CN106411580A - Device management client and server, and device management methods - Google Patents


Info

Publication number: CN106411580A
Application number: CN201610825976.1A
Authority: CN (China)
Prior art keywords: key, device management, access credentials, management server, service operations
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 林赞荣
Current assignee: Nubia Technology Co Ltd
Original assignee: Nubia Technology Co Ltd
Events: application filed by Nubia Technology Co Ltd; priority to CN201610825976.1A; publication of CN106411580A; legal status pending (current)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/04 Network management architectures or arrangements
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The present invention provides a device management client and server, and device management methods. A service operation request is initiated to the device management server, wherein the service operation request carries account information of a terminal; the device management server authenticates the account information, generates an access ticket, a first secret key and a second secret key that are corresponding to each other after authentication succeeds, and sends the access ticket and the first secret key to the device management client; after service data is encrypted by using the first secret key, the access ticket and the service data are sent to the device management server for service operation processing. According to the device management client and server, and the device management methods, encryption in the device management process is realized, and the first secret key and the second secret key are combined for encryption, so that the security is greatly improved.

Description

Device management client, server and device management method
Technical field
The present invention relates to the field of communication technology, and more particularly to a device management client, a device management server and a device management method.
Background
With the development of Internet of Things technology, making devices intelligent (smart homes, wearable devices, in-vehicle systems and legacy equipment) is the prevailing trend. The more intelligent a device is, the more device management it requires, including firmware upgrade, software management, diagnosis and monitoring, and so on. Because device management functions are becoming ever richer and most of them touch the privacy of the user, the security of the data exchange generally has to be ensured by encryption. In the prior art, however, the process is either not encrypted at all, or all encryption uses one unified key, so security is very low.
Summary of the invention
The technical problem to be solved by the present invention is how to avoid the low security that results from a single-key encryption scheme in device management. To this end, a device management client is provided, comprising:
a first sending module for initiating a service operation request to a device management server, the service operation request carrying the account information of the terminal;
a first receiving module for receiving an access credential and a first key obtained by the device management server according to the service operation request;
a second sending module for sending the access credential and the service data encrypted with the first key to the device management server.
Optionally, the service operation request comprises a service-enable policy request or a service-disable policy request; the service-enable policy request at least comprises a service type and a service-enable timing.
Optionally, the account information at least comprises an account and a password; or the account information comprises an account, a password and a unique device identifier.
In addition, a device management server is provided, comprising:
a second receiving module for receiving a service operation request sent by a device management client, the service operation request carrying the account information of the terminal;
a generation module for generating, after the account information passes authentication, an access credential, a first key and a second key according to the service operation request, wherein the access credential, the first key and the second key correspond to each other;
a third sending module for sending the access credential and the first key to the device management client;
a third receiving module for receiving the access credential and the encrypted service data sent by the device management client and performing service operation processing.
Optionally, the third receiving module is configured to: receive the access credential and the encrypted parameter information sent by the device management client; determine whether the access credential is valid; and, after determining that the access credential is valid, look up the second key corresponding to the access credential and use it to decrypt the encrypted service data.
In addition, a device management method is provided, comprising:
initiating a service operation request to a device management server, the service operation request carrying the account information of the terminal;
receiving an access credential and a first key obtained by the device management server according to the service operation request;
sending the access credential and the service data encrypted with the first key to the device management server.
Optionally, the service operation request comprises a service-enable policy request or a service-disable policy request; the service-enable policy request at least comprises a service type and a service-enable timing.
Optionally, the account information at least comprises an account and a password; or the account information comprises an account, a password and a unique device identifier.
In addition, a device management method is provided, comprising:
receiving a service operation request sent by a device management client, the service operation request carrying the account information of the terminal;
after the account information passes authentication, generating an access credential, a first key and a second key according to the service operation request, wherein the access credential, the first key and the second key correspond to each other;
sending the access credential and the first key to the device management client;
receiving the access credential and the encrypted service data sent by the device management client, and performing service operation processing.
Optionally, receiving the access credential and the encrypted service data sent by the device management client and performing service operation processing comprises: receiving the access credential and the encrypted parameter information sent by the device management client; determining whether the access credential is valid; and, after determining that the access credential is valid, looking up the second key corresponding to the access credential and decrypting the encrypted service data with it.
In addition, a mobile terminal is provided, comprising the device management client described above.
In addition, a server is provided, comprising the device management server described above.
Beneficial effects
The present invention provides a device management client, a device management server and a device management method. A service operation request carrying the account information of the terminal is initiated to the device management server; the device management server authenticates the account information and, after authentication passes, generates an access credential, a first key and a second key that correspond to each other, and sends the access credential and the first key to the device management client; the service data is encrypted with the first key and then sent, together with the access credential, to the device management server for service operation processing. Through the implementation of the present invention, encryption in the device management process is realised, and the first key and the second key are combined for encryption, which significantly improves security.
Brief description of the drawings
The invention is further described below in conjunction with the drawings and embodiments, in which:
Fig. 1 is a schematic diagram of the hardware structure of a mobile terminal for implementing the embodiments of the present invention;
Fig. 2 is a schematic diagram of the hardware structure of a server for implementing the embodiments of the present invention;
Fig. 3 is a schematic diagram of the composition of the device management client provided by the first embodiment of the present invention;
Fig. 4 is a schematic diagram of the composition of the device management server provided by the second embodiment of the present invention;
Fig. 5 is a schematic diagram of the composition of the device management system provided by the third embodiment of the present invention;
Fig. 6 is a flow chart of the device management method provided by the fourth embodiment of the present invention;
Fig. 7 is a flow chart of the device management method provided by the fifth embodiment of the present invention.
Specific embodiments
It should be understood that the specific embodiments described herein are only for explaining the present invention and are not intended to limit it.
A mobile terminal for implementing the embodiments of the present invention is now described with reference to the drawings. In the following description, the suffix "unit" used to denote elements is only for the convenience of explaining the present invention and has no specific meaning in itself.
Mobile terminals may be implemented in various forms. For example, the terminals described in the present invention may include mobile terminals such as mobile phones, smart phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players) and navigation devices, as well as fixed terminals such as digital TVs and desktop computers. In the following it is assumed that the terminal is a mobile terminal; however, those skilled in the art will understand that, apart from elements used specifically for mobile purposes, the construction according to the embodiments of the present invention can also be applied to fixed-type terminals. The mobile terminal of this embodiment can implement the device management client of the various embodiments of the present invention.
Fig. 1 is a schematic diagram of the hardware structure of a mobile terminal for implementing the embodiments of the present invention.
The mobile terminal 100 may include a wireless communication unit 110, an A/V (audio/video) input unit 120, a user input unit 130, a sensing unit 140, an output unit 150, a memory 160, an interface unit 170, a controller 180, a power supply unit 190 and so on. Fig. 1 shows a mobile terminal with various components, but it should be understood that not all of the illustrated components are required; more or fewer components may alternatively be implemented. The elements of the mobile terminal are described in more detail below.
The wireless communication unit 110 typically includes one or more components that permit radio communication between the mobile terminal 100 and a wireless communication system or network. For example, the wireless communication unit may include at least one of a mobile communication unit 112, a wireless Internet unit 113, a short-range communication unit 114 and a position information unit 115.
The mobile communication unit 112 transmits radio signals to and/or receives radio signals from at least one of a base station (for example, an access point), an external terminal and a server. Such radio signals may include voice call signals, video call signals, or various types of data transmitted and/or received according to text and/or multimedia messages.
The wireless Internet unit 113 supports wireless Internet access for the mobile terminal. This unit may be internally or externally coupled to the terminal. The wireless Internet access technologies involved may include WLAN (Wi-Fi), Wibro (wireless broadband), WiMAX (Worldwide Interoperability for Microwave Access), HSDPA (High Speed Downlink Packet Access) and so on.
The short-range communication unit 114 is a unit for supporting short-range communication. Some examples of short-range communication technology include Bluetooth™, Radio Frequency Identification (RFID), Infrared Data Association (IrDA), Ultra-Wideband (UWB), ZigBee™ and so on.
The position information unit 115 is a unit for checking or obtaining position information of the mobile terminal. A typical example of the position information unit is a GPS (Global Positioning System) unit. According to current technology, the GPS unit 115 calculates distance information from three or more satellites together with accurate time information and applies triangulation to the calculated information, so as to accurately calculate three-dimensional current position information according to longitude, latitude and altitude. Currently, the method of calculating position and time information uses three satellites and corrects the error of the calculated position and time information using a further satellite. In addition, the GPS unit 115 can calculate speed information by continuously calculating the current position information in real time.
The A/V input unit 120 is used to receive audio or video signals. The A/V input unit 120 may include a camera 121 and a microphone 122. The camera 121 processes image data of still pictures or video obtained by an image capture device in a video capture mode or an image capture mode. The processed image frames may be displayed on the display unit 151. The image frames processed by the camera 121 may be stored in the memory 160 (or other storage medium) or transmitted via the wireless communication unit 110; two or more cameras 121 may be provided according to the construction of the mobile terminal. The microphone 122 can receive sound (audio data) via a microphone in operating modes such as a phone call mode, a recording mode and a voice recognition mode, and can process such sound into audio data. In the phone call mode, the processed audio (voice) data may be converted into a format that can be transmitted to a mobile communication base station via the mobile communication unit 112 for output. The microphone 122 may implement various types of noise elimination (or suppression) algorithms to eliminate (or suppress) noise or interference generated in the course of receiving and transmitting audio signals.
The user input unit 130 may generate key input data according to commands input by the user to control various operations of the mobile terminal. The user input unit 130 allows the user to input various types of information, and may include a keypad, a dome switch, a touch pad (for example, a touch-sensitive component that detects changes in resistance, pressure, capacitance and so on due to being touched), a jog wheel, a jog switch and so on. In particular, when the touch pad is superimposed on the display unit 151 as a layer, a touch screen may be formed.
The sensing unit 140 detects the current state of the mobile terminal 100 (for example, the open or closed state of the mobile terminal 100), the position of the mobile terminal 100, the presence or absence of user contact with the mobile terminal 100 (that is, touch input), the orientation of the mobile terminal 100, the acceleration or deceleration movement and direction of the mobile terminal 100, and so on, and generates commands or signals for controlling the operation of the mobile terminal 100. For example, when the mobile terminal 100 is implemented as a slide-type mobile phone, the sensing unit 140 may sense whether the slide-type phone is open or closed. In addition, the sensing unit 140 can detect whether the power supply unit 190 supplies power or whether the interface unit 170 is coupled with an external device. The sensing unit 140 may include a light sensor 141.
The interface unit 170 serves as an interface through which at least one external device can be connected with the mobile terminal 100. For example, the external device may include a wired or wireless headset port, an external power supply (or battery charger) port, a wired or wireless data port, a memory card port, a port for connecting a device having an identification unit, an audio input/output (I/O) port, a video I/O port, an earphone port and so on. The identification unit may store various information for authenticating the user's use of the mobile terminal 100 and may include a User Identity Module (UIM), a Subscriber Identity Module (SIM), a Universal Subscriber Identity Module (USIM) and so on. In addition, the device having the identification unit (hereinafter referred to as the "identifying device") may take the form of a smart card; the identifying device may therefore be connected with the mobile terminal 100 via a port or other connecting means. The interface unit 170 may be used to receive input (for example, data information, power) from an external device and transfer the received input to one or more elements within the mobile terminal 100, or may be used to transfer data between the mobile terminal and the external device.
In addition, when the mobile terminal 100 is connected with an external cradle, the interface unit 170 may serve as a path through which power from the cradle is supplied to the mobile terminal 100, or as a path through which various command signals input from the cradle are transferred to the mobile terminal. The various command signals or the power input from the cradle may serve as signals for recognising whether the mobile terminal is correctly mounted on the cradle. The output unit 150 is configured to provide output signals (for example, audio signals, video signals, alarm signals, vibration signals) in a visual, audio and/or tactile manner.
The output unit 150 may include a display unit 151, an audio output unit 152 and so on.
The display unit 151 may display information processed in the mobile terminal 100. For example, when the mobile terminal 100 is in a phone call mode, the display unit 151 may display a user interface (UI) or graphical user interface (GUI) related to the call or to other communication (for example, text messaging, multimedia file downloading). When the mobile terminal 100 is in a video call mode or an image capture mode, the display unit 151 may display captured and/or received images, a UI or GUI showing the video or image and related functions, and so on.
Meanwhile, when the display unit 151 and the touch pad are superimposed on one another as a layer to form a touch screen, the display unit 151 may serve as both an input device and an output device. The display unit 151 may include at least one of a liquid crystal display (LCD), a thin film transistor LCD (TFT-LCD), an organic light-emitting diode (OLED) display, a flexible display, a three-dimensional (3D) display and so on. Some of these displays may be configured to be transparent so as to allow viewing from the outside; these may be referred to as transparent displays, and a typical transparent display may be, for example, a TOLED (transparent organic light-emitting diode) display. According to the particular desired embodiment, the mobile terminal 100 may include two or more display units (or other display devices); for example, the mobile terminal may include an external display unit (not shown) and an internal display unit (not shown). The touch screen may be used to detect touch input pressure as well as touch input position and touch input area.
The audio output unit 152 may convert audio data received by the wireless communication unit 110 or stored in the memory 160 into an audio signal and output it as sound when the mobile terminal is in a call signal reception mode, a call mode, a recording mode, a voice recognition mode, a broadcast reception mode and so on. Moreover, the audio output unit 152 may provide audio output related to a particular function performed by the mobile terminal 100 (for example, a call signal reception sound, a message reception sound). The audio output unit 152 may include a speaker, a buzzer and so on.
The memory 160 may store software programs for the processing and control operations executed by the controller 180, or may temporarily store data that has been or will be output (for example, phone book, messages, still images, video). Moreover, the memory 160 may store data regarding the vibration and audio signals of various patterns output when a touch is applied to the touch screen.
The memory 160 may include at least one type of storage medium, including flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disk and so on. Moreover, the mobile terminal 100 may cooperate with a network storage device that performs the storage function of the memory 160 over a network connection.
The controller 180 generally controls the overall operation of the mobile terminal. For example, the controller 180 performs the control and processing related to voice calls, data communication, video calls and so on. In addition, the controller 180 may include a multimedia unit 181 for reproducing (or playing back) multimedia data; the multimedia unit 181 may be constructed within the controller 180 or separately from the controller 180. The controller 180 may perform pattern recognition processing to recognise handwriting input or drawing input performed on the touch screen as characters or images.
The power supply unit 190 receives external power or internal power under the control of the controller 180 and provides the appropriate power required to operate each element and component.
The various embodiments described herein may be implemented in a computer-readable medium using computer software, hardware or any combination thereof. For a hardware implementation, the embodiments described herein may be implemented using at least one of application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors and electronic units designed to perform the functions described herein; in some cases such embodiments may be implemented in the controller 180. For a software implementation, embodiments such as procedures or functions may be implemented with separate software modules that allow at least one function or operation to be performed. Software code may be implemented by a software application (or program) written in any suitable programming language, and the software code may be stored in the memory 160 and executed by the controller 180.
Thus far, the mobile terminal has been described according to its functions. Below, for brevity, a slide-type mobile terminal among the various types of mobile terminals such as folder-type, bar-type, swing-type and slide-type mobile terminals will be described as an example. The present invention can therefore be applied to any type of mobile terminal and is not limited to the slide-type mobile terminal.
The mobile terminal 100 as shown in Fig. 1 may be configured to operate with communication systems that transmit data via frames or packets, such as wired and wireless communication systems and satellite-based communication systems.
Fig. 2 is a schematic structural diagram of a server for implementing the embodiments of the present invention. The server at least includes an input/output (IO) bus 21, a processor 22, a memory 23, an internal memory 24 and a communication device 25, wherein:
the input/output (IO) bus 21 is connected with the other parts of the server to which it belongs (the processor 22, the memory 23, the internal memory 24 and the communication device 25) and provides transmission lines for them;
the processor 22 generally controls the overall operation of the server to which it belongs; for example, the processor 22 performs operations such as computation and confirmation, and may be a central processing unit (CPU);
the memory 23 stores processor-readable, processor-executable software code containing the instructions that control the processor 22 to perform the functions described herein (that is, software-implemented functions);
in the device management server provided by the present invention, the software code implementing the functions of the second receiving module, the generation module, the third sending module and the third receiving module may be stored in the memory 23 and executed after being executed or compiled by the processor 22;
the internal memory 24 generally uses semiconductor memory cells, including random access memory (RAM), read-only memory (ROM) and cache (CACHE), of which RAM is the most important. The internal memory 24 is one of the important parts of a computer: it is the bridge of communication with the CPU 22, all programs in the computer run in the internal memory, and its function is to temporarily hold the operational data of the CPU 22 and the data exchanged with external storage such as a hard disk. As long as the computer is running, the CPU 22 transfers the data that needs to be computed into the internal memory for operation and, after the computation is completed, sends the result out; the operation of the internal memory therefore also determines the stable operation of the computer;
the communication device 25 generally includes one or more components that permit radio communication between the server to which it belongs and a wireless communication system or network.
A detailed description is given below by way of specific embodiments.
First embodiment
Referring to Fig. 3, Fig. 3 is a schematic diagram of the modules of the device management client provided by the first embodiment of the present invention.
The device management client in this embodiment comprises:
a first sending module 301 for initiating a service operation request to the device management server, the service operation request carrying the account information of the terminal;
a first receiving module 302 for receiving the access credential and the first key obtained by the device management server according to the service operation request;
a second sending module 303 for sending the access credential and the service data encrypted with the first key to the device management server.
The device management client is generally located in the terminal and acts as the gateway for terminal management: the terminal interacts with the device management server through the device management client to realise the device management functions of the terminal, where device management of the terminal may include firmware upgrade, software management, diagnosis and monitoring, connectivity, device capability, lock and wipe, and the like.
Firmware upgrade mainly updates the application software of the device. It is carried out by the manufacturer of the device, the hardware of the device generally does not change, and the updates, which may be periodic or irregular, are based on adding new functions, fixing bugs in old versions, routine maintenance and so on.
Software management allows remote installation, deletion, starting, closing and retrieval of application software, and primarily relates to the remote software management function in device management.
Diagnosis and monitoring monitors the state of the terminal, including managing and monitoring RF (Radio Frequency) settings, battery status, memory usage, the process list and so on; from this information one can judge whether the terminal is running normally, whether it needs adjustment, whether it can bear more application processes, and so on.
Connectivity refers to the parameter settings of the terminal's network connection: managing the cellular network and baseband parameters, APN, CDMA, LTE and so on.
Device capability allows the management organisation to remotely activate the terminal or peripheral components of the terminal, such as encryption settings, camera, Bluetooth, GPS and so on.
Lock and wipe is generally applied when the terminal is stolen, sold or its data is corrupted: the device is remotely locked or wiped, where wiping may also be called formatting and means closing the terminal's access rights, or removing all data in the terminal, or both.
In this embodiment each of the above device management functions may form part of a service operation request. These device management functions belong to the service-enable policy; correspondingly there is also a service-disable policy. The service-enable policy request, as a service operation request, at least includes the service type and the service-enable timing: the service type is one of the device management functions above, and the service-enable timing refers to when the function is enabled or disabled, including: enable under Wi-Fi, that is, the terminal enables the function when it is connected to a wireless network; enable at night, where a start time and an end time can be set; enable when idle, that is, when the terminal is not being operated by the user and no non-default application is running on the terminal; execute automatically, that is, without user confirmation, the function is executed directly once the service operation request passes; execute after user confirmation, that is, the function is executed only after the user confirms, once the service operation request passes.
The first sending module 301 initiates a service operation request to the device management server; the service operation request carries the account information of the terminal. The account information at least includes an account and a password, or it may include an account, a password and a device unique identifier. The account is the credential required when the terminal performs device management through the device management server and is obtained by the user registering in advance; the password corresponds to the account and may be the value obtained by applying MD5 encryption to the plaintext password together with other parameters. The device unique identifier may be the IMEI (International Mobile Equipment Identity) of the device: each terminal corresponds to one identifier, no two terminals share one, and therefore a terminal can be uniquely determined from its IMEI value. Carrying the account information in the service operation request ensures that the device management server can uniquely determine the terminal corresponding to the request, so that subsequent processing can take place.
The first receiver module 302 receives the access credentials and the first key that the device management server obtains according to the service operation request. After receiving the service operation request sent by the terminal, the device management server first authenticates the account information in the request and judges whether this account information has permission to perform the corresponding settings of the service operation request. The permission here may include: the account information reported by the terminal is legal, and the service requested by the terminal is allowed. When the account information includes the IMEI value of the terminal, it further includes judging whether the account, the password and this IMEI value match, i.e. whether the account and password correspond to the IMEI value.
If authentication fails, the device management server terminates the service operation request of this terminal. If authentication passes, the account information provided by the terminal meets the corresponding conditions, and the device management server generates, according to the service operation request initiated by the terminal, access credentials, a first key and a second key corresponding to that request, where the access credentials, the first key and the second key correspond to each other. The access credentials, which may also be called a TokenID, are the credential with which the terminal subsequently interacts with the device management server; they may be composed from the server address, user information, client IP address, timestamp, etc. The server address is the address of the device management server in the network; the user information is the account information provided by the terminal, including the account and password, and optionally the IMEI; the client IP address is the address of the device management client in the network; the timestamp is a time mark, which may be the timestamp at which the user reported the service operation request or the timestamp at which the device management server authenticated it. The device management server may select any number of these pieces of information to compose the TokenID.
The first key and the second key are both keys for encrypting and decrypting data. The first key is the key with which the device management client encrypts and decrypts data and may also be called the message private key; the second key is the key with which the device management server encrypts and decrypts data and may also be called the message public key. That is, when data is sent from the device management server to the device management client, it may be encrypted with the second key (the message public key) and decrypted at the device management client with the first key (the message private key); when data is sent from the device management client to the device management server, it may be encrypted with the first key (the message private key) and decrypted at the device management server with the second key (the message public key). The first key and the second key appear as a pair and correspond to the access credentials TokenID, so that the corresponding first key and second key can be uniquely determined from the TokenID. In other words, each user and its corresponding terminal correspond to one TokenID together with one first key and one second key.
The second sending module 303 sends the access credentials and the business data encrypted with the first key to the device management server. After passing the authentication of the device management server, the device management client has received the access credentials and the first key fed back by the server; the access credentials may have been encrypted with the second key at the device management server side or left unencrypted. After initiating the service operation request, the terminal still needs to send necessary business data to the device management server in subsequent operations, or may have further service operation requests; the business data may include terminal parameters, user configuration information, etc. When the terminal needs to send data to the device management server again, it first encrypts the data to be sent, which may include business data, with the first key fed back by the device management server; after encryption is complete, it sends the access credentials together with the encrypted business data to the device management server. The access credentials here are usually not encrypted, because the device management server needs the access credentials sent by the terminal to determine the corresponding second key and then decrypt the encrypted business data with the second key. Since one set of access credentials corresponds to one first key and one second key, the access credentials sent by the terminal uniquely determine the corresponding second key; the business data was encrypted with the first key, so once the second key has been determined from the access credentials the business data can be decrypted. The access credentials may of course also be illegal, i.e. fail verification at the device management server side, which indicates that they were not generated by the device management server or that they have expired or become invalid. When verification of the access credentials fails, an operation failure is fed back to the device management client and the operation is terminated.
After the business data has been successfully decrypted with the second key, the decrypted business data may be saved and subsequent device management operations performed according to it; the business data is persisted to a database and supplied to subsequent device management services. At this point the business operation flow is complete, and the device management server feeds back to the device management client a prompt or indication that the business operation is complete, informing the user that the operation succeeded.
If there are further business operations, the corresponding service operation request may be sent directly to the device management server through the second sending module 303; the service operation request is encrypted with the first key and decrypted at the device management server with the second key, after which the server parses the service operation request.
In addition, in this embodiment the format of the data exchanged between the device management client and the device management server may be JSON, Protobuffer or a similar format, which reduces unnecessary redundant data in each interaction and improves interaction efficiency and the cleanliness of the system.
This embodiment provides a device management client including a first sending module, a first receiver module and a second sending module. The first sending module initiates a service operation request to the device management server, the service operation request carrying the account information of the terminal; the first receiver module receives the access credentials and the first key that the device management server obtains according to the service operation request; the second sending module sends the access credentials and the business data encrypted with the first key to the device management server. Encryption in the device management process is thereby achieved, and because the encryption is performed with the paired first key and second key, security is significantly improved.
Second embodiment
Referring to Fig. 4, Fig. 4 is a schematic diagram of the composition of a device management server provided by the second embodiment of the invention.
The device management server in this embodiment includes:
a second receiver module 401, for receiving the service operation request sent by the device management client, the service operation request carrying the account information of the terminal;
a generation module 402, for generating access credentials, a first key and a second key according to the service operation request after the account information passes authentication, where the access credentials, the first key and the second key correspond to each other;
a third sending module 403, for sending the access credentials and the first key to the device management client;
a third receiver module 404, for receiving the access credentials and the encrypted business data sent by the device management client and performing service operation processing.
The service operation request may be a service enabling policy request or a service shutdown policy request, where a service enabling policy request at least includes a service type and a service enabling timing. The service type refers to one of the device management functions, which may include firmware upgrade, software management, diagnosis and monitoring, connectivity, device capability, lock and wipe, etc. The service enabling timing specifies when the device management function is enabled or closed, including: enable under WIFI, i.e. enable when the terminal is connected to a wireless network; enable at night, for which a start time and an end time can be set; enable when idle, i.e. when the terminal is not being operated by the user and no non-default application is running on the terminal; execute automatically, i.e. execute directly once the service operation request has passed, without user confirmation; execute after user confirmation, i.e. once the service operation request has passed, execute only after the user confirms.
The second receiver module 401 receives the service operation request sent by the device management client; the service operation request carries the account information of the terminal. The account information at least includes an account and a password, or it may include an account, a password and a device unique identifier. The account is the credential required when the terminal performs device management through the device management server and is obtained by the user registering in advance; the password corresponds to the account and may be the value obtained by applying MD5 encryption to the plaintext password together with other parameters. The device unique identifier may be the IMEI of the device: each terminal corresponds to one IMEI value, no two terminals share one, and therefore a terminal can be uniquely determined from its IMEI. After receiving the service operation request carrying the account information, the second receiver module 401 can uniquely determine from that account information the terminal that initiated the request, so that subsequent processing can take place.
The generation module 402 generates access credentials, a first key and a second key according to the service operation request after the account information passes authentication. That is, before the access credentials are generated, the account information of the terminal that sent the received service operation request must be authenticated, judging whether this account information has permission to perform the corresponding settings of the service operation request. The permission here may include: the account information reported by the terminal is legal, and the service requested by the terminal is allowed. When the account information includes the IMEI value of the terminal, it further includes judging whether the account, the password and this IMEI value match, i.e. whether the account and password correspond to the IMEI value. If authentication fails, the service operation request is illegal and cannot pass, and the device management server may send a message indicating the failure to the device management client that initiated the request; the prompt may read "wrong account or password", "match failed" or a similar message.
If authentication passes, the generation module 402 generates access credentials, a first key and a second key according to the service operation request, where the access credentials, the first key and the second key correspond to each other. The access credentials, which may also be called a TokenID, are the credential with which the device management client subsequently interacts with the device management server; they may be composed from the server address, user information, client IP address, timestamp, etc. The server address is the address of the device management server in the network; the user information is the account information provided by the terminal, including the account and password, and optionally the IMEI; the client IP address is the address of the device management client in the network; the timestamp is a time mark, which may be the timestamp at which the user reported the service operation request or the timestamp at which the device management server authenticated it. The generation module 402 may select any number of these pieces of information to compose the TokenID.
The first key and the second key are both keys for encrypting and decrypting data. The first key is the key with which the device management client encrypts and decrypts data, also called the message private key; the second key is the key with which the device management server encrypts and decrypts data, also called the message public key. When data is sent from the device management server to the device management client, it may be encrypted with the second key (the message public key) and decrypted at the device management client with the first key (the message private key); when data is sent from the device management client to the device management server, it may be encrypted with the first key (the message private key) and decrypted at the device management server with the second key (the message public key). The first key and the second key appear as a pair and correspond to the access credentials TokenID, so that the corresponding first key and second key can be uniquely determined from the TokenID. In other words, each user and its corresponding terminal correspond to one TokenID together with one first key and one second key.
The third sending module 403 sends the access credentials and the first key to the device management client. The access credentials may be encrypted with the second key or left unencrypted. The access credentials serve as the credential presented when the device management client later sends business data to the device management server: from the access credentials the device management server can determine whether the business data is legal and select the second key corresponding to these access credentials to decrypt the business data that was encrypted with the first key.
The third receiver module 404 receives the access credentials and the encrypted business data sent by the device management client and performs service operation processing. After initiating the service operation request, the terminal still needs to send necessary business data to the device management server in subsequent operations, or may have further service operation requests; the business data may include terminal parameters, user configuration information, etc. When the terminal needs to send data to the device management server again, it first encrypts the data to be sent, which may include business data, with the first key fed back by the device management server; after encryption is complete, it sends the access credentials together with the encrypted business data to the device management server. The access credentials here are usually not encrypted, because the device management server needs the access credentials sent by the terminal to determine the corresponding second key and then decrypt the encrypted business data with the second key. Since one set of access credentials corresponds to one first key and one second key, the access credentials sent by the terminal uniquely determine the corresponding second key; the business data was encrypted with the first key, so once the second key has been determined from the access credentials the business data can be decrypted. The access credentials may of course also be illegal, i.e. fail verification at the device management server side, which indicates that they were not generated by the device management server or that they have expired or become invalid. When verification of the access credentials fails, an operation failure is fed back to the device management client and the operation is terminated.
After the business data has been successfully decrypted with the second key, the decrypted business data may be saved and subsequent device management operations performed according to it; the business data is persisted to a database and supplied to subsequent device management services. At this point the business operation flow is complete, and the device management server feeds back to the device management client a prompt or indication that the business operation is complete, informing the user that the operation succeeded.
In addition, in this embodiment the format of the data exchanged between the device management client and the device management server may be JSON, Protobuffer or a similar format, which reduces unnecessary redundant data in each interaction and improves interaction efficiency and the cleanliness of the system.
This embodiment provides a device management server including a second receiver module, a generation module, a third sending module and a third receiver module. The second receiver module receives the service operation request sent by the device management client, the service operation request carrying the account information of the terminal; after the account information passes authentication, the generation module generates access credentials, a first key and a second key according to the service operation request, where the access credentials, the first key and the second key correspond to each other; the third sending module sends the access credentials and the first key to the device management client; the third receiver module receives the access credentials and the encrypted business data sent by the device management client and performs service operation processing. Encryption in the device management process is thereby achieved, and because the encryption is performed with the paired first key and second key, security is significantly improved.
3rd embodiment
Referring to Fig. 5, Fig. 5 is a schematic diagram of the composition of a device management system provided by the third embodiment of the invention, including a device management server and a device management client. The device management server includes a communicator 2525, a processor 2222 and a memory 2424; the device management client includes a wireless communication unit 110 and a controller 180. The wireless communication unit 110 in the device management client sends a service operation request to the device management server, the service operation request carrying the account information of the terminal. The communicator 25 in the device management server receives the service operation request and, after the account information in the service operation request passes authentication, generates access credentials, a first key and a second key according to the service operation request, where the access credentials, the first key and the second key correspond to each other; the communication unit then sends the access credentials and the first key to the device management client. The wireless communication unit 110 in the device management client receives the access credentials and the first key sent by the device management server, the business data is encrypted with the first key, and the wireless communication unit 110 sends the access credentials and the encrypted business data to the device management server. The communicator 25 in the device management server receives the access credentials and the encrypted business data sent by the device management client and performs service operation processing.
The device management client is generally located in the terminal and serves as the gateway for terminal management: the terminal interacts with the device management server through the device management client to realise the device management functions of the terminal. The device management of the terminal may include firmware upgrade, software management, diagnosis and monitoring, connectivity, device capability, lock and wipe, etc.
Each of the device management functions above may, in this embodiment, form part of a service operation request. These device management functions belong to the service enabling policy; correspondingly there is also a service shutdown policy. A service enabling policy request, as one kind of service operation request, at least includes a service type and a service enabling timing. The service type is one of the device management functions above, and the service enabling timing specifies when that function is enabled or closed, including: enable under WIFI, i.e. enable when the terminal is connected to a wireless network; enable at night, for which a start time and an end time can be set; enable when idle, i.e. when the terminal is not being operated by the user and no non-default application is running on the terminal; execute automatically, i.e. execute directly once the service operation request has passed, without user confirmation; execute after user confirmation, i.e. once the service operation request has passed, execute only after the user confirms.
A service operation request is initiated to the device management server; the service operation request carries the account information of the terminal. The account information at least includes an account and a password, or it may include an account, a password and a device unique identifier. The account is the credential required when the terminal performs device management through the device management server and is obtained by the user registering in advance; the password corresponds to the account and may be the value obtained by applying MD5 encryption to the plaintext password together with other parameters. The device unique identifier may be the IMEI (International Mobile Equipment Identity) of the device: each terminal corresponds to one identifier, no two terminals share one, and therefore a terminal can be uniquely determined from its IMEI value. Carrying the account information in the service operation request ensures that the device management server can uniquely determine the terminal corresponding to the request, so that subsequent processing can take place.
The access credentials and the first key that the device management server obtains according to the service operation request are received. After receiving the service operation request sent by the terminal, the device management server first authenticates the account information in the request and judges whether this account information has permission to perform the corresponding settings of the service operation request. The permission here may include: the account information reported by the terminal is legal, and the service requested by the terminal is allowed. When the account information includes the IMEI value of the terminal, it further includes judging whether the account, the password and this IMEI value match, i.e. whether the account and password correspond to the IMEI value.
If authentication fails, the device management server terminates the service operation request of this terminal. If authentication passes, the account information provided by the terminal meets the corresponding conditions, and the device management server generates, according to the service operation request initiated by the terminal, access credentials, a first key and a second key corresponding to that request, where the access credentials, the first key and the second key correspond to each other. The access credentials, which may also be called a TokenID, are the credential with which the terminal subsequently interacts with the device management server; they may be composed from the server address, user information, client IP address, timestamp, etc. The server address is the address of the device management server in the network; the user information is the account information provided by the terminal, including the account and password, and optionally the IMEI; the client IP address is the address of the device management client in the network; the timestamp is a time mark, which may be the timestamp at which the user reported the service operation request or the timestamp at which the device management server authenticated it. The device management server may select any number of these pieces of information to compose the TokenID.
The first key and the second key are both keys for encrypting and decrypting data. The first key is the key with which the device management client encrypts and decrypts data and may also be called the message private key; the second key is the key with which the device management server encrypts and decrypts data and may also be called the message public key. That is, when data is sent from the device management server to the device management client, it may be encrypted with the second key (the message public key) and decrypted at the device management client with the first key (the message private key); when data is sent from the device management client to the device management server, it may be encrypted with the first key (the message private key) and decrypted at the device management server with the second key (the message public key). The first key and the second key appear as a pair and correspond to the access credentials TokenID, so that the corresponding first key and second key can be uniquely determined from the TokenID. In other words, each user and its corresponding terminal correspond to one TokenID together with one first key and one second key.
The access credentials and the business data encrypted with the first key are sent to the device management server. After passing the authentication of the device management server, the device management client has received the access credentials and the first key fed back by the server; the access credentials may have been encrypted with the second key at the device management server side or left unencrypted. After initiating the service operation request, the terminal still needs to send necessary business data to the device management server in subsequent operations, or may have further service operation requests; the business data may include terminal parameters, user configuration information, etc. When the terminal needs to send data to the device management server again, it first encrypts the data to be sent, which may include business data, with the first key fed back by the device management server; after encryption is complete, it sends the access credentials together with the encrypted business data to the device management server. The access credentials here are usually not encrypted, because the device management server needs the access credentials sent by the terminal to determine the corresponding second key and then decrypt the encrypted business data with the second key. Since one set of access credentials corresponds to one first key and one second key, the access credentials sent by the terminal uniquely determine the corresponding second key; the business data was encrypted with the first key, so once the second key has been determined from the access credentials the business data can be decrypted. The access credentials may of course also be illegal, i.e. fail verification at the device management server side, which indicates that they were not generated by the device management server or that they have expired or become invalid. When verification of the access credentials fails, an operation failure is fed back to the device management client and the operation is terminated.
After the business data has been successfully decrypted with the second key, the decrypted business data may be saved and subsequent device management operations performed according to it; the business data is persisted to a database and supplied to subsequent device management services. At this point the business operation flow is complete, and the device management server feeds back to the device management client a prompt or indication that the business operation is complete, informing the user that the operation succeeded.
If there are further business operations, the corresponding service operation request may be sent directly to the device management server through the wireless communication unit 110; the service operation request is encrypted with the first key and decrypted at the device management server with the second key, after which the server parses the service operation request.
In addition, in this embodiment the format of the data exchanged between the device management client and the device management server may be JSON, Protobuffer or a similar format, which reduces unnecessary redundant data in each interaction and improves interaction efficiency and the cleanliness of the system.
Fourth embodiment
Referring to Fig. 6, Fig. 6 is a flow chart of a device management method provided by the fourth embodiment of the invention, including:
S601, to device management server initiate service operations request, service operations request in carried terminal account letter Breath;
S602, receiving device management server ask access credentials and the first key obtaining according to service operations;
S603, the business datum by access credentials and after first key encryption are sent to device management server.
Facility management client is generally positioned in terminal, and as the gateway of terminal management, terminal passes through equipment control Client is interacted with device management server, realizes the equipment Management Function of terminal;Wherein, the equipment control of terminal is permissible Including:Firmware upgrade, software management, diagnosis and monitoring, connectedness, capacity of equipment, locking and erasing etc. content.
Each above-mentioned equipment Management Function, in the present embodiment all can be used as the part in service operations request;Its In, these equipment Management Functions belong to service and enable strategy, corresponding thereto, also service shutdown strategy, wherein as clothes The service of business device operation requests enables that strategy request at least includes COS and service enables opportunity, COS and above-mentioned Each equipment Management Function, and service enables opportunity and then refers to each above-mentioned equipment Management Function and when enabling or closing, bag Include:Enable under WIFI, that is, terminal enables when accessing wireless network;Night enables, can arrange the initial time enabling and at the end of Between;Enable when idle, that is, terminal is not user-operably, situations such as do not have the application that non-default is run to be in operation etc. in terminal; Automatically execute, confirm without user, just directly executed by rear in service operations request;User executes after confirming, in service behaviour After passing through as request, execute again after user confirms.
In S601, initiate service operations request to device management server, the account of carried terminal in service operations request Information.Wherein, account information at least can include account and password, or, account, password and equipment can be included and uniquely mark Know.Wherein, when account is that terminal carries out equipment control by device management server, required voucher, is that user is registered in advance And obtain, password is then corresponding with account, and wherein, password can be after clear-text passwords carries out md5 encryption together with other specification Value.Equipment unique mark, then can be equipment I MEI (International Mobile Equipment Identity, state Border mobile device mark), each terminal corresponds to a mark, is not in the situation of repetition that is to say, that can pass through IMEI value uniquely determines a corresponding terminal.When initiating service operations request, service operations request carries account letter Breath, to ensure that device management server can uniquely determine the corresponding terminal of this service operations request, to carry out follow-up Process.
In S602, receiving device management server asks access credentials and the first key obtaining according to service operations. , after receiving the service operations request that terminal is sent, first, device management server can be to service for device management server Account information in operation requests carries out authentication operations, judges whether this account information has permission and carries out this service operations request Relative set.Wherein, authority here can include:The account information of terminal to report is legal, and, terminal is asked Service is allowed.When account information includes the IMEI value of terminal, also include:Judge that account, password and this IMEI value are No coupling, that is, whether this account and password are corresponding with IMEI value.
If authentication is not passed through it is clear that device management server will terminate the service operations request of this terminal;And such as Fruit authentication is passed through, and represents that the account information that terminal provides meets corresponding condition, then, device management server is just according to end Hold initiated service operations request, generate and ask corresponding access credentials, first key and the second key with this service operations, Wherein, access credentials, first key, between the second key in correspondence with each other.Access credentials are that subsequent terminal will be taken with equipment control The business voucher that interacts of device, can be according to server address, user profile, client ip ground it is also possible to referred to as TokenID Location, timestamp etc. form;Wherein, the device management server that server address just refers to address in a network, user profile It is then the account information that terminal is provided, including account, password, or IMEI can also be included, client ip address then refers to It is facility management client address in a network, timestamp refers to time mark, can be that reporting of user service operations please The timestamp that the timestamp asked or device management server are authenticated.For device management server, above-mentioned Each information can select any number of part as TokenID.
First key and the second key are all the keys for data is carried out with encryption and decryption, and wherein, first key is equipment Management client carries out the key of encryption and decryption it is also possible to be message private key to data, and the second key is device management server pair Data carries out the key of encryption and decryption it is also possible to be message public key.That is, when data from device management server sends to setting During standby management client, the second key can be passed through, that is, message public key is encrypted, in facility management client then with first close Key, that is, message private key be decrypted;When data from device management client sends to device management server, can be by the One key, that is, message private key be encrypted, then use the second key in device management server, that is, message public key is decrypted.The One key and the second key are paired appearance, and corresponding with access credentials TokenID, can uniquely be determined according to TokenID Corresponding first key and the second key.In other words, each user and corresponding terminal, correspond to a TokenID with And first key, the second key.
In S603, the business datum by access credentials and after first key encryption is sent to device management server. After have passed through the authentication of device management server, facility management client have received the visit that device management server is fed back Ask voucher and first key, wherein, access credentials can pass through the second key encryption at device management server end, Can not encrypt.Due to after having initiated service operations request in terminal it is still desirable to equipment control in follow-up operation Server sends necessary business datum, or terminal also has other service operations requests etc., wherein business after this Data can include terminal parameter, user configuration information etc.;When terminal needs again to device management server transmission data, Now, first have to sent data, business datum can be included, be encrypted, device management server fed back One key is carried out, and then, after the completion of encryption, the business datum after access credentials and encryption is sent to equipment control service Device.Access credentials herein are not usually encrypted, because device management server needs the visit being sent by terminal Ask voucher to determine corresponding second key, then by the second key, the business datum after this encryption is decrypted.By Correspond to a first key and the second key in access credentials, then the access credentials being sent by terminal are just permissible Uniquely determine corresponding second key, business datum is encrypted according to first key again, is determining according to access credentials Just can smoothly this business datum be decrypted after second key.It is of course also possible to it is illegal to there are access credentials Situation, that is, access credentials in device management server end authentication failed, illustrate that access credentials are not that device management server is given birth 
to The access credentials becoming, this access credentials and expired or inefficacy in other words.In access credentials authentication failed, to equipment control visitor The feedback operation failure of family end, terminates this operation.
After second key is to the successful decryption of this business datum, the business datum after deciphering can be preserved, and Follow-up device management operations are carried out according to this business datum, by business datum persistence to database, is supplied to follow-up equipment Management service uses.So far, this business operation flow process completes, and device management server feeds back industry to facility management client Prompting or instruction that business operation completes, point out user operation success.
If follow-up also have other business operations, directly corresponding service operations request can be sent to equipment control clothes Business device, and service operations request is encrypted by first key, pass through the second secret key decryption in device management server, thus Parse service operations request.
Additionally, in the present embodiment, the form of the data interacting between facility management client and device management server, Can be Json, Protobuffer etc. form, it is possible to reduce non-essential redundant data in interaction every time, improve and hand over Mutual efficiency and the cleannes of system.
Present embodiments provide a kind of device management method, initiate service operations request including to device management server, The account information of carried terminal in service operations request, the access that receiving device management server obtains according to service operations request Voucher and first key, the business datum by access credentials and after the first sweet spring hall encryption is sent to equipment control service Device is it is achieved that to the encryption in device management process, and is encrypted in groups by first key and the second key, is obviously improved Security.
5th embodiment
Refer to Fig. 7, which is a flow chart of a device management method provided by the fifth embodiment of the invention, including:
S701: receiving the service operation request sent by the device management client, the service operation request carrying the account information of the terminal;
S702: after the account information passes authentication, generating the access credentials, the first key and the second key according to the service operation request, where the access credentials, the first key and the second key correspond to one another;
S703: sending the access credentials and the first key to the device management client;
S704: receiving the access credentials and the encrypted business data sent by the device management client, and performing service operation processing.
The service operation request may include a service enable policy request and a service disable policy request, where the service enable policy request includes at least the service type and the service enable timing. The service type refers to the individual device management functions, which may include firmware upgrade, software management, diagnostics and monitoring, connectivity, device capabilities, locking and wiping, and so on. The service enable timing refers to when the above device management function is enabled or disabled, including: enable under WIFI, i.e. enabled when the terminal is connected to a wireless network; enable at night, for which a start time and an end time can be set; enable when idle, i.e. when the terminal is not being operated by the user and no non-default application is running on it; execute automatically, i.e. executed directly once the service operation request has passed, without user confirmation; and execute after user confirmation, i.e. executed only after the user confirms once the service operation request has passed.
In S701, the service operation request sent by the device management client is received, carrying the account information of the terminal. The account information may include at least the account and the password, or it may include the account, the password and a device unique identifier. The account is the credential required when the terminal performs device management through the device manager, registered and obtained by the user in advance; the password corresponds to the account and may be the value obtained by MD5-hashing the plaintext password together with other parameters. The device unique identifier may be the IMEI of the device: each terminal corresponds to one IMEI value and no repetition occurs, that is, the IMEI uniquely determines the corresponding terminal. After receiving the service operation request carrying the account information, the terminal that initiated the service operation request can be uniquely determined from this account information for subsequent processing.
In S702, after the account information passes authentication, the access credentials, the first key and the second key are generated according to the service operation request. That is, before the access credentials are generated, the account information of the terminal that sent the received service operation request must be authenticated, judging whether this account information is permitted to carry out the settings of this service operation request. The permission here may include: the account information reported by the terminal is legitimate, and the service requested by the terminal is allowed. When the account information includes the IMEI value of the terminal, it also includes judging whether the account, the password and the IMEI value match, that is, whether the account and password correspond to the IMEI value. If authentication fails, the service operation request is illegitimate and cannot pass, and the device management server may send a rejection message to the device management client that initiated the service operation request; the content of the prompt may be a message such as "account or password error" or "match failed".
If authentication passes, the access credentials, the first key and the second key are generated according to the service operation request, where the access credentials, the first key and the second key correspond to one another. The access credentials are the voucher with which the device management client subsequently interacts with the device management server and may also be called the TokenID; they may be composed from the server address, user information, client IP address, timestamp and so on. The server address is the address of the device management server in the network; the user information is the account information provided by the terminal, including the account and password and optionally the IMEI; the client IP address is the address of the device management client in the network; and the timestamp is a time mark, which may be the timestamp of the user reporting the service operation request or the timestamp at which the device management server performed authentication. Any number of the above items may be selected to form the TokenID.
The first key and the second key are both keys used to encrypt and decrypt data: the first key is the key with which the device management client encrypts and decrypts data, also called the message private key, and the second key is the key with which the device management server encrypts and decrypts data, also called the message public key. When data is sent from the device management server to the device management client, it may be encrypted with the second key, i.e. the message public key, and decrypted at the device management client with the first key, i.e. the message private key; when data is sent from the device management client to the device management server, it may be encrypted with the first key, i.e. the message private key, and decrypted at the device management server with the second key, i.e. the message public key. The first key and the second key appear as a pair and correspond to the access credentials TokenID, so the corresponding first key and second key can be uniquely determined from the TokenID. In other words, each user and corresponding terminal corresponds to one TokenID together with one first key and one second key.
In S703, the access credentials and the first key are sent to the device management client. The access credentials may be encrypted with the second key or left unencrypted. The access credentials serve as the voucher when the device management client next sends business data to the device management server: from the access credentials, the device management server can determine whether the business data is legitimate, and select the second key corresponding to these access credentials to decrypt the business data that was encrypted with the first key.
In S704, the access credentials and the encrypted business data sent by the device management client are received, and service operation processing is performed. After the terminal has initiated the service operation request, it still needs to send the necessary business data to the device management server in subsequent operations, or the terminal may have further service operation requests afterwards; the business data may include terminal parameters, user configuration information and so on. When the terminal needs to send data to the device management server again, the data to be sent, which may include business data, is first encrypted with the first key fed back by the device management server; once encryption is complete, the access credentials and the encrypted business data are sent to the device management server. The access credentials are usually not encrypted here, because the device management server needs the access credentials sent by the terminal to determine the corresponding second key, and then decrypts the encrypted business data with that second key. Since one set of access credentials corresponds to one first key and one second key, the access credentials sent by the terminal uniquely determine the corresponding second key; the business data was encrypted with the first key, so once the second key has been determined from the access credentials the business data can be decrypted. Of course, the access credentials may also be invalid, that is, fail verification at the device management server, which indicates that the access credentials were not generated by the device management server, or that they have expired or become invalid. When verification of the access credentials fails, an operation failure is fed back to the device management client and the operation is terminated.
After the second key has successfully decrypted the business data, the decrypted business data may be saved and subsequent device management operations carried out according to it; the business data is persisted to a database for use by subsequent device management services. At this point the business operation flow is complete, and the device management server feeds back to the device management client a prompt or indication that the business operation has completed, informing the user that the operation succeeded.
In addition, in this embodiment the data exchanged between the device management client and the device management server may be in a format such as JSON or Protocol Buffers, which reduces unnecessary redundant data in each interaction and improves the efficiency of the interaction and the cleanliness of the system.
This embodiment provides a device management method, including: receiving the service operation request sent by the device management client, the service operation request carrying the account information of the terminal; after the account information passes authentication, generating the access credentials, the first key and the second key according to the service operation request, where the access credentials, the first key and the second key correspond to one another; sending the access credentials and the first key to the device management client; and receiving the access credentials and the encrypted business data sent by the device management client and performing service operation processing. Encryption in the device management process is thereby realized, and since the encryption uses the first key and the second key as a pair, security is significantly improved.
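The exchange described in the fourth and fifth embodiments (S601 to S603 on the client side, S701 to S704 on the server side), written out as an added example in Go; it is not code from the patent or its applicant. It assumes the standard library only, with RSA-OAEP standing in for the unspecified key pair: the first key handed to the client is the public (encryption) half and the second key kept by the server is the private (decryption) half, because standard public-key encryption only decrypts with the private half, whereas the text names them the other way round (message private key at the client, message public key at the server). The TokenID is derived, as the text describes, from the server address, account, client IP address and a timestamp; the sample account "alice", its password, the IMEI, the addresses and the ten-minute credential lifetime are constructed for the example and are not from the page. The server refuses business data whose TokenID it did not issue or which has expired, and authentication fails on a wrong password, an account/IMEI mismatch, or a service the account is not allowed to request.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// TokenTTL is an assumed TokenID lifetime; the page only says credentials may expire.
const TokenTTL = 10 * time.Minute

// ServiceRequest is the client's service operation request (S601 / S701), carried as JSON.
type ServiceRequest struct {
	Account     string `json:"account"`
	PasswordMD5 string `json:"password"` // page: MD5 of the password together with other parameters
	IMEI        string `json:"imei"`     // device unique identifier, optional
	ServiceType string `json:"service_type"`
}

// HashPassword follows the page: MD5 over the password plus another parameter (here the IMEI).
func HashPassword(password, imei string) string {
	return fmt.Sprintf("%x", md5.Sum([]byte(password+":"+imei)))
}

type account struct {
	passwordMD5, imei string
	allowed           map[string]bool // services this account may request
}

type session struct { // server-side state per TokenID
	second  *rsa.PrivateKey
	expires time.Time
}

type Server struct {
	addr     string
	accounts map[string]account
	sessions map[string]*session // TokenID -> second key
	Store    [][]byte            // decrypted business data; stands in for the database
	Now      func() time.Time    // injectable clock so expiry can be exercised
}

// NewServer builds a server holding one constructed sample account.
func NewServer(addr string) *Server {
	alice := account{passwordMD5: HashPassword("correct horse", "490154203237518"),
		imei: "490154203237518", allowed: map[string]bool{"firmware_upgrade": true}}
	return &Server{addr: addr, accounts: map[string]account{"alice": alice}, sessions: map[string]*session{}, Now: time.Now}
}

// Authenticate is S702/S703: check the account information, then issue a TokenID and a key pair.
func (s *Server) Authenticate(req ServiceRequest, clientIP string) (string, *rsa.PublicKey, error) {
	acct, ok := s.accounts[req.Account]
	if !ok || subtle.ConstantTimeCompare([]byte(acct.passwordMD5), []byte(req.PasswordMD5)) != 1 {
		return "", nil, fmt.Errorf("account or password error")
	}
	if req.IMEI != "" && req.IMEI != acct.imei {
		return "", nil, fmt.Errorf("match failed") // account and password do not belong to this IMEI
	}
	if !acct.allowed[req.ServiceType] {
		return "", nil, fmt.Errorf("requested service not allowed")
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	// TokenID from the ingredients the page lists: server address, user info, client IP, timestamp.
	now := s.Now()
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%d", s.addr, req.Account, clientIP, now.UnixNano())))
	tokenID := fmt.Sprintf("%x", h[:16])
	s.sessions[tokenID] = &session{second: priv, expires: now.Add(TokenTTL)}
	return tokenID, &priv.PublicKey, nil // the first key goes to the client; the second key stays here
}

// EncryptBusinessData is the client side of S603: JSON business data encrypted with the first key.
// RSA-OAEP/SHA-256 under a 2048-bit key accepts at most 190 bytes of plaintext.
func EncryptBusinessData(first *rsa.PublicKey, plain []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, first, plain, nil)
}

// HandleBusinessData is S704: validate the TokenID, decrypt with its second key, persist.
func (s *Server) HandleBusinessData(tokenID string, ciphertext []byte) ([]byte, error) {
	sess, ok := s.sessions[tokenID]
	if !ok {
		return nil, fmt.Errorf("access credentials invalid: not issued by this server")
	}
	if !s.Now().Before(sess.expires) {
		return nil, fmt.Errorf("access credentials expired")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, sess.second, ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed")
	}
	s.Store = append(s.Store, plain) // persisted for later device-management operations
	return plain, nil
}
```

The password check compares the MD5 value the text describes in constant time, and the business data is kept to a small JSON object because RSA-OAEP bounds the plaintext length. Since the first key is itself delivered by the server in S703, a deployment would carry these messages over a channel that is already authenticated; the example shows only the token and key bookkeeping the text describes.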
It should be noted that, herein, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The serial numbers of the embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.
Through the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be realized by software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc) and including instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner, network device or the like) to execute the methods described in the embodiments of the present invention.
The embodiments of the present invention have been described above with reference to the accompanying drawings, but the invention is not limited to the specific embodiments above, which are illustrative rather than restrictive; under the inspiration of the present invention, those of ordinary skill in the art can also produce many forms without departing from the concept of the invention and the scope of protection of the claims, all of which fall within the protection of the present invention.

Claims (10)

1. A device management client, characterized in that it comprises:
a first sending module, configured to initiate a service operation request to a device management server, the service operation request carrying the account information of a terminal;
a first receiving module, configured to receive the access credentials and the first key that the device management server obtains according to the service operation request; and
a second sending module, configured to send the access credentials and the business data encrypted with the first key to the device management server.
2. The device management client according to claim 1, characterized in that the service operation request comprises a service enable policy request or a service disable policy request; the service enable policy request comprises at least a service type and a service enable timing.
3. The device management client according to claim 1, characterized in that the account information comprises at least an account and a password; or the account information comprises an account, a password and a device unique identifier.
4. A device management server, characterized in that it comprises:
a second receiving module, configured to receive a service operation request sent by a device management client, the service operation request carrying the account information of a terminal;
a generation module, configured to generate, after the account information passes authentication, access credentials, a first key and a second key according to the service operation request, wherein the access credentials, the first key and the second key correspond to one another;
a third sending module, configured to send the access credentials and the first key to the device management client; and
a third receiving module, configured to receive the access credentials and encrypted business data sent by the device management client and to perform service operation processing.
5. The device management server according to claim 4, characterized in that the third receiving module is configured to: receive the access credentials and encrypted parameter information sent by the device management server; judge whether the access credentials are legitimate; and, after judging that the access credentials are legitimate, look up the second key corresponding to the access credentials and decrypt the encrypted business data with it.
6. A device management method, comprising:
initiating a service operation request to a device management server, the service operation request carrying the account information of a terminal;
receiving the access credentials and the first key that the device management server obtains according to the service operation request; and
sending the access credentials and the business data encrypted with the first key to the device management server.
7. The device management method according to claim 6, characterized in that the service operation request comprises a service enable policy request or a service disable policy request; the service enable policy request comprises at least a service type and a service enable timing.
8. The device management method according to claim 6, characterized in that the account information comprises at least an account and a password; or the account information comprises an account, a password and a device unique identifier.
9. A device management method, comprising:
receiving a service operation request sent by a device management client, the service operation request carrying the account information of a terminal;
after the account information passes authentication, generating access credentials, a first key and a second key according to the service operation request, wherein the access credentials, the first key and the second key correspond to one another;
sending the access credentials and the first key to the device management client; and
receiving the access credentials and encrypted business data sent by the device management client, and performing service operation processing.
10. The device management method according to claim 9, characterized in that receiving the access credentials and encrypted business data sent by the device management client and performing service operation processing comprises: receiving the access credentials and encrypted parameter information sent by the device management server; judging whether the access credentials are legitimate; and, after judging that the access credentials are legitimate, looking up the second key corresponding to the access credentials and decrypting the encrypted business data with it.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610825976.1A CN106411580A (en) 2016-09-14 2016-09-14 Device management client and server, and device management methods (Pending)

Publications (1)

Publication Number Publication Date
CN106411580A true CN106411580A (en) 2017-02-15

Family

ID=57998010

Country Status (1)

Country Link
CN (1) CN106411580A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8613070B1 (en) * 2012-10-12 2013-12-17 Citrix Systems, Inc. Single sign-on access in an orchestration framework for connected devices
CN104283680A (en) * 2013-07-05 2015-01-14 腾讯科技(深圳)有限公司 Data transmission method, client side, server and system
CN104811484A (en) * 2015-04-09 2015-07-29 努比亚技术有限公司 FOTA (firmware over-the-air) upgrading method and device
CN104838630A (en) * 2012-10-10 2015-08-12 思杰系统有限公司 Policy-based application management
CN105743916A (en) * 2016-04-03 2016-07-06 北京动石科技有限公司 Information processing method, system and device for enhancing access security

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106919828A (en) * 2017-04-20 2017-07-04 Beijing Lanhai Huaye Technology Co., Ltd. IDC machine room intelligent management system
CN107505921A (en) * 2017-08-04 2017-12-22 Shenzhen Shenglu IoT Communication Technology Co., Ltd. Industrial equipment maintenance method and system
CN112291178A (en) * 2019-07-22 2021-01-29 BOE Technology Group Co., Ltd. Service providing method and device, and electronic equipment
CN112291178B (en) * 2019-07-22 2024-03-22 BOE Technology Group Co., Ltd. Service providing method and device, and electronic equipment
CN114465806A (en) * 2022-02-21 2022-05-10 Shenzhen Sekorm Component Network Co., Ltd. Multi-party data access security management method and system

Similar Documents

Publication Publication Date Title
KR102598613B1 (en) System and method for providing vehicle information based on personal certification and vehicle certification
CN111475841B (en) Access control method, related device, equipment, system and storage medium
KR102223609B1 (en) Content sharing method and apparatus
US9325683B2 (en) Mobile application management framework
KR102226411B1 (en) Electronic device and method for managing reenrollment
CN109076067B (en) System and method for authenticating a user for secure data access using a multiparty authentication system
US20100070769A1 (en) Log acquisition system, log collection terminal, log acquisition terminal, and log acquisition method and program using the same system and terminals
CN110300083B (en) Method, terminal and verification server for acquiring identity information
CN104915601A (en) System and method of encrypting folder in device
CN105848134A (en) Virtual SIM (Subscriber Identity Module) card management device, communication terminal, access control method and management method
US20200410795A1 (en) Smart management device, lock, and identification method
CN104765994A (en) User identity recognition method and device
CN104919778A (en) Providing an encrypted account credential from a first device to a second device
CN107145552A (en) Page access method, equipment and computer-readable storage medium
KR20130017507A (en) Mobile terminal and payment method for mobile terminal
CN106411580A (en) Device management client and server, and device management methods
US11943256B2 (en) Link detection method and apparatus, electronic device, and storage medium
CN103914520B (en) Data query method, terminal device and server
US20180035293A1 (en) Authenticating a device utilizing a secure display
CN110795737A (en) Method and terminal equipment for upgrading service application range of electronic identity card
CN106453802A (en) Cipher verification method and device, and terminal
US20160381552A1 (en) Handling risk events for a mobile device
KR102483830B1 (en) Electronic apparatus and operating method thereof
US10896263B2 (en) Method and system for securely controlling access to data
CN105095705B Information processing method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2017-02-15