform step S501, according to the authentication access received from the first terminal device 10 in the signal flow 1. Start message <EAPoL Start> message to obtain the MAC address of the first terminal device. Specifically, the MAC address of the first terminal device 10 is obtained from the data link layer according to the message as the first MAC address. In addition, the access device 20 may also perform step S502 to obtain the client certificate of the first terminal device 10 according to the TLS response message <EAP-TLS-Response/Certificate> received from the first terminal device 10 in the signal flow 8 . Specifically, the client certificate of the first terminal device 10 is obtained from the transport layer according to the message as the first client certificate.
步骤B、从第一终端设备10在请求IP地址时与DHCP服务器40的交互信息中,获取第一终端设备10的IP地址,作为第一IP地址。Step B: Obtain the IP address of the first terminal device 10 as the first IP address from the interaction information between the first terminal device 10 and the DHCP server 40 when requesting the IP address.
具体地,在第一终端设备10完成接入认证之后,第一终端设备10经由接入设备20与DHCP服务器进行交互,以获取DHCP服务器为其分配的动态IP地址。例如,如图4所示,第一终端设备10可以向接入设备20发送其MAC地址401,接入设备20将该MAC地址401转发给DHCP服务器。DHCP服务器针对该MAC地址确定IP地址之后,将该IP地址402发送给接入设备20,由接入设备20转发给第一终端设备10。由此第一终端设备10获取到接入设备20为其动态分配的IP地址。在DHCP服务器与第一终端设备10的交互过程中,接入设备20可以获取到第一终端设备10发送给DHCP服务器的MAC地址和DHCP服务器为第一终端设备10分配的IP地址,将该IP地址作为第一IP地址。Specifically, after the first terminal device 10 completes the access authentication, the first terminal device 10 interacts with the DHCP server via the access device 20 to obtain the dynamic IP address assigned by the DHCP server. For example, as shown in Figure 4, the first terminal device 10 can send its MAC address 401 to the access device 20, and the access device 20 forwards the MAC address 401 to the DHCP server. After the DHCP server determines the IP address for the MAC address, it sends the IP address 402 to the access device 20 , and the access device 20 forwards it to the first terminal device 10 . In this way, the first terminal device 10 obtains the IP address dynamically assigned to it by the access device 20 . During the interaction process between the DHCP server and the first terminal device 10, the access device 20 can obtain the MAC address sent by the first terminal device 10 to the DHCP server and the IP address assigned by the DHCP server to the first terminal device 10, and convert the IP address address as the first IP address.
为了便于理解,继续参照图5所示,在第一终端设备10请求IP地址时,第一终端设备10在信号流12中经由接入设备20向DHCP服务器发送DHCP请求<DHCP Request>,该DHCP请求中包含第一终端设备10的MAC地址。响应于接收到DHCP请求,在信号流13中,DHCP服务器40经由接入设备20向第一终端设备10发送DHCP响应<DHCP ACK>,该DHCP响应中包含DHCP服务器40为第一终端设备10分配的IP地址。应理解,为了简化视图,图5中省略了接入设备20转发DHCP请求和DHCP响应的过程,应理解,在实际应用过程中,第一终端设备10与DHCP服务器40之间的通信经由接入设备20进行。在接入设备20在接收到第一终端设备10向DHCP服务器40发送DHCP请求时,接入设备20执行步骤S503,从DHCP请求中获取第一终端设备10的MAC地址。此外,在接入设备20在接收到DHCP服务器40向第一终端设备10发送的DHCP响应时,执行步骤S504,从DHCP响应中获取第一终端设备10的IP地址。For ease of understanding, continue to refer to Figure 5. When the first terminal device 10 requests an IP address, the first terminal device 10 sends a DHCP request <DHCP Request> to the DHCP server via the access device 20 in the signal flow 12. The request contains the MAC address of the first terminal device 10 . In response to receiving the DHCP request, in the signal flow 13, the DHCP server 40 sends a DHCP response <DHCP ACK> to the first terminal device 10 via the access device 20. The DHCP response includes the DHCP server 40 allocated for the first terminal device 10. IP address. It should be understood that in order to simplify the view, the process of the access device 20 forwarding the DHCP request and the DHCP response is omitted in Figure 5. It should be understood that in the actual application process, the communication between the first terminal device 10 and the DHCP server 40 is via the access Device 20 is carried out. When the access device 20 receives the DHCP request sent by the first terminal device 10 to the DHCP server 40, the access device 20 executes step S503 to obtain the MAC address of the first terminal device 10 from the DHCP request. In addition, when the access device 20 receives the DHCP response sent by the DHCP server 40 to the first terminal device 10, step S504 is performed to obtain the IP address of the first terminal device 10 from the DHCP response.
回到图2,根据图2中的S202、绑定第一客户端证书与第一设备标识,作为第一绑定记录;Returning to Figure 2, according to S202 in Figure 2, bind the first client certificate and the first device identifier as the first binding record;
其中,第一绑定记录用于唯一标识第一终端设备10。The first binding record is used to uniquely identify the first terminal device 10 .
具体地,在接入设备20获取到第一终端设备10的MAC地址和客户端证书之后,绑定该MAC地址和客户端证书,即绑定第一MAC地址和第一客户端证书。此后,在接收到第一终端设备10的MAC地址和IP地址之后,可以绑定该MAC地址和IP地址,从而将第一终端设备10的MAC地址、客户端证书和IP地址三者进行绑定,作为第一绑定记录来唯一标识第一终端设备10。Specifically, after the access device 20 obtains the MAC address and client certificate of the first terminal device 10, the MAC address and the client certificate are bound, that is, the first MAC address and the first client certificate are bound. Thereafter, after receiving the MAC address and IP address of the first terminal device 10, the MAC address and IP address can be bound, thereby binding the MAC address, client certificate and IP address of the first terminal device 10 , as the first binding record to uniquely identify the first terminal device 10.
应理解,在第一终端设备10接入网络时,接入设备20总是可以获取由第一终端设备10的MAC地址、客户端证书和IP地址构成的三元组,据此来识别第一终端设备10。It should be understood that when the first terminal device 10 accesses the network, the access device 20 can always obtain a triplet consisting of the MAC address, client certificate and IP address of the first terminal device 10, and thereby identify the first terminal device 10. Terminal device 10.
S203、基于第一客户端证书,识别第一设备标识是否改变为第二设备标识。S203. Based on the first client certificate, identify whether the first device identity is changed to the second device identity.
其中,第二设备标识包括第二MAC地址和第二IP地址,第二MAC地址与第一MAC地址不同,和/或,第二IP地址与第一IP地址不同;Wherein, the second device identification includes a second MAC address and a second IP address, the second MAC address is different from the first MAC address, and/or the second IP address is different from the first IP address;
如在上文提到的,由于在复杂的应用场景中,同一终端设备可能会具有两个MAC地址或者由于其他各种原因,接入设备20获取到的同一终端设备的MAC地址会变化。由于客户端证书的唯一性,同一终端设备仅具有唯一且持久的客户端证书。在同一终端设备的MAC地址发生变化时,在认证接入过程中,基于该终端设备的客户端证书很容易识别这种变化。因此,在第一终端设备10的第一MAC地址发生变化,从第一MAC地址改变为第二MAC地址时,接入设备20基于该客户端证书能够容易识别这种变化,进而有利于后续及时 更新该MAC地址,确保对第一终端设备10的唯一识别。As mentioned above, in complex application scenarios, the same terminal device may have two MAC addresses or due to various other reasons, the MAC address of the same terminal device obtained by the access device 20 may change. Due to the uniqueness of client certificates, the same end device only has unique and persistent client certificates. When the MAC address of the same terminal device changes, this change can be easily identified based on the client certificate of the terminal device during the authentication access process. Therefore, when the first MAC address of the first terminal device 10 changes from the first MAC address to the second MAC address, the access device 20 can easily identify this change based on the client certificate, which will facilitate subsequent timely The MAC address is updated to ensure unique identification of the first terminal device 10 .
同样地,如上文提到的,由于DHCP服务器40动态分配IP地址,在第一终端设备10完成认证接入之后,在不同的时间访问网络,其IP地址也会发生变化。由于第一客户端证书的唯一性和持久性,可以基于第一客户端证书来识别这种变化。此外,由于在认证接入过程中基于第一客户端证书识别第一终端设备10的MAC地址是否变化,并在MAC地址变化时会及时更新MAC地址。因此,在后续阶段,也可以直接基于第一终端设备10的MAC地址来识别第一终端设备10的IP地址是否从第一IP地址改变为第二IP地址。Similarly, as mentioned above, since the DHCP server 40 dynamically allocates IP addresses, after the first terminal device 10 completes the authentication access and accesses the network at different times, its IP address will also change. Due to the uniqueness and persistence of the first client certificate, this change can be identified based on the first client certificate. In addition, during the authentication access process, whether the MAC address of the first terminal device 10 changes is identified based on the first client certificate, and the MAC address is updated in time when the MAC address changes. Therefore, in a subsequent stage, whether the IP address of the first terminal device 10 is changed from the first IP address to the second IP address can also be directly identified based on the MAC address of the first terminal device 10 .
在本申请的一种具体实现中,基于第一客户端证书,识别第一设备标识是否改变为第二设备标识,包括:获取第二终端设备的第二设备标识和第二终端设备的第二客户端证书;若第二客户端证书与第一客户端证书相同,则确定第一终端设备10与第二终端设备为同一终端设备,且第一设备标识改变为第二设备标识。In a specific implementation of the present application, based on the first client certificate, identifying whether the first device identity is changed to the second device identity includes: obtaining the second device identity of the second terminal device and the second device identity of the second terminal device. Client certificate; if the second client certificate is the same as the first client certificate, it is determined that the first terminal device 10 and the second terminal device are the same terminal device, and the first device identification is changed to the second device identification.
其中,第二终端设备与第一终端设备10可以是同一设备,也可以是不同的设备。接入设备20可以以与第一终端设备10的第一设备标识相同的方式来获取第二终端设备的第二设备标识。由于客户端证书的唯一性和持久性,接入设备20可以基于第二终端设备的第二设备标识中的第二客户端证书与第一客户端证书是否相同,来确定第二终端设备与第一终端设备10是否为同一终端设备。若在认证接入过程中,第一客户端证书与第一客户端证书相同,但第一MAC地址与第二MAC地址不同,则可以确定第一终端设备10与第二终端设备为同一终端设备,且第一终端设备10的MAC地址发生变化。同样地,若在接入认证完成之后,获取具有相同MAC地址的第一终端设备10和第二终端设备分别具有第一IP地址和第二IP地址,且第一IP地址和第二IP地址不同,则可以确定第一终端设备10与第二终端设备为同一终端设备,且第一终端设备10的IP地址从第一IP地址改变为第二IP地址。The second terminal device and the first terminal device 10 may be the same device or different devices. The access device 20 may obtain the second device identification of the second terminal device in the same manner as the first device identification of the first terminal device 10 . Due to the uniqueness and persistence of the client certificate, the access device 20 can determine whether the second terminal device is the same as the first client certificate based on whether the second client certificate in the second device identification of the second terminal device is the same as the first client certificate. Whether a terminal device 10 is the same terminal device. If during the authentication access process, the first client certificate is the same as the first client certificate, but the first MAC address and the second MAC address are different, it can be determined that the first terminal device 10 and the second terminal device are the same terminal device. , and the MAC address of the first terminal device 10 changes. Similarly, if after the access authentication is completed, the first terminal device 10 and the second terminal device with the same MAC address are obtained and have the first IP address and the second IP address respectively, and the first IP address and the second IP address are different. , it can be determined that the first terminal device 10 and the second terminal device are the same terminal device, and the IP address of the first terminal device 10 is changed from the first IP address to the second IP address.
S204、若识别到第一设备标识改变为第二设备标识,则将第一绑定记录中的第一设备标识替换为第二设备标识以更新为第一绑定记录。S204. If it is recognized that the first device identifier has been changed to the second device identifier, replace the first device identifier in the first binding record with the second device identifier to update the first binding record.
具体地,在识别到第一终端设备10的MAC地址从第一MAC地址改变为第二MAC地址的情况下,可以将第一绑定记录中的第一MAC地址更新为第二MAC地址以更新第一绑定记录,从而确保对第一终端设备10的唯一识别。同样地,在第一终端设备10的IP地址从第一IP地址改变为第二IP地址的情况下,可以将第一绑定记录中的第一IP地址更新为第二IP地址以更新第一绑定记录。在识别到第一终端设备10的MAC地址从第一MAC地址改变为第二MAC地址,且端设备的IP地址从第一IP地址改变为第二IP地址的情况,可以将第一绑定记录中的第一MAC地址更新为第二MAC地址,并将第一IP地址更新为第二IP 地址以生更新第一绑定记录,从而确保对第一终端设备10的唯一识别。Specifically, when it is recognized that the MAC address of the first terminal device 10 changes from the first MAC address to the second MAC address, the first MAC address in the first binding record may be updated to the second MAC address to update The first binding record ensures the unique identification of the first terminal device 10 . Similarly, when the IP address of the first terminal device 10 changes from the first IP address to the second IP address, the first IP address in the first binding record can be updated to the second IP address to update the first IP address. Binding records. When it is recognized that the MAC address of the first terminal device 10 has changed from the first MAC address to the second MAC address, and the IP address of the terminal device has changed from the first IP address to the second IP address, the first binding record can be The first MAC address in is updated to the second MAC address, and the first IP address is updated to the second IP address to update the first binding record, thereby ensuring unique identification of the first terminal device 10 .
本申请实施例中,由于第一终端设备的第一客户端证书的唯一性,即使在第一终端设备的第一设备标识改变为第二设备标识时,也即在第一终端设备的MAC地址从第一MAC地址改变为第二MAC地址以及/或者第一终端设备的IP地址从第一IP地址改变为第二MAC地址时,基于第一终端设备的第一客户端证书可以立即识别上述改变并做出更新,从而唯一且准确地识别设备,提高设备识别的准确度。此外,由于基于第一客户端证书的唯一性和持久性,确保第一绑定记录始终唯一标识第一终端设备,因此在处理诸如设备查询、设备更新、设备合并和设备绑定等业务逻辑时,可以显著降低业务逻辑处理的复杂度,提高工作效率。同时,由于基于第一客户端证书的唯一性和持久性,确保第一绑定记录始终唯一标识第一终端设备,避免了为第一终端设备手动设置其他身份标识来唯一标识第一终端设备,节省了人力成本。In the embodiment of the present application, due to the uniqueness of the first client certificate of the first terminal device, even when the first device identification of the first terminal device is changed to the second device identification, that is, the MAC address of the first terminal device When the first MAC address is changed to the second MAC address and/or the IP address of the first terminal device is changed from the first IP address to the second MAC address, the above changes can be immediately identified based on the first client certificate of the first terminal device. And make updates to uniquely and accurately identify devices and improve device identification accuracy. In addition, since the first binding record is guaranteed to always uniquely identify the first terminal device based on the uniqueness and persistence of the first client certificate, when processing business logic such as device query, device update, device merging, and device binding, etc. , which can significantly reduce the complexity of business logic processing and improve work efficiency. At the same time, due to the uniqueness and persistence of the first client certificate, it is ensured that the first binding record always uniquely identifies the first terminal device, avoiding the need to manually set other identity identifiers for the first terminal device to uniquely identify the first terminal device. Save labor costs.
图6是本申请实施例提供的一种用于确定设备唯一标识的装置的结构示意图。该装置60可以是图1中的接入设备,也可以集成在接入设备中,或者与接入设备通信连接以执行前述方法实施例提供的用于对确定设备唯一标识的方法。如5所示,该装置包括:FIG. 6 is a schematic structural diagram of a device for determining a unique identifier of a device provided by an embodiment of the present application. The device 60 may be the access device in Figure 1, may also be integrated in the access device, or may be communicatively connected with the access device to execute the method for determining the unique identification of the device provided by the foregoing method embodiment. As shown in 5, the device includes:
获取模块601,用于获取第一终端设备的第一设备标识和第一终端设备的第一客户端证书,第一设备标识包括第一MAC地址和第一IP地址;Obtaining module 601 is used to obtain the first device identification of the first terminal device and the first client certificate of the first terminal device, where the first device identification includes the first MAC address and the first IP address;
绑定模块602,用于绑定第一客户端证书与第一设备标识,作为第一绑定记录,第一绑定记录用于唯一标识第一终端设备;The binding module 602 is used to bind the first client certificate and the first device identification as the first binding record, and the first binding record is used to uniquely identify the first terminal device;
识别模块603,用于基于第一客户端证书,识别第一设备标识是否改变为第二设备标识,第二设备标识包括第二MAC地址和第二IP地址,第二MAC地址与第一MAC地址不同,和/或,第二IP地址与第一IP地址不同; Identification module 603, configured to identify whether the first device identity is changed to a second device identity based on the first client certificate. The second device identity includes a second MAC address and a second IP address, and the second MAC address and the first MAC address is different, and/or, the second IP address is different from the first IP address;
更新模块604,用于若识别到所述第一设备标识改变为所述第二设备标识,则将所述第一绑定记录中的第一设备标识替换为第二设备标识以更新为第一绑定记录。 Update module 604, configured to replace the first device identifier in the first binding record with the second device identifier to update it to the first device identifier if it is recognized that the first device identifier has been changed to the second device identifier. Binding records.
在一种可能的实现方式中,识别模块具体用于:In a possible implementation, the identification module is specifically used to:
获取第二终端设备的第二设备标识和第二终端设备的第二客户端证书;Obtain the second device identification of the second terminal device and the second client certificate of the second terminal device;
若第二客户端证书与第一客户端证书相同,则确定第一终端设备与第二终端设备为同一终端设备,且第一设备标识改变为第二设备标识。If the second client certificate is the same as the first client certificate, it is determined that the first terminal device and the second terminal device are the same terminal device, and the first device identification is changed to the second device identification.
在一种可能的实现方式中,获取模块具体用于:In a possible implementation, the acquisition module is specifically used to:
获取第一终端设备的第一设备标识和第一终端设备的第一客户端证书,包括:Obtaining the first device identification of the first terminal device and the first client certificate of the first terminal device includes:
从第一终端设备在接入网络时与接入认证服务器的交互信息中,获取第一终端设备的 MAC地址和客户端证书,分别作为第一MAC地址和第一客户端证书;From the interaction information between the first terminal device and the access authentication server when accessing the network, obtain the MAC address and client certificate of the first terminal device as the first MAC address and the first client certificate respectively;
从第一终端设备在请求IP地址时与DHCP服务器的交互信息中,获取第一终端设备的IP地址,作为第一IP地址。Obtain the IP address of the first terminal device as the first IP address from the interaction information between the first terminal device and the DHCP server when requesting the IP address.
在一种可能的实现方式中,获取模块具体用于:In a possible implementation, the acquisition module is specifically used to:
获取第一终端设备在接入网络时发送的认证接入开始请求;Obtain the authentication access start request sent by the first terminal device when accessing the network;
从认证接入开始请求中获取第一终端设备的MAC地址;Obtain the MAC address of the first terminal device from the authentication access start request;
获取第一终端设备在进行网络认证时向认证服务器发送的接入认证请求;Obtain the access authentication request sent by the first terminal device to the authentication server when performing network authentication;
从接入认证请求中获取第一终端设备的客户端证书。Obtain the client certificate of the first terminal device from the access authentication request.
在一种可能的实现方式中,获取模块具体用于:In a possible implementation, the acquisition module is specifically used to:
获取DHCP服务器响应于第一终端设备的DHCP请求而发送的DHCP响应;Obtaining a DHCP response sent by the DHCP server in response to the DHCP request of the first terminal device;
从DHCP响应中获取第一终端设备的IP地址。Obtain the IP address of the first terminal device from the DHCP response.
本实施例提供的用于确定设备唯一标识的装置用于实现前述多个方法实施例中相应的用于确定设备唯一标识的方法,并具有相应的方法实施例的有益效果,在此不再赘述。此外,本实施例的用于确定设备唯一标识的装置中的各个模块的功能实现均可以参考前述方法实施例中的相应部分的描述,在此不再赘述。The device for determining the unique identifier of the device provided in this embodiment is used to implement the corresponding methods for determining the unique identifier of the device in the multiple method embodiments mentioned above, and has the beneficial effects of the corresponding method embodiments, which will not be described again here. . In addition, for the functional implementation of each module in the device for determining the unique identification of a device in this embodiment, reference can be made to the description of the corresponding part in the foregoing method embodiment, and details will not be described again here.
图7是本申请实施例提供的一种电子设备结构示意图。该电子设备70可以是图1中的接入设备20,也可以集成在该接入设备20中,或者与该接入设备20通信连接以执行前述方法实施例提供的用于对确定设备唯一标识的方法。如图7所示,该电子设备可以包括:处理器702、通信接口704、存储有程序(至少一个可执行指令710)的存储器706、以及通信总线708。FIG. 7 is a schematic structural diagram of an electronic device provided by an embodiment of the present application. The electronic device 70 may be the access device 20 in FIG. 1 , may also be integrated in the access device 20 , or may be communicatively connected with the access device 20 to perform the steps provided by the foregoing method embodiments for determining the unique identification of the device. Methods. As shown in Figure 7, the electronic device may include: a processor 702, a communication interface 704, a memory 706 storing a program (at least one executable instruction 710), and a communication bus 708.
处理器、通信接口、以及存储器通过通信总线完成相互间的通信。The processor, communication interface, and memory communicate with each other through the communication bus.
通信接口,用于与其它电子设备或服务器进行通信。Communication interface, used to communicate with other electronic devices or servers.
处理器,用于执行程序,具体可以执行上述方法实施例中的相关步骤。The processor is used to execute the program. Specifically, it can execute the relevant steps in the above method embodiments.
具体地,程序可以包括程序代码,该程序代码包括计算机操作指令。Specifically, the program may include program code including computer operating instructions.
处理器可能是处理器CPU,或者是特定集成电路ASIC(Application Specific Integrated Circuit),或者是被配置成实施本申请实施例的一个或多个集成电路。智能设备包括的一个或多个处理器,可以是同一类型的处理器,如一个或多个CPU;也可以是不同类型的处理器,如一个或多个CPU以及一个或多个ASIC。The processor may be a processor CPU, or an application specific integrated circuit ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement embodiments of the present application. The one or more processors included in the smart device can be the same type of processor, such as one or more CPUs; or they can be different types of processors, such as one or more CPUs and one or more ASICs.
存储器,用于存放程序。存储器可能包含高速RAM存储器,也可能还包括非易失性存储器(non-volatile memory),例如至少一个磁盘存储器。Memory, used to store programs. The memory may include high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
程序具体可以用于使得处理器执行前述方法实施例中提供的用于确定设备唯一标识的方 法。The program can specifically be used to cause the processor to execute the method for determining the unique identification of the device provided in the foregoing method embodiment.
此外,程序中各步骤的具体实现可以参见上述方法实施例中的相应步骤和单元中对应的描述,在此不赘述。所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的设备和模块的具体工作过程,可以参考前述方法实施例中的对应过程描述,在此不再赘述。In addition, for the specific implementation of each step in the program, please refer to the corresponding steps and corresponding descriptions in the units in the above method embodiments, which will not be described again here. Those skilled in the art can clearly understand that for the convenience and simplicity of description, the specific working processes of the above-described devices and modules can be referred to the corresponding process descriptions in the foregoing method embodiments, and will not be described again here.
需要指出,根据实施的需要,可将本申请实施例中描述的各个部件/步骤拆分为更多部件/步骤,也可将两个或多个部件/步骤或者部件/步骤的部分操作组合成新的部件/步骤,以实现本申请实施例的目的。It should be pointed out that according to the needs of implementation, each component/step described in the embodiments of this application can be split into more components/steps, or two or more components/steps or partial operations of components/steps can be combined into New components/steps to achieve the purpose of the embodiments of this application.
上述根据本申请实施例的方法可在硬件、固件中实现,或者被实现为可存储在记录介质(诸如CD ROM、RAM、软盘、硬盘或磁光盘)中的软件或计算机代码,或者被实现通过网络下载的原始存储在远程记录介质或非暂时机器可读介质中并将被存储在本地记录介质中的计算机代码,从而在此描述的方法可被存储在使用通用计算机、专用处理器或者可编程或专用硬件(诸如ASIC或FPGA)的记录介质上的这样的软件处理。可以理解,计算机、处理器、微处理器控制器或可编程硬件包括可存储或接收软件或计算机代码的存储组件(例如,RAM、ROM、闪存等),当所述软件或计算机代码被计算机、处理器或硬件访问且执行时,实现在此描述的方法。此外,当通用计算机访问用于实现在此示出的方法的代码时,代码的执行将通用计算机转换为用于执行在此示出的方法的专用计算机。The above-mentioned methods according to the embodiments of the present application can be implemented in hardware, firmware, or as software or computer code that can be stored in a recording medium (such as CD ROM, RAM, floppy disk, hard disk or magneto-optical disk), or by The computer code downloaded by the network is originally stored in a remote recording medium or a non-transitory machine-readable medium and will be stored in a local recording medium, so that the method described here can be stored using a general-purpose computer, a special-purpose processor or a programmable computer. or such software processing on a recording medium of dedicated hardware (such as ASIC or FPGA). It will be understood that a computer, processor, microprocessor controller, or programmable hardware includes storage components (e.g., RAM, ROM, flash memory, etc.) that can store or receive software or computer code when the software or computer code is used by the computer, When accessed and executed by a processor or hardware, the methods described herein are implemented. Furthermore, when a general-purpose computer accesses code for implementing the methods illustrated herein, execution of the code converts the general-purpose computer into a special-purpose computer for performing the methods illustrated herein.
本申请实施例还提供一种计算机可读存储介质,其上存储有计算机可执行指令,其中,所述计算机可执行指令在被执行时使所述处理器执行前述方法实施例中任一项所述的方法。其具有与前述方法实施例相同的工作原理和技术效果。为避免赘述,此处不再详细说明。Embodiments of the present application also provide a computer-readable storage medium on which computer-executable instructions are stored, wherein when executed, the computer-executable instructions cause the processor to perform any of the foregoing method embodiments. method described. It has the same working principle and technical effect as the aforementioned method embodiment. To avoid redundancy, details will not be explained here.
上文通过附图和优选实施例对本发明进行了详细展示和说明,然而本发明不限于这些已揭示的实施例,基与上述多个实施例本领域技术人员可以知晓,可以组合上述不同实施例中的代码审核手段得到本发明更多的实施例,这些实施例也在本发明的保护范围之内。The present invention has been shown and described in detail through the drawings and preferred embodiments above. However, the present invention is not limited to these disclosed embodiments. Based on the above-mentioned multiple embodiments, those skilled in the art will know that the above-mentioned different embodiments can be combined. The code review means in the method can lead to more embodiments of the present invention, and these embodiments are also within the protection scope of the present invention.

Claims (10)

  1. 一种用于确定设备唯一标识的方法,包括:A method for determining a device's unique identifier, including:
    获取第一终端设备的第一设备标识和所述第一终端设备的第一客户端证书(S201),所述第一设备标识包括第一MAC地址和第一IP地址;Obtain a first device identification of the first terminal device and a first client certificate of the first terminal device (S201), where the first device identification includes a first MAC address and a first IP address;
    绑定所述第一客户端证书与所述第一设备标识,作为第一绑定记录(S202),所述第一绑定记录用于唯一标识所述第一终端设备;Bind the first client certificate and the first device identification as a first binding record (S202), the first binding record is used to uniquely identify the first terminal device;
    基于所述第一客户端证书,识别所述第一设备标识是否改变为第二设备标识(S203),其中所述第二设备标识包括第二MAC地址和第二IP地址,所述第二MAC地址与所述第一MAC地址不同,和/或,所述第二IP地址与所述第一IP地址不同;Based on the first client certificate, identify whether the first device identification is changed to a second device identification (S203), where the second device identification includes a second MAC address and a second IP address, and the second MAC The address is different from the first MAC address, and/or the second IP address is different from the first IP address;
    若识别到所述第一设备标识改变为所述第二设备标识,则将所述第一绑定记录中的第一设备标识替换为第二设备标识以更新为所述第一绑定记录(S204)。If it is recognized that the first device identification has been changed to the second device identification, the first device identification in the first binding record is replaced with the second device identification to update to the first binding record ( S204).
  2. 根据权利要求1所述的方法,其特征在于,所述基于所述第一客户端证书,识别所述第一设备标识是否改变为第二设备标识(S203),包括:The method of claim 1, wherein identifying whether the first device identity is changed to a second device identity based on the first client certificate (S203) includes:
    获取所述第二终端设备的所述第二设备标识和所述第二终端设备的第二客户端证书;Obtain the second device identification of the second terminal device and the second client certificate of the second terminal device;
    若所述第二客户端证书与所述第一客户端证书相同,则确定所述第一终端设备与所述第二终端设备为同一终端设备,且所述第一设备标识改变为所述第二设备标识。If the second client certificate is the same as the first client certificate, it is determined that the first terminal device and the second terminal device are the same terminal device, and the first device identification is changed to the third terminal device. 2. Equipment identification.
  3. 根据权利要求1或2所述的方法,其特征在于,所述获取第一终端设备的第一设备标识和所述第一终端设备的第一客户端证书,包括:The method according to claim 1 or 2, characterized in that said obtaining the first device identification of the first terminal device and the first client certificate of the first terminal device includes:
    从所述第一终端设备在接入网络时与认证服务器的交互信息中,获取所述第一终端设备的MAC地址和客户端证书,分别作为所述第一MAC地址和所述第一客户端证书;From the interaction information between the first terminal device and the authentication server when accessing the network, the MAC address and client certificate of the first terminal device are obtained as the first MAC address and the first client certificate respectively. Certificate;
    从所述第一终端设备在请求IP地址时与DHCP服务器的交互信息中,获取所述第一终端设备的IP地址,作为所述第一IP地址。The IP address of the first terminal device is obtained as the first IP address from the interaction information between the first terminal device and the DHCP server when requesting the IP address.
  4. 根据权利要求3所述的方法,其特征在于,所述从所述第一终端设备在接入网络时与认证服务器的交互信息中,获取所述第一终端设备的MAC地址和客户端证书,分别作为所述第一MAC地址和所述第一客户端证书,包括:The method according to claim 3, characterized in that the MAC address and client certificate of the first terminal device are obtained from the interaction information between the first terminal device and the authentication server when accessing the network, As the first MAC address and the first client certificate respectively, include:
    获取所述第一终端设备在接入网络时发送的认证接入开始请求;Obtain the authentication access start request sent by the first terminal device when accessing the network;
    从所述认证接入开始请求中获取所述第一终端设备的MAC地址,作为所述第一MAC地址;Obtain the MAC address of the first terminal device from the authentication access start request as the first MAC address;
    获取所述第一终端设备在进行网络认证时向所述认证服务器发送的接入认证请求;Obtain the access authentication request sent by the first terminal device to the authentication server when performing network authentication;
    从所述接入认证请求中获取所述第一终端设备的客户端证书,作为所述第一客户端证书。Obtain the client certificate of the first terminal device from the access authentication request as the first client certificate.
  5. 根据权利要求3所述的方法,其特征在于,所述从所述第一终端设备在请求IP地址时与DHCP服务器的交互信息中,获取所述第一终端设备的IP地址,作为所述第一IP地址,包括:The method of claim 3, wherein the IP address of the first terminal device is obtained from the interaction information between the first terminal device and the DHCP server when requesting the IP address as the third terminal device. An IP address, including:
    获取所述DHCP服务器响应于所述第一终端设备的DHCP请求而发送的DHCP响应;Obtaining a DHCP response sent by the DHCP server in response to the DHCP request of the first terminal device;
    从所述DHCP响应中获取所述第一终端设备的IP地址,作为所述第一IP地址。Obtain the IP address of the first terminal device from the DHCP response as the first IP address.
  6. 一种用于确定设备唯一标识的装置,包括:A device for determining the unique identification of equipment, including:
    获取模块(601),用于获取所述第一终端设备的第一设备标识和所述第一终端设备的第一客户端证书,所述第一设备标识包括第一MAC地址和第一IP地址;Obtaining module (601), configured to obtain a first device identification of the first terminal device and a first client certificate of the first terminal device, where the first device identification includes a first MAC address and a first IP address. ;
    绑定模块(602),用于绑定所述第一客户端证书与所述第一设备标识,作为第一绑定记录,所述第一绑定记录用于唯一标识所述第一终端设备;Binding module (602), configured to bind the first client certificate and the first device identification as a first binding record, the first binding record being used to uniquely identify the first terminal device ;
    识别模块(603),用于基于所述第一客户端证书,识别所述第一设备标识是否改变为第二设备标识,其中所述第二设备标识包括第二MAC地址和第二IP地址,所述第二MAC地址与所述第一MAC地址不同,和/或,所述第二IP地址与所述第一IP地址不同;An identification module (603), configured to identify whether the first device identification is changed to a second device identification based on the first client certificate, where the second device identification includes a second MAC address and a second IP address, The second MAC address is different from the first MAC address, and/or the second IP address is different from the first IP address;
    更新模块(604),用于若识别到所述第一设备标识改变为所述第二设备标识,则将所述第一绑定记录中的第一设备标识替换为第二设备标识以更新为第一绑定记录。Update module (604), configured to, if it is recognized that the first device identification has changed to the second device identification, replace the first device identification in the first binding record with the second device identification to update to First binding record.
  7. 根据权利要求6所述的装置,其特征在于,所述识别模块(603)具体用于:The device according to claim 6, characterized in that the identification module (603) is specifically used to:
    获取所述第二终端设备的所述第二设备标识和所述第二终端设备的第二客户端证书;Obtain the second device identification of the second terminal device and the second client certificate of the second terminal device;
    若所述第二客户端证书与所述第一客户端证书相同,则确定所述第一终端设备与所述第二终端设备为同一终端设备,且所述第一设备标识改变为所述第二设备标识。If the second client certificate is the same as the first client certificate, it is determined that the first terminal device and the second terminal device are the same terminal device, and the first device identification is changed to the third terminal device. 2. Equipment identification.
  8. 根据权利要求7所述的装置,其特征在于,所述获取模块(602)具体用于:The device according to claim 7, characterized in that the acquisition module (602) is specifically used to:
    获取第一终端设备的第一设备标识和所述第一终端设备的第一客户端证书,包括:Obtaining the first device identification of the first terminal device and the first client certificate of the first terminal device includes:
    从所述第一终端设备在接入网络时与认证服务器的交互信息中,获取所述第一终端设备的MAC地址和客户端证书,分别作为所述第一MAC地址和所述第一客户端证书;From the interaction information between the first terminal device and the authentication server when accessing the network, the MAC address and client certificate of the first terminal device are obtained as the first MAC address and the first client certificate respectively. Certificate;
    从所述第一终端设备在请求IP地址时与DHCP服务器的交互信息中,获取所述第一终端设备的IP地址,作为所述第一IP地址。The IP address of the first terminal device is obtained as the first IP address from the interaction information between the first terminal device and the DHCP server when requesting the IP address.
  9. 一种电子设备,包括:处理器(702)、存储器(706)、通信接口(704)和通信总线(708),所述处理器、所述存储器和所述通信接口通过所述通信总线完成相互间的通信;所述存储器用于存放至少一可执行指令(710),所述可执行指令使所述处理器执行如权利要求1-5中任一项所述的方法对应的操作。An electronic device includes: a processor (702), a memory (706), a communication interface (704) and a communication bus (708). The processor, the memory and the communication interface complete each other through the communication bus. communication between; the memory is used to store at least one executable instruction (710), the executable instruction causes the processor to perform operations corresponding to the method described in any one of claims 1-5.
  10. 一种计算机可读存储介质,其上存储有计算机可执行指令,其中,所述计算机可执行指令在被执行时使所述处理器执行根据权利要求1至5中任一项所述的方法。A computer-readable storage medium having computer-executable instructions stored thereon, wherein the computer-executable instructions, when executed, cause the processor to perform the method according to any one of claims 1 to 5.
PCT/CN2022/116362 2022-08-31 2022-08-31 Method and apparatus for determining unique identifier of device, and electronic device WO2024045092A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/116362 WO2024045092A1 (en) 2022-08-31 2022-08-31 Method and apparatus for determining unique identifier of device, and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/116362 WO2024045092A1 (en) 2022-08-31 2022-08-31 Method and apparatus for determining unique identifier of device, and electronic device

Publications (1)

Publication Number Publication Date
WO2024045092A1 true WO2024045092A1 (en) 2024-03-07

Family

ID=90100013

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/116362 WO2024045092A1 (en) 2022-08-31 2022-08-31 Method and apparatus for determining unique identifier of device, and electronic device

Country Status (1)

Country Link
WO (1) WO2024045092A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1416239A (en) * 2001-10-31 2003-05-07 华为技术有限公司 Method for switching in virtual local area network of the access network with mixed optical fiber and coaxial line
US20060025135A1 (en) * 2004-07-28 2006-02-02 Jeyhan Karaoguz Mobile handoff through multi-network simulcasting
CN103973456A (en) * 2014-05-29 2014-08-06 深圳市密思科技有限公司 Small district management system and method based on digital certificates
CN104468862A (en) * 2014-12-15 2015-03-25 北京奇虎科技有限公司 IP address binding method, device and system
US20180034797A1 (en) * 2016-07-26 2018-02-01 International Business Machines Corporation System and method for providing persistent user identification

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1416239A (en) * 2001-10-31 2003-05-07 华为技术有限公司 Method for switching in virtual local area network of the access network with mixed optical fiber and coaxial line
US20060025135A1 (en) * 2004-07-28 2006-02-02 Jeyhan Karaoguz Mobile handoff through multi-network simulcasting
CN103973456A (en) * 2014-05-29 2014-08-06 深圳市密思科技有限公司 Small district management system and method based on digital certificates
CN104468862A (en) * 2014-12-15 2015-03-25 北京奇虎科技有限公司 IP address binding method, device and system
US20180034797A1 (en) * 2016-07-26 2018-02-01 International Business Machines Corporation System and method for providing persistent user identification

Similar Documents

Publication Publication Date Title
US20190007316A1 (en) Controller for software defined network
EP1796342B1 (en) A method for transmitting requests
TWI478564B (en) Method, computer-readable storage medium, and apparatus for secure resource name resolution
US10250646B2 (en) Method and device for establishing channel
US7337224B1 (en) Method and apparatus providing policy-based determination of network addresses
WO2021057889A1 (en) Data processing method and apparatus, electronic device, and storage medium
CN113472817B (en) Gateway access method and device for large-scale IPSec and electronic equipment
WO2019170114A1 (en) Method for sending packet, network device, and computer-readable storage medium
US11418951B2 (en) Method for identifying encrypted data stream, device, storage medium and system
US20080205388A1 (en) Discovery of network devices logically located between a client and a service
US11178230B1 (en) Dynamically managing keepalive status for client-server connections
WO2021197375A1 (en) Roaming networking processing method, apparatus, mobile terminal and readable storage medium
JP7476366B2 (en) Relay method, relay system, and relay program
WO2014188233A1 (en) Methods and systems for dynamic domain name system (ddns)
CN107040389A (en) Result for authentication, authorization, accounting agreement is reported
WO2022116850A1 (en) Method and device for identifying private network user, service system, and storage medium
US20120300776A1 (en) Method for creating virtual link, communication network element, and ethernet network system
WO2024045092A1 (en) Method and apparatus for determining unique identifier of device, and electronic device
CN113364660A (en) Data packet processing method and device in LVS load balancing
CN108123807B (en) System and method for tracing user identity in broadband network
CN111030914B (en) Data transmission method and data transmission system
US20230379295A1 (en) Domain name system analysis on edge network devices
WO2023134557A1 (en) Processing method and apparatus based on industrial internet identifier
WO2017219777A1 (en) Packet processing method and device
TWI727268B (en) Access device for physical link analysis and method thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22956918

Country of ref document: EP

Kind code of ref document: A1