CN106411580A - Device management client and server, and device management methods - Google Patents
- Publication number: CN106411580A (application CN201610825976.1A)
- Authority: CN (China)
- Prior art keywords: key, device management, access credentials, management server, service operations
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks; H04L41/04—Network management architectures or arrangements
- H04L63/00—Network architectures or network communication protocols for network security; H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks; H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract
The present invention provides a device management client, a device management server, and device management methods. The client initiates a service operation request to the device management server, the request carrying the account information of a terminal; the server authenticates the account information and, once authentication succeeds, generates an access ticket, a first key and a second key that correspond to one another, and sends the access ticket and the first key to the device management client; the client encrypts the service data with the first key and sends the access ticket together with the encrypted service data to the server, which carries out the service operation. In this way the device management process is encrypted, and combining the first key and the second key for encryption greatly improves security.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a device management client, a device management server and device management methods.
Background technology
With the development of Internet of Things technology, smart devices such as smart home appliances, wearable devices and in-vehicle devices are emerging, and making legacy equipment intelligent is the trend. The more intelligent a device is, the more device management it involves, including firmware upgrade, software management, diagnosis and monitoring. Because device management functions are increasingly rich and most of them touch user privacy, the security of the data exchange generally needs to be ensured by encryption. However, in the prior art the process is either not encrypted at all, or everything is encrypted with a single unified key, so security is very low.
Content of the invention
The technical problem to be solved by the present invention is how to avoid the low security that results from using a single encryption key in device management. To solve this problem, a device management client is provided, comprising:
a first sending module, for initiating a service operation request to a device management server, the service operation request carrying the account information of the terminal;
a first receiving module, for receiving the access credentials and the first key that the device management server obtains according to the service operation request;
a second sending module, for sending the access credentials and the service data encrypted with the first key to the device management server.
Optionally, the service operation request comprises a service-enable strategy request or a service-shutdown strategy request; the service-enable strategy request at least comprises a service type and a service-enable timing.
Optionally, the account information at least comprises an account and a password; or the account information comprises an account, a password and a unique device identifier.
In addition, a device management server is provided, comprising:
a second receiving module, for receiving the service operation request sent by the device management client, the service operation request carrying the account information of the terminal;
a generation module, for generating, after the account information has passed authentication, access credentials, a first key and a second key according to the service operation request, the access credentials, first key and second key corresponding to one another;
a third sending module, for sending the access credentials and the first key to the device management client;
a third receiving module, for receiving the access credentials and the encrypted service data sent by the device management client and carrying out the service operation.
Optionally, the third receiving module is used to: receive the transmitted access credentials and the encrypted parameter information; determine whether the access credentials are legal; and, after determining that the access credentials are legal, look up the second key corresponding to the access credentials and decrypt the encrypted service data with it.
In addition, a device management method is provided, comprising:
initiating a service operation request to a device management server, the service operation request carrying the account information of the terminal;
receiving the access credentials and the first key that the device management server obtains according to the service operation request;
sending the access credentials and the service data encrypted with the first key to the device management server.
Optionally, the service operation request comprises a service-enable strategy request or a service-shutdown strategy request; the service-enable strategy request at least comprises a service type and a service-enable timing.
Optionally, the account information at least comprises an account and a password; or the account information comprises an account, a password and a unique device identifier.
In addition, a device management method is provided, comprising:
receiving the service operation request sent by the device management client, the service operation request carrying the account information of the terminal;
after the account information has passed authentication, generating access credentials, a first key and a second key according to the service operation request, the access credentials, first key and second key corresponding to one another;
sending the access credentials and the first key to the device management client;
receiving the access credentials and the encrypted service data sent by the device management client, and carrying out the service operation.
Optionally, receiving the access credentials and the encrypted service data sent by the device management client and carrying out the service operation comprises: receiving the transmitted access credentials and the encrypted parameter information; determining whether the access credentials are legal; and, after determining that the access credentials are legal, looking up the second key corresponding to the access credentials and decrypting the encrypted service data with it.
In addition, a mobile terminal is provided, comprising the device management client described above.
In addition, a server is provided, comprising the device management server described above.
Beneficial effect
The present invention provides a device management client, a device management server and device management methods. A service operation request carrying the account information of the terminal is initiated to the device management server; the server authenticates the account information and, after authentication passes, generates mutually corresponding access credentials, a first key and a second key, and sends the access credentials and the first key to the device management client; the client encrypts the service data with the first key and sends the access credentials and the service data to the device management server, which carries out the service operation. The implementation of the present invention thus encrypts the device management process, and encrypting with the first key and the second key as a pair markedly improves security.
Brief description of the drawings
The invention is further described below in conjunction with the drawings and embodiments, in which:
Fig. 1 is a hardware architecture diagram of an optional mobile terminal implementing each embodiment of the present invention;
Fig. 2 is a hardware architecture diagram of an optional server implementing each embodiment of the present invention;
Fig. 3 is a schematic diagram of the composition of the device management client provided by the first embodiment of the present invention;
Fig. 4 is a schematic diagram of the composition of the device management server provided by the second embodiment of the present invention;
Fig. 5 is a schematic diagram of the composition of the device management system provided by the third embodiment of the present invention;
Fig. 6 is a flow chart of the device management method provided by the fourth embodiment of the present invention;
Fig. 7 is a flow chart of the device management method provided by the fifth embodiment of the present invention.
Specific embodiments
It should be understood that the specific embodiments described herein are only intended to explain the present invention and not to limit it.
A mobile terminal implementing each embodiment of the present invention is now described with reference to the drawings. In the following description, the suffix "unit" used to denote an element is only intended to facilitate the explanation of the present invention and has no specific meaning of its own.
Mobile terminals may be implemented in various forms. For example, the terminal described in the present invention may include mobile terminals such as mobile phones, smartphones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable media players) and navigation devices, as well as fixed terminals such as digital TVs and desktop computers. In the following it is assumed that the terminal is a mobile terminal; however, those skilled in the art will understand that, apart from elements used specifically for mobile purposes, the construction according to the embodiments of the present invention can also be applied to fixed-type terminals. The mobile terminal in this embodiment can implement the device management client of the various embodiments of the present invention.
Fig. 1 is a hardware architecture diagram of an optional mobile terminal implementing each embodiment of the present invention.
The mobile terminal 100 may include a wireless communication unit 110, an A/V (audio/video) input unit 120, a user input unit 130, a sensing unit 140, an output unit 150, a memory 160, an interface unit 170, a controller 180, a power supply unit 190, and so on. Fig. 1 shows a mobile terminal with various components, but it should be understood that not all of the illustrated components are required; more or fewer components may alternatively be implemented. The elements of the mobile terminal are discussed in more detail below.
The wireless communication unit 110 generally includes one or more components that allow radio communication between the mobile terminal 100 and a wireless communication system or network. For example, the wireless communication unit may include at least one of a mobile communication unit 112, a wireless Internet unit 113, a short-range communication unit 114 and a location information unit 115.
The mobile communication unit 112 sends radio signals to and/or receives radio signals from at least one of a base station (for example, an access point), an external terminal and a server. Such radio signals may include voice call signals, video call signals, or various types of data sent and/or received according to text and/or multimedia messages.
The wireless Internet unit 113 supports wireless Internet access for the mobile terminal. This unit may be internally or externally coupled to the terminal. The wireless Internet access technologies involved in this unit may include WLAN (wireless local area network, Wi-Fi), Wibro (wireless broadband), Wimax (worldwide interoperability for microwave access), HSDPA (high-speed downlink packet access), and so on.
The short-range communication unit 114 is a unit for supporting short-range communication. Some examples of short-range communication technology include Bluetooth™, radio frequency identification (RFID), Infrared Data Association (IrDA), ultra-wideband (UWB), ZigBee™, and so on.
The location information unit 115 is a unit for checking or obtaining location information of the mobile terminal. A typical example of a location information unit is GPS (global positioning system). According to current technology, the GPS unit 115 calculates distance information and accurate time information from three or more satellites and applies triangulation to the calculated information, thereby accurately calculating three-dimensional current location information according to longitude, latitude and altitude. Currently, the method for calculating location and time information uses three satellites and corrects the error of the calculated location and time information by using another satellite. In addition, the GPS unit 115 can calculate speed information by continuously calculating current location information in real time.
The A/V input unit 120 is used to receive audio or video signals. The A/V input unit 120 may include a camera 121 and a microphone 122. The camera 121 processes image data of still pictures or video obtained by an image capture device in a video capture mode or an image capture mode. The processed image frames may be displayed on the display unit 151. The image frames processed by the camera 121 may be stored in the memory 160 (or another storage medium) or sent via the wireless communication unit 110; two or more cameras 121 may be provided according to the construction of the mobile terminal. The microphone 122 can receive sound (audio data) via a microphone in operating modes such as a telephone call mode, recording mode and voice recognition mode, and can process such sound into audio data. In the telephone call mode, the processed audio (voice) data can be converted into a format that can be sent to a mobile communication base station via the mobile communication unit 112 and output. The microphone 122 can implement various types of noise elimination (or suppression) algorithms to eliminate (or suppress) noise or interference produced while receiving and sending audio signals.
The user input unit 130 can generate key input data according to commands input by the user to control various operations of the mobile terminal. The user input unit 130 allows the user to input various types of information and may include a keyboard, a metal dome, a touch pad (for example, a touch-sensitive component that detects changes in resistance, pressure, capacitance and so on caused by being touched), a scroll wheel, a rocker, and so on. In particular, when the touch pad is superimposed on the display unit 151 as a layer, a touch screen can be formed.
The sensing unit 140 detects the current state of the mobile terminal 100 (for example, the open or closed state of the mobile terminal 100), the position of the mobile terminal 100, the presence or absence of user contact with the mobile terminal 100 (that is, touch input), the orientation of the mobile terminal 100, the acceleration or deceleration movement and direction of the mobile terminal 100, and so on, and generates commands or signals for controlling the operation of the mobile terminal 100. For example, when the mobile terminal 100 is implemented as a sliding-type mobile phone, the sensing unit 140 can sense whether the sliding phone is open or closed. In addition, the sensing unit 140 can detect whether the power supply unit 190 supplies power or whether the interface unit 170 is coupled with an external device. The sensing unit 140 may include a light sensor 141.
The interface unit 170 serves as an interface through which at least one external device can be connected to the mobile terminal 100. For example, the external device may include a wired or wireless headset port, an external power supply (or battery charger) port, a wired or wireless data port, a memory card port, a port for connecting a device having an identification unit, an audio input/output (I/O) port, a video I/O port, an earphone port, and so on. The identification unit may store various information for verifying the user's use of the mobile terminal 100 and may include a user identity module (UIM), a subscriber identity module (SIM), a universal subscriber identity module (USIM), and so on. In addition, the device having the identification unit (hereinafter referred to as the "identification device") may take the form of a smart card, so the identification device can be connected to the mobile terminal 100 via a port or other connecting means. The interface unit 170 can be used to receive input (for example, data information, power, etc.) from an external device and transfer the received input to one or more elements in the mobile terminal 100, or can be used to transfer data between the mobile terminal and the external device.
In addition, when the mobile terminal 100 is connected to an external cradle, the interface unit 170 can serve as a path through which power is supplied from the cradle to the mobile terminal 100, or as a path through which various command signals input from the cradle are transferred to the mobile terminal. The various command signals or power input from the cradle may serve as signals for identifying whether the mobile terminal is correctly mounted in the cradle. The output unit 150 is configured to provide output signals (for example, audio signals, video signals, alarm signals, vibration signals, etc.) in a visual, audible and/or tactile manner.
The output unit 150 may include a display unit 151, an audio output unit 152, and so on.
The display unit 151 may display information processed in the mobile terminal 100. For example, when the mobile terminal 100 is in a telephone call mode, the display unit 151 can display a user interface (UI) or graphical user interface (GUI) related to the call or other communication (for example, text messaging, multimedia file download, etc.). When the mobile terminal 100 is in a video call mode or image capture mode, the display unit 151 can display captured and/or received images, a UI or GUI showing video or images and related functions, and so on.
Meanwhile, when the display unit 151 and the touch pad are superimposed on one another as a layer to form a touch screen, the display unit 151 can serve as both an input device and an output device. The display unit 151 may include at least one of a liquid crystal display (LCD), a thin film transistor LCD (TFT-LCD), an organic light-emitting diode (OLED) display, a flexible display, a three-dimensional (3D) display, and so on. Some of these displays may be constructed to be transparent so as to allow viewing from the outside; this may be termed a transparent display, and a typical transparent display may be, for example, a TOLED (transparent organic light-emitting diode) display. According to the particular intended embodiment, the mobile terminal 100 may include two or more display units (or other display devices); for example, the mobile terminal may include an external display unit (not shown) and an internal display unit (not shown). The touch screen can be used to detect touch input pressure as well as touch input position and touch input area.
The audio output unit 152 can, when the mobile terminal is in a mode such as call signal reception mode, call mode, recording mode, voice recognition mode or broadcast reception mode, convert audio data received by the wireless communication unit 110 or stored in the memory 160 into an audio signal and output it as sound. Moreover, the audio output unit 152 can provide audio output related to a specific function performed by the mobile terminal 100 (for example, a call signal reception sound, a message reception sound, etc.). The audio output unit 152 may include a loudspeaker, a buzzer, and so on.
The memory 160 can store software programs for the processing and control operations executed by the controller 180, or can temporarily store data that has been or will be output (for example, a phone book, messages, still images, video, etc.). Moreover, the memory 160 can store data concerning the various patterns of vibration and audio signals output when a touch is applied to the touch screen.
The memory 160 may include at least one type of storage medium, including flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disk, and so on. Moreover, the mobile terminal 100 can cooperate with a network storage device that performs the storage function of the memory 160 over a network connection.
The controller 180 generally controls the overall operation of the mobile terminal. For example, the controller 180 performs the control and processing related to voice calls, data communication, video calls and so on. In addition, the controller 180 may include a multimedia unit 181 for reproducing (or playing back) multimedia data; the multimedia unit 181 may be constructed within the controller 180 or may be constructed separately from the controller 180. The controller 180 can perform pattern recognition processing to recognise handwriting input or drawing input performed on the touch screen as characters or images.
The power supply unit 190 receives external power or internal power under the control of the controller 180 and supplies the appropriate power required to operate each element and component.
The various embodiments described herein may be implemented in a computer-readable medium using, for example, computer software, hardware, or any combination thereof. For a hardware implementation, the embodiments described herein may be implemented using at least one of application-specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, and electronic units designed to perform the functions described herein; in some cases, such embodiments may be implemented in the controller 180. For a software implementation, embodiments such as procedures or functions may be implemented with separate software units that allow at least one function or operation to be performed. The software code may be implemented by a software application (or program) written in any suitable programming language, and the software code may be stored in the memory 160 and executed by the controller 180.
So far, the mobile terminal has been described according to its functions. Below, for the sake of brevity, a slide-type mobile terminal among the various types of mobile terminals such as folder-type, bar-type, swing-type and slide-type is described as an example. The present invention can therefore be applied to any type of mobile terminal and is not limited to slide-type mobile terminals.
The mobile terminal 100 as shown in Fig. 1 may be constructed to operate with communication systems that transmit data via frames or packets, such as wired and wireless communication systems and satellite-based communication systems.
Fig. 2 is a schematic structural diagram of an optional server implementing each embodiment of the present invention. This server at least includes an input/output (IO) bus 21, a processor 22, a memory 23, an internal memory 24 and a communication device 25. The input/output (IO) bus 21 is connected to the other parts of the server to which it belongs (the processor 22, the memory 23, the internal memory 24 and the communication device 25) and provides a transmission line for them.
The processor 22 generally controls the overall operation of the server to which it belongs. For example, the processor 22 performs operations such as computation and confirmation. The processor 22 may be a central processing unit (CPU).
The memory 23 stores processor-readable, processor-executable software code containing the instructions for controlling the processor 22 to perform the functions described herein (that is, the functions are performed by software).
In the device management server provided by the present invention, the software code implementing the functions of the second receiving module, the generation module, the third sending module and the third receiving module may be stored in the memory 23 and, after being executed or compiled, executed by the processor 22.
The internal memory 24 generally uses semiconductor memory cells and includes random access memory (RAM), read-only memory (ROM) and cache (CACHE), of which RAM is the most important. The internal memory 24 is one of the important components of a computer: it is the bridge for communicating with the CPU 22, all programs in the computer run in the internal memory, and its role is to temporarily hold the operational data of the CPU 22 and the data exchanged with external storage such as a hard disk. As long as the computer is running, the CPU 22 transfers the data to be computed into the internal memory for computation and, after the computation is completed, the CPU 22 sends the result out; the operation of the internal memory thus also determines the stable operation of the computer.
The communication device 25 generally includes one or more components that allow radio communication between the server to which it belongs and a wireless communication system or network.
A detailed description is given below by way of specific embodiments.
First embodiment
Reference is made to Fig. 3, which is a schematic diagram of the modules of the device management client provided by the first embodiment of the present invention.
The device management client in this embodiment includes:
a first sending module 301, for initiating a service operation request to a device management server, the service operation request carrying the account information of the terminal;
a first receiving module 302, for receiving the access credentials and the first key that the device management server obtains according to the service operation request;
a second sending module 303, for sending the access credentials and the service data encrypted with the first key to the device management server.
The device management client is generally located in the terminal and acts as the gateway for terminal management: the terminal interacts with the device management server through the device management client to realise the device management functions of the terminal. The device management of the terminal may include firmware upgrade, software management, diagnosis and monitoring, connectivity, device capability, lock and wipe, and so on.
Firmware upgrade mainly updates the application software of the device. It is carried out by the device manufacturer; the hardware of the device generally does not change, and the device software is updated periodically or aperiodically based on the adaptation of new functions, fixing of bugs in old versions, regular maintenance, and so on.
Software management can remotely install, delete, start, shut down and retrieve application software, and mainly concerns the remote software management functions of device management.
Diagnosis and monitoring monitors the state of the terminal, including management and monitoring of RF (radio frequency) settings, battery status, memory usage, process list, and so on; from this information it can be determined whether the terminal is running normally, whether it needs to be adjusted, and whether it can bear more application processes.
Connectivity refers to the parameter settings for the network connections of the terminal, managing cellular network and baseband parameters, APN, CDMA, LTE, and so on.
Device capability allows the management organisation to remotely activate the terminal or the peripheral components of the terminal, such as encryption settings, camera, Bluetooth, GPS, and so on.
Lock and wipe generally applies when the terminal is stolen or sold, or when its data is corrupted: the device is remotely locked or wiped, where wiping (also called formatting) either closes the access rights of the terminal, or removes all data in the terminal, or both.
Each of the device management functions above can, in this embodiment, form part of a service operation request. These functions belong to the service enable strategy, and correspondingly there is also a service shutdown strategy. A service enable strategy request, as a service operation request, includes at least a service type and a service enable timing. The service type is one of the device management functions above; the service enable timing says when that function is enabled or closed, and includes: enable under WiFi, that is, enable when the terminal is connected to a wireless network; enable at night, for which a start time and an end time of enabling can be configured; enable when idle, that is, when the terminal is not being operated by the user and no non-default application is running on it; automatic execution, that is, execution directly after the service operation request passes, without user confirmation; and execution after user confirmation, that is, execution only after the user confirms, once the service operation request has passed.
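The service enable timing conditions listed above, evaluated on the client side, as an added Go example that is not code from the patent or any product: a request's conditions are checked conjunctively against the terminal's observed state, the night window may cross midnight, and user confirmation gates execution. The hour-of-day representation of the night window, the terminal state fields and the service type strings are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// ServiceType is the "service type" field of a service enable strategy request.
type ServiceType string

// knownServices lists the device management functions the text names as service types.
var knownServices = map[ServiceType]bool{
	"firmware_upgrade": true, "software_management": true, "diagnosis_and_monitoring": true,
	"connectivity": true, "device_capability": true, "lock_and_wipe": true,
}

// EnableTiming is one condition of the "service enable timing" field.
type EnableTiming int

const (
	OnWiFi           EnableTiming = iota // enable only while the terminal is on a wireless network
	AtNight                              // enable only inside the configured start/end window
	WhenIdle                             // enable only when the user is not operating the terminal
	AutoExecute                          // execute directly once the request has passed
	AfterUserConfirm                     // execute only after the user confirms a passed request
)

// EnableStrategyRequest carries a service type plus timing conditions. NightStart and
// NightEnd are hours of the day (assumed representation); the window may cross midnight.
type EnableStrategyRequest struct {
	Type                 ServiceType
	Timing               []EnableTiming
	NightStart, NightEnd int
}

// TerminalState is what the device management client can observe locally (assumed fields).
type TerminalState struct {
	OnWiFi         bool
	Now            time.Time
	UserActive     bool     // the user is currently operating the terminal
	ForegroundApps []string // non-default applications currently running
	UserConfirmed  bool     // the user has confirmed this operation
}

// Decision is the outcome for a request that has already passed the server's checks.
type Decision int

const (
	Deny        Decision = iota // a timing condition is not met right now
	WaitForUser                 // allowed, but blocked until the user confirms
	Run                         // execute the function now
)

// inNightWindow handles windows such as 22:00..06:00 that wrap past midnight.
func inNightWindow(hour, start, end int) bool {
	if start <= end {
		return hour >= start && hour < end
	}
	return hour >= start || hour < end
}

// Evaluate applies every timing condition conjunctively: any unmet condition denies the
// operation, and AfterUserConfirm holds execution until the user has confirmed.
func Evaluate(req EnableStrategyRequest, st TerminalState) Decision {
	if !knownServices[req.Type] {
		return Deny // an unknown service type is never enabled
	}
	needConfirm := false
	for _, cond := range req.Timing {
		switch cond {
		case OnWiFi:
			if !st.OnWiFi {
				return Deny
			}
		case AtNight:
			if !inNightWindow(st.Now.Hour(), req.NightStart, req.NightEnd) {
				return Deny
			}
		case WhenIdle:
			if st.UserActive || len(st.ForegroundApps) > 0 {
				return Deny
			}
		case AfterUserConfirm:
			needConfirm = true
		case AutoExecute:
			// nothing to check: execution follows directly once the request passed
		}
	}
	if needConfirm && !st.UserConfirmed {
		return WaitForUser
	}
	return Run
}

func main() {
	req := EnableStrategyRequest{Type: "firmware_upgrade",
		Timing: []EnableTiming{OnWiFi, AtNight, AfterUserConfirm}, NightStart: 22, NightEnd: 6}
	st := TerminalState{OnWiFi: true, Now: time.Date(2016, 9, 14, 23, 30, 0, 0, time.UTC)}
	fmt.Println("before confirmation:", Evaluate(req, st))
	st.UserConfirmed = true
	fmt.Println("after confirmation:", Evaluate(req, st))
}
```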
The first sending module 301 initiates a service operation request to the device management server; the request carries the terminal's account information. The account information includes at least an account and a password, or an account, a password and a device unique identifier. The account is the credential the terminal needs in order to perform device management through the device management server; the user obtains it by registering in advance, and the password corresponds to the account. The password can be the value obtained by MD5-encrypting the clear-text password together with other parameters. The device unique identifier can be the device IMEI (International Mobile Equipment Identity); each terminal corresponds to one IMEI and no two repeat, so a terminal can be uniquely determined from its IMEI value. Carrying the account information in the service operation request ensures that the device management server can uniquely determine the terminal to which the request belongs, so as to perform the subsequent processing.
The first receiving module 302 receives the access credential and first key that the device management server obtains according to the service operation request. After receiving the service operation request sent by the terminal, the device management server first performs an authentication operation on the account information in the request, judging whether this account information has permission to make the settings corresponding to this service operation request. Permission here can include: the account information reported by the terminal is legal, and the service requested by the terminal is allowed. When the account information includes the terminal's IMEI value, it also includes judging whether the account, password and IMEI value match, that is, whether this account and password correspond to the IMEI value.
If authentication fails, the device management server terminates the terminal's service operation request. If authentication passes, the account information provided by the terminal meets the corresponding conditions, and the device management server generates, according to the service operation request initiated by the terminal, the access credential, first key and second key corresponding to this request; the access credential, first key and second key correspond to one another. The access credential, which may also be called the TokenID, is the credential with which the terminal subsequently interacts with the device management server. It can be formed from the server address, user information, client IP address, timestamp and so on, where the server address is the device management server's address in the network, the user information is the account information provided by the terminal (account and password, and possibly the IMEI), the client IP address is the device management client's address in the network, and the timestamp is a time mark, which can be the timestamp of the user's service operation request or the timestamp at which the device management server authenticated it. The device management server can select any number of these pieces of information to form the TokenID.
The first key and the second key are both keys for encrypting and decrypting data. The first key is the key with which the device management client encrypts and decrypts data, and may also be called the message private key; the second key is the key with which the device management server encrypts and decrypts data, and may also be called the message public key. That is, when data is sent from the device management server to the device management client, it can be encrypted with the second key (the message public key) and decrypted at the device management client with the first key (the message private key); when data is sent from the device management client to the device management server, it can be encrypted with the first key (the message private key) and decrypted at the device management server with the second key (the message public key). The first key and second key appear as a pair and correspond to the access credential TokenID, so the corresponding first key and second key can be uniquely determined from the TokenID. In other words, each user and corresponding terminal corresponds to one TokenID, one first key and one second key.
The second sending module 303 sends the access credential, together with the business data encrypted with the first key, to the device management server. Once it has passed the device management server's authentication, the device management client has received the access credential and first key fed back by the device management server; the access credential may have been encrypted with the second key at the device management server end, or left unencrypted. After initiating the service operation request, the terminal still needs, in subsequent operations, to send the necessary business data to the device management server, or it may have further service operation requests; business data can include terminal parameters, user configuration information and so on. When the terminal needs to send data to the device management server again, the data to be sent (which can include the business data) is first encrypted with the first key fed back by the device management server, and then, after encryption completes, the access credential and the encrypted business data are sent to the device management server. The access credential itself is usually not encrypted here, because the device management server needs the access credential sent by the terminal to determine the corresponding second key, with which it then decrypts the encrypted business data. Since one access credential corresponds to one first key and one second key, the access credential sent by the terminal uniquely determines the corresponding second key, and since the business data was encrypted with the first key, it can be decrypted smoothly once the second key has been determined from the access credential. Of course, the access credential may also be illegal, that is, it fails verification at the device management server end, which shows that it is not an access credential generated by the device management server, or in other words that it has expired or become invalid. When the access credential fails verification, an operation failure is fed back to the device management client and the operation is terminated.
After the business data has been successfully decrypted with the second key, the decrypted business data can be preserved and subsequent device management operations carried out according to it; the business data is persisted to a database and supplied to subsequent device management services. At this point the business operation flow is complete, and the device management server feeds back to the device management client a prompt or indication that the business operation has completed, prompting the user that the operation succeeded.
If there are further business operations afterwards, the corresponding service operation request can be sent directly to the device management server through the second sending module 303; the service operation request is encrypted with the first key and decrypted at the device management server with the second key, which then parses the service operation request.
In addition, in this embodiment the format of the data exchanged between the device management client and the device management server can be JSON, Protobuffer or a similar format, which reduces non-essential redundant data in each interaction and improves interaction efficiency and the cleanliness of the system.
This embodiment provides a device management client comprising a first sending module, a first receiving module and a second sending module. The first sending module initiates a service operation request, carrying the terminal's account information, to the device management server; the first receiving module receives the access credential and first key that the device management server obtains according to the service operation request; and the second sending module sends the access credential and the business data encrypted with the first key to the device management server. This achieves encryption in the device management process, and by encrypting with the first key and second key as a pair, security is markedly improved.
Second embodiment
Refer to Fig. 4, a schematic diagram of the composition of a device management server provided by the second embodiment of the invention. The device management server in this embodiment includes:
a second receiving module 401, for receiving the service operation request sent by the device management client, the service operation request carrying the terminal's account information;
a generation module 402, for generating, after the account information passes authentication, an access credential, a first key and a second key according to the service operation request, where the access credential, first key and second key correspond to one another;
a third sending module 403, for sending the access credential and first key to the device management client;
a third receiving module 404, for receiving the access credential and encrypted business data sent by the device management client and performing service operation processing.
The service operation request can include a service enable strategy request and a service shutdown strategy request, where the service enable strategy request includes at least a service type and a service enable timing. The service type refers to a device management function and can include firmware upgrade, software management, diagnosis and monitoring, connectivity, device capability, lock and wipe, and so on. The service enable timing refers to when the device management function is enabled or closed, and includes: enable under WiFi, that is, enable when the terminal is connected to a wireless network; enable at night, for which a start time and an end time can be configured; enable when idle, that is, when the terminal is not being operated by the user and no non-default application is running on it; automatic execution, that is, direct execution after the service operation request passes, without user confirmation; and execution after user confirmation, that is, execution only after the user confirms, once the service operation request has passed.
The second receiving module 401 receives the service operation request sent by the device management client; the request carries the terminal's account information. The account information includes at least an account and a password, or an account, a password and a device unique identifier. The account is the credential the terminal needs in order to perform device management through the device manager; the user obtains it by registering in advance, and the password corresponds to the account. The password can be the value obtained by MD5-encrypting the clear-text password together with other parameters. The device unique identifier can be the device IMEI; each terminal corresponds to one IMEI value and no two repeat, so a terminal can be uniquely determined from its IMEI. After receiving a service operation request carrying account information, the second receiving module 401 can uniquely determine from that account information the terminal that initiated the request, so as to perform the subsequent processing.
The generation module 402 generates, after the account information passes authentication, an access credential, a first key and a second key according to the service operation request. That is, before the access credential is generated, the account information of the terminal whose service operation request was received must be authenticated, judging whether this account information has permission to make the settings corresponding to this service operation request. Permission here can include: the account information reported by the terminal is legal, and the service requested by the terminal is allowed. When the account information includes the terminal's IMEI value, it also includes judging whether the account, password and IMEI value match, that is, whether this account and password correspond to the IMEI value. If authentication fails, the service operation request is illegal and cannot pass, and the device management server can send a rejection message to the device management client that initiated the request; the prompt can be a phrase such as "account or password error" or "match failed".
If authentication passes, the generation module 402 generates the access credential, first key and second key according to the service operation request, where the access credential, first key and second key correspond to one another. The access credential, which may also be called the TokenID, is the credential with which the device management client and the device management server subsequently interact. It can be formed from the server address, user information, client IP address, timestamp and so on: the server address is the device management server's address in the network; the user information is the account information provided by the terminal, including account and password, and possibly the IMEI; the client IP address is the device management client's address in the network; and the timestamp is a time mark, which can be the timestamp of the user's service operation request or the timestamp at which the device management server authenticated it. The generation module 402 can select any number of these pieces of information to form the TokenID.
The first key and the second key are both keys for encrypting and decrypting data. The first key is the key with which the device management client encrypts and decrypts data, that is, the message private key; the second key is the key with which the device management server encrypts and decrypts data, that is, the message public key. When data is sent from the device management server to the device management client, it can be encrypted with the second key (the message public key) and then decrypted at the device management client with the first key (the message private key); when data is sent from the device management client to the device management server, it can be encrypted with the first key (the message private key) and then decrypted at the device management server with the second key (the message public key). The first key and second key appear as a pair and correspond to the access credential TokenID, so the corresponding first key and second key can be uniquely determined from the TokenID. In other words, each user and corresponding terminal corresponds to one TokenID, one first key and one second key.
The third sending module 403 sends the access credential and first key to the device management client. The access credential may be encrypted with the second key or left unencrypted. The access credential serves as the credential when the device management client next sends business data to the device management server: from the access credential, the device management server can determine whether the business data is legal, and select the second key corresponding to this access credential to decrypt the business data that was encrypted with the first key.
The third receiving module 404 receives the access credential and encrypted business data sent by the device management client and performs service operation processing. After initiating the service operation request, the terminal still needs, in subsequent operations, to send the necessary business data to the device management server, or it may have further service operation requests; business data can include terminal parameters, user configuration information and so on. When the terminal needs to send data to the device management server again, the data to be sent (which can include the business data) is first encrypted with the first key fed back by the device management server, and then, after encryption completes, the access credential and the encrypted business data are sent to the device management server. The access credential itself is usually not encrypted here, because the device management server needs the access credential sent by the terminal to determine the corresponding second key, with which it then decrypts the encrypted business data. Since one access credential corresponds to one first key and one second key, the access credential sent by the terminal uniquely determines the corresponding second key, and since the business data was encrypted with the first key, it can be decrypted smoothly once the second key has been determined from the access credential. Of course, the access credential may also be illegal, that is, it fails verification at the device management server end, which shows that it is not an access credential generated by the device management server, or in other words that it has expired or become invalid. When the access credential fails verification, an operation failure is fed back to the device management client and the operation is terminated.
After the business data has been successfully decrypted with the second key, the decrypted business data can be preserved and subsequent device management operations carried out according to it; the business data is persisted to a database and supplied to subsequent device management services. At this point the business operation flow is complete, and the device management server feeds back to the device management client a prompt or indication that the business operation has completed, prompting the user that the operation succeeded.
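The server-side flow described for modules 401 to 404, as an added Go example that is not code from the patent or any product: the server authenticates the account information (account, MD5 password, optional IMEI), forms the TokenID from server address, user information, client IP address and timestamp, generates a key pair as first and second key bound to that TokenID, and fails the operation for an unknown or expired credential before persisting business data. Assumptions: the sample user and one-hour credential lifetime, the use of RSA, and that the client-to-server step the text calls encrypting with the message private key is realised as a PKCS#1 v1.5 signature checked with the message public key (the private-key operation Go's RSA API exposes), while the server-to-client direction uses RSA-OAEP with the second key.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// AccountInfo is carried in a service operation request. Password is the MD5 value the text
// describes (MD5 is not a sound password hash; it is used only because the text specifies it).
type AccountInfo struct{ Account, Password, IMEI string }

// registration is what the server stored when the user registered (constructed sample data).
type registration struct{ passwordMD5, imei string }

// credentialRecord binds one access credential (TokenID) to its message key pair.
type credentialRecord struct {
	first   *rsa.PrivateKey // first key, message private key: handed to the client
	second  *rsa.PublicKey  // second key, message public key: retained by the server
	expires time.Time       // assumed lifetime; the text only says a credential can expire
}

// Server models the device management server: users, issued credentials, persisted data.
type Server struct {
	addr  string
	users map[string]registration
	creds map[string]credentialRecord // TokenID -> key pair
	store map[string][]byte           // business data persisted per TokenID
	ttl   time.Duration
}

var ErrAuth = errors.New("account or password error, or IMEI mismatch")
var ErrCredential = errors.New("access credential not generated by this server, or expired")

func MD5Hex(s string) string { h := md5.Sum([]byte(s)); return hex.EncodeToString(h[:]) }

// NewServer holds one constructed user, "alice", whose clear-text password is "pw-alice".
func NewServer(addr string) *Server {
	return &Server{addr: addr, ttl: time.Hour,
		users: map[string]registration{"alice": {MD5Hex("pw-alice"), "356938035643809"}},
		creds: map[string]credentialRecord{}, store: map[string][]byte{}}
}

// authenticate: the account is legal, the password matches, and a carried IMEI matches.
func (s *Server) authenticate(a AccountInfo) error {
	reg, ok := s.users[a.Account]
	if !ok || reg.passwordMD5 != a.Password || (a.IMEI != "" && reg.imei != a.IMEI) {
		return ErrAuth
	}
	return nil
}

// ServiceOperationRequest issues the TokenID and first key; the second key stays here.
func (s *Server) ServiceOperationRequest(a AccountInfo, clientIP string, now time.Time) (string, *rsa.PrivateKey, error) {
	if err := s.authenticate(a); err != nil {
		return "", nil, err
	}
	// TokenID formed from server address, user information, client IP address and timestamp.
	sum := sha256.Sum256([]byte(s.addr + "|" + a.Account + "|" + a.IMEI + "|" + clientIP + "|" + now.Format(time.RFC3339)))
	tokenID := hex.EncodeToString(sum[:])
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	s.creds[tokenID] = credentialRecord{first: priv, second: &priv.PublicKey, expires: now.Add(s.ttl)}
	return tokenID, priv, nil
}

// ClientProtect applies the first key to the business data on the client. Go exposes the RSA
// private-key operation as signing, so this is a PKCS#1 v1.5 signature over a SHA-256 digest.
func ClientProtect(first *rsa.PrivateKey, business []byte) ([]byte, error) {
	digest := sha256.Sum256(business)
	return rsa.SignPKCS1v15(rand.Reader, first, crypto.SHA256, digest[:])
}

// ReceiveBusinessData looks up the second key by TokenID, rejects an unknown or expired
// credential, checks the protected business data with the second key, then persists it.
func (s *Server) ReceiveBusinessData(tokenID string, business, protected []byte, now time.Time) error {
	rec, ok := s.creds[tokenID]
	if !ok || now.After(rec.expires) {
		return ErrCredential
	}
	digest := sha256.Sum256(business)
	if err := rsa.VerifyPKCS1v15(rec.second, crypto.SHA256, digest[:], protected); err != nil {
		return ErrCredential
	}
	s.store[tokenID] = business
	return nil
}

// Server-to-client direction: encrypt with the second key, decrypt with the first key.
func ServerEncrypt(second *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, second, msg, nil)
}
func ClientDecrypt(first *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, first, ct, nil)
}
```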
In addition, in this embodiment the format of the data exchanged between the device management client and the device management server can be JSON, Protobuffer or a similar format, which reduces non-essential redundant data in each interaction and improves interaction efficiency and the cleanliness of the system.
This embodiment provides a device management server comprising a second receiving module, a generation module, a third sending module and a third receiving module. The second receiving module receives the service operation request sent by the device management client, the request carrying the terminal's account information; after the account information passes authentication, the generation module generates an access credential, a first key and a second key according to the service operation request, where the access credential, first key and second key correspond to one another; the third sending module sends the access credential and first key to the device management client; and the third receiving module receives the access credential and encrypted business data sent by the device management client and performs service operation processing. This achieves encryption in the device management process, and by encrypting with the first key and second key as a pair, security is markedly improved.
Third embodiment
Refer to Fig. 5, a schematic diagram of the composition of a device management system provided by the third embodiment of the invention, including a device management server and a device management client. The device management server includes a communicator 2525, a processor 2222 and a memory 2424; the device management client includes a wireless communication unit 110 and a controller 180. The wireless communication unit 110 in the device management client sends a service operation request, carrying the terminal's account information, to the device management server. The communicator 25 in the device management server receives this service operation request; after the account information in the request passes authentication, an access credential, first key and second key are generated according to the service operation request, where the access credential, first key and second key correspond to one another, and the communicator sends this access credential and first key to the device management client. The wireless communication unit 110 in the device management client receives the access credential and first key sent by the device management server, the business data is then encrypted with the first key, and the wireless communication unit 110 sends the access credential and the encrypted business data to the device management server. The communicator 25 in the device management server receives the access credential and encrypted business data sent by the device management client and performs service operation processing.
The device management client is generally located in the terminal and serves as the gateway for terminal management: the terminal interacts with the device management server through the device management client to realise the terminal's device management functions. The device management of the terminal can include firmware upgrade, software management, diagnosis and monitoring, connectivity, device capability, lock and wipe, and so on.
Each of the device management functions above can, in this embodiment, form part of a service operation request. These functions belong to the service enable strategy, and correspondingly there is also a service shutdown strategy. A service enable strategy request, as a service operation request, includes at least a service type and a service enable timing. The service type is one of the device management functions above; the service enable timing says when that function is enabled or closed, and includes: enable under WiFi, that is, enable when the terminal is connected to a wireless network; enable at night, for which a start time and an end time of enabling can be configured; enable when idle, that is, when the terminal is not being operated by the user and no non-default application is running on it; automatic execution, that is, execution directly after the service operation request passes, without user confirmation; and execution after user confirmation, that is, execution only after the user confirms, once the service operation request has passed.
A service operation request is initiated to the device management server; the request carries the terminal's account information. The account information includes at least an account and a password, or an account, a password and a device unique identifier. The account is the credential the terminal needs in order to perform device management through the device management server; the user obtains it by registering in advance, and the password corresponds to the account. The password can be the value obtained by MD5-encrypting the clear-text password together with other parameters. The device unique identifier can be the device IMEI (International Mobile Equipment Identity); each terminal corresponds to one IMEI and no two repeat, so a terminal can be uniquely determined from its IMEI value. Carrying the account information in the service operation request ensures that the device management server can uniquely determine the terminal to which the request belongs, so as to perform the subsequent processing.
The access credential and first key that the device management server obtains according to the service operation request are received. After receiving the service operation request sent by the terminal, the device management server first performs an authentication operation on the account information in the request, judging whether this account information has permission to make the settings corresponding to this service operation request. Permission here can include: the account information reported by the terminal is legal, and the service requested by the terminal is allowed. When the account information includes the terminal's IMEI value, it also includes judging whether the account, password and IMEI value match, that is, whether this account and password correspond to the IMEI value.
If authentication fails, the device management server terminates the terminal's service operation request. If authentication passes, the account information provided by the terminal meets the corresponding conditions, and the device management server generates, according to the service operation request initiated by the terminal, the access credential, first key and second key corresponding to this request; the access credential, first key and second key correspond to one another. The access credential, which may also be called the TokenID, is the credential with which the terminal subsequently interacts with the device management server. It can be formed from the server address, user information, client IP address, timestamp and so on, where the server address is the device management server's address in the network, the user information is the account information provided by the terminal (account and password, and possibly the IMEI), the client IP address is the device management client's address in the network, and the timestamp is a time mark, which can be the timestamp of the user's service operation request or the timestamp at which the device management server authenticated it. The device management server can select any number of these pieces of information to form the TokenID.
The first key and the second key are both keys for encrypting and decrypting data. The first key is the key with which the device management client encrypts and decrypts data, and may also be called the message private key; the second key is the key with which the device management server encrypts and decrypts data, and may also be called the message public key. That is, when data is sent from the device management server to the device management client, it can be encrypted with the second key (the message public key) and decrypted at the device management client with the first key (the message private key); when data is sent from the device management client to the device management server, it can be encrypted with the first key (the message private key) and decrypted at the device management server with the second key (the message public key). The first key and second key appear as a pair and correspond to the access credential TokenID, so the corresponding first key and second key can be uniquely determined from the TokenID. In other words, each user and corresponding terminal corresponds to one TokenID, one first key and one second key.
The access credential, together with the business data encrypted with the first key, is sent to the device management server. Once it has passed the device management server's authentication, the device management client has received the access credential and first key fed back by the device management server; the access credential may have been encrypted with the second key at the device management server end, or left unencrypted. After initiating the service operation request, the terminal still needs, in subsequent operations, to send the necessary business data to the device management server, or it may have further service operation requests; business data can include terminal parameters, user configuration information and so on. When the terminal needs to send data to the device management server again, the data to be sent (which can include the business data) is first encrypted with the first key fed back by the device management server, and then, after encryption completes, the access credential and the encrypted business data are sent to the device management server. The access credential itself is usually not encrypted here, because the device management server needs the access credential sent by the terminal to determine the corresponding second key, with which it then decrypts the encrypted business data. Since one access credential corresponds to one first key and one second key, the access credential sent by the terminal uniquely determines the corresponding second key, and since the business data was encrypted with the first key, it can be decrypted smoothly once the second key has been determined from the access credential. Of course, the access credential may also be illegal, that is, it fails verification at the device management server end, which shows that it is not an access credential generated by the device management server, or in other words that it has expired or become invalid. When the access credential fails verification, an operation failure is fed back to the device management client and the operation is terminated.
After the business data has been successfully decrypted with the second key, the decrypted business data can be preserved and subsequent device management operations carried out according to it; the business data is persisted to a database and supplied to subsequent device management services. At this point the business operation flow is complete, and the device management server feeds back to the device management client a prompt or indication that the business operation has completed, prompting the user that the operation succeeded.
If there are further business operations afterwards, the corresponding service operation request can be sent directly to the device management server through the wireless communication unit 110; the service operation request is encrypted with the first key and decrypted at the device management server with the second key, which then parses the service operation request.
In addition, in this embodiment the format of the data exchanged between the device management client and the device management server can be JSON, Protobuffer or a similar format, which reduces non-essential redundant data in each interaction and improves interaction efficiency and the cleanliness of the system.
Fourth embodiment
Refer to Fig. 6, which is a flowchart of a device management method provided by the fourth embodiment of the invention, including:
S601: initiate a service operation request to the device management server, the service operation request carrying the account information of the terminal;
S602: receive the access credential and the first key that the device management server obtains according to the service operation request;
S603: send the access credential and the business data encrypted with the first key to the device management server.
The device management client is generally located in the terminal and serves as the gateway for terminal management: the terminal interacts with the device management server through the device management client to realize the device management functions of the terminal. The device management of the terminal may include firmware upgrade, software management, diagnosis and monitoring, connectivity, device capability, locking and erasing, and similar content.
Each of the above device management functions can, in this embodiment, be part of a service operation request. These device management functions belong to the service enabling policy; correspondingly there is also a service disabling policy. A service enabling policy request, as a service operation request, includes at least a service type and a service enabling occasion. The service type is one of the device management functions above, and the service enabling occasion specifies when each device management function is enabled or disabled, including: enable under WIFI, i.e. enable when the terminal is connected to a wireless network; enable at night, for which a start time and an end time of enabling can be set; enable when idle, i.e. when the terminal is not being operated by the user and no non-default application is running on the terminal; execute automatically, i.e. execute directly once the service operation request is approved, without user confirmation; and execute after user confirmation, i.e. execute only after the user confirms, once the service operation request is approved.
In S601, a service operation request is initiated to the device management server, and the service operation request carries the account information of the terminal. The account information includes at least an account and a password, or may include an account, a password and a device unique identifier. The account is the credential required when the terminal performs device management through the device management server and is registered and obtained by the user in advance; the password corresponds to the account and may be the value obtained by applying MD5 to the cleartext password together with other parameters. The device unique identifier may be the device IMEI (International Mobile Equipment Identity): each terminal corresponds to one identifier and no repetition occurs, so the corresponding terminal can be uniquely determined from the IMEI value. When the service operation request is initiated it carries the account information, so that the device management server can uniquely determine the terminal corresponding to the service operation request for subsequent processing.
In S602, the access credential and the first key that the device management server obtains according to the service operation request are received. After receiving the service operation request sent by the terminal, the device management server first authenticates the account information in the service operation request and judges whether this account information is permitted to perform the corresponding settings of the service operation request. The permission here may include: the account information reported by the terminal is legitimate, and the service requested by the terminal is allowed. When the account information includes the IMEI value of the terminal, it also includes judging whether the account, the password and the IMEI value match, i.e. whether the account and password correspond to the IMEI value.
If authentication fails, the device management server terminates the service operation request of the terminal. If authentication passes, the account information provided by the terminal meets the corresponding conditions, and the device management server generates, according to the service operation request initiated by the terminal, an access credential, a first key and a second key corresponding to that service operation request, where the access credential, the first key and the second key correspond to one another. The access credential, which may also be called the TokenID, is the credential the terminal subsequently uses to interact with the device management server; it may be formed from the server address, user information, client IP address, timestamp and so on. The server address is the address of the device management server in the network; the user information is the account information provided by the terminal, including the account and password, and possibly the IMEI; the client IP address is the address of the device management client in the network; and the timestamp is a time mark, which may be the timestamp of the service operation request reported by the user or the timestamp at which the device management server performed authentication. The device management server may select any number of the above items to form the TokenID.
The first key and the second key are both keys used to encrypt and decrypt data. The first key is the key with which the device management client encrypts and decrypts data and may also be called the message private key; the second key is the key with which the device management server encrypts and decrypts data and may also be called the message public key. That is, when data is sent from the device management server to the device management client it may be encrypted with the second key (the message public key) and decrypted at the device management client with the first key (the message private key); when data is sent from the device management client to the device management server it may be encrypted with the first key (the message private key) and decrypted at the device management server with the second key (the message public key). The first key and the second key appear as a pair and correspond to the access credential TokenID, so the corresponding first key and second key can be uniquely determined from the TokenID. In other words, each user and corresponding terminal corresponds to one TokenID, one first key and one second key.
In S603, the access credential and the business data encrypted with the first key are sent to the device management server. After passing the authentication of the device management server, the device management client has received the access credential and the first key returned by the device management server; the access credential may be encrypted with the second key at the device management server or may be left unencrypted. After the terminal has initiated the service operation request, subsequent operations still require the terminal to send necessary business data to the device management server, or the terminal may have further service operation requests; the business data may include terminal parameters, user configuration information and so on. When the terminal needs to send data to the device management server again, the data to be sent, which may include the business data, is first encrypted with the first key returned by the device management server; once encryption is complete, the access credential and the encrypted business data are sent to the device management server. The access credential here is usually not encrypted, because the device management server needs the access credential sent by the terminal to determine the corresponding second key, with which it then decrypts the encrypted business data. Since one access credential corresponds to one first key and one second key, the access credential sent by the terminal uniquely determines the corresponding second key; the business data was encrypted with the first key, so once the second key has been determined from the access credential the business data can be decrypted. It is also possible that the access credential is invalid, i.e. it fails validation at the device management server; this means the access credential was not generated by the device management server, or that it has expired or been revoked. When validation of the access credential fails, the device management server reports operation failure to the device management client and terminates the operation.
After the second key has successfully decrypted the business data, the decrypted business data can be saved and used for subsequent device management operations: it is persisted to a database and made available to later device management services. At this point the business operation flow is complete, and the device management server returns a prompt or indication to the device management client that the business operation has completed, informing the user that the operation succeeded.
If further business operations follow, the corresponding service operation request can be sent directly to the device management server; the service operation request is encrypted with the first key and decrypted at the device management server with the second key, which then parses the service operation request.
In addition, in this embodiment the data exchanged between the device management client and the device management server may be in a format such as JSON or Protobuf, which reduces unnecessary redundant data in each interaction and improves interaction efficiency and the cleanness of the system.
This embodiment provides a device management method, including: initiating a service operation request to the device management server, the service operation request carrying the account information of the terminal; receiving the access credential and the first key that the device management server obtains according to the service operation request; and sending the access credential and the business data encrypted with the first key to the device management server. This realizes encryption in the device management process, with paired encryption by the first key and the second key, and significantly improves security.
Fifth embodiment
Refer to Fig. 7, which is a flowchart of a device management method provided by the fifth embodiment of the invention, including:
S701: receive the service operation request sent by the device management client, the service operation request carrying the account information of the terminal;
S702: after authentication of the account information passes, generate an access credential, a first key and a second key according to the service operation request, where the access credential, the first key and the second key correspond to one another;
S703: send the access credential and the first key to the device management client;
S704: receive the access credential and the encrypted business data sent by the device management client, and perform service operation processing.
The service operation request may include a service enabling policy request and a service disabling policy request, where the service enabling policy request includes at least a service type and a service enabling occasion. The service type refers to each device management function and may include firmware upgrade, software management, diagnosis and monitoring, connectivity, device capability, locking and erasing, and so on. The service enabling occasion specifies when the above device management functions are enabled or disabled, including: enable under WIFI, i.e. enable when the terminal is connected to a wireless network; enable at night, for which a start time and an end time of enabling can be set; enable when idle, i.e. when the terminal is not being operated by the user and no non-default application is running on the terminal; execute automatically, i.e. execute directly once the service operation request is approved, without user confirmation; and execute after user confirmation, i.e. execute only after the user confirms, once the service operation request is approved.
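The service enabling policy described above, as an added Go example that is not code from the patent or from any product implementing it: each Policy carries a service type and a service enabling occasion, and MayRun evaluates it against the terminal's current state. The Occasion values, the TerminalState fields and the rule that no occasion runs before the server has approved the service operation request are this example's own assumptions; the night window is given as a start hour and an end hour and is allowed to cross midnight, which is the case that is easy to get wrong.

```go
package main

import "time"

// Occasion is the "service enabling occasion" of a service enabling policy request.
type Occasion int

const (
	OnWifi           Occasion = iota // enable when the terminal is on a wireless network
	AtNight                          // enable inside the configured start/end window
	WhenIdle                         // enable when the user is inactive and no non-default app runs
	Automatic                        // execute as soon as the request is approved
	AfterUserConfirm                 // execute only after the user confirms an approved request
)

// Policy is one service enabling policy request: a service type plus its occasion.
// NightStart/NightEnd are hours of day and are only consulted for AtNight.
type Policy struct {
	ServiceType string // e.g. "firmware_upgrade" (constructed label)
	Occasion    Occasion
	NightStart  int
	NightEnd    int
}

// TerminalState is the client-side view the policy is evaluated against (assumed fields).
type TerminalState struct {
	OnWifi         bool
	UserActive     bool
	NonDefaultApps int  // number of non-default applications currently running
	Approved       bool // the server approved the service operation request
	UserConfirmed  bool
	Now            time.Time
}

// inWindow reports whether hour h lies in [start, end); a window with
// start > end (e.g. 23 to 5) is treated as crossing midnight.
func inWindow(h, start, end int) bool {
	if start <= end {
		return h >= start && h < end
	}
	return h >= start || h < end
}

// MayRun decides whether the management function may be executed now.
// Assumption of this example: nothing runs before the server has approved the request.
func (p Policy) MayRun(st TerminalState) bool {
	if !st.Approved {
		return false
	}
	switch p.Occasion {
	case OnWifi:
		return st.OnWifi
	case AtNight:
		return inWindow(st.Now.Hour(), p.NightStart, p.NightEnd)
	case WhenIdle:
		return !st.UserActive && st.NonDefaultApps == 0
	case Automatic:
		return true
	case AfterUserConfirm:
		return st.UserConfirmed
	}
	return false // unknown occasion: fail closed
}
```

An unknown occasion value falls through to false, so a policy the client does not understand never runs a management function by default.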
In S701, the service operation request sent by the device management client is received, and the service operation request carries the account information of the terminal. The account information includes at least an account and a password, or may include an account, a password and a device unique identifier. The account is the credential required when the terminal performs device management through the device manager and is registered and obtained by the user in advance; the password corresponds to the account and may be the value obtained by applying MD5 to the cleartext password together with other parameters. The device unique identifier may be the device IMEI: each terminal corresponds to one IMEI value and no repetition occurs, so the corresponding terminal can be uniquely determined from the IMEI. After receiving a service operation request carrying the account information, the terminal that initiated the service operation request can be uniquely determined from this account information for subsequent processing.
In S702, after authentication of the account information passes, the access credential, the first key and the second key are generated according to the service operation request. That is, before the access credential is generated, the account information of the terminal that sent the received service operation request must be authenticated, judging whether this account information is permitted to perform the corresponding settings of the service operation request. The permission here may include: the account information reported by the terminal is legitimate, and the service requested by the terminal is allowed. When the account information includes the IMEI value of the terminal, it also includes judging whether the account, the password and the IMEI value match, i.e. whether the account and password correspond to the IMEI value. If authentication fails, the service operation request is illegitimate and cannot pass, and the device management server may send a non-approval message to the device management client that initiated the service operation request. The content of the prompt may be a message such as "account or password error" or "match failed".
If authentication passes, the access credential, the first key and the second key are generated according to the service operation request, where the access credential, the first key and the second key correspond to one another. The access credential, which may also be called the TokenID, is the credential the device management client subsequently uses to interact with the device management server; it may be formed from the server address, user information, client IP address, timestamp and so on. The server address is the address of the device management server in the network; the user information is the account information provided by the terminal, including the account and password, and possibly the IMEI; the client IP address is the address of the device management client in the network; and the timestamp is a time mark, which may be the timestamp of the service operation request reported by the user or the timestamp at which the device management server performed authentication. Any number of the above items may be selected to form the TokenID.
The first key and the second key are both keys used to encrypt and decrypt data. The first key is the key with which the device management client encrypts and decrypts data, also called the message private key; the second key is the key with which the device management server encrypts and decrypts data, also called the message public key. When data is sent from the device management server to the device management client it may be encrypted with the second key (the message public key) and decrypted at the device management client with the first key (the message private key); when data is sent from the device management client to the device management server it may be encrypted with the first key (the message private key) and decrypted at the device management server with the second key (the message public key). The first key and the second key appear as a pair and correspond to the access credential TokenID, so the corresponding first key and second key can be uniquely determined from the TokenID. In other words, each user and corresponding terminal corresponds to one TokenID, one first key and one second key.
In S703, the access credential and the first key are sent to the device management client. The access credential may be encrypted with the second key or left unencrypted. The access credential serves as the credential when the device management client next sends business data to the device management server: from the access credential, the device management server can determine whether the business data is legitimate and select the second key corresponding to the access credential to decrypt the business data that was encrypted with the first key.
In S704, the access credential and the encrypted business data sent by the device management client are received, and service operation processing is performed. After the terminal has initiated the service operation request, subsequent operations still require the terminal to send necessary business data to the device management server, or the terminal may have further service operation requests; the business data may include terminal parameters, user configuration information and so on. When the terminal needs to send data to the device management server again, the data to be sent, which may include the business data, is first encrypted with the first key returned by the device management server; once encryption is complete, the access credential and the encrypted business data are sent to the device management server. The access credential here is usually not encrypted, because the device management server needs the access credential sent by the terminal to determine the corresponding second key, with which it then decrypts the encrypted business data. Since one access credential corresponds to one first key and one second key, the access credential sent by the terminal uniquely determines the corresponding second key; the business data was encrypted with the first key, so once the second key has been determined from the access credential the business data can be decrypted. It is also possible that the access credential is invalid, i.e. it fails validation at the device management server; this means the access credential was not generated by the device management server, or that it has expired or been revoked. When validation of the access credential fails, the device management server reports operation failure to the device management client and terminates the operation.
After the second key has successfully decrypted the business data, the decrypted business data can be saved and used for subsequent device management operations: it is persisted to a database and made available to later device management services. At this point the business operation flow is complete, and the device management server returns a prompt or indication to the device management client that the business operation has completed, informing the user that the operation succeeded.
In addition, in this embodiment the data exchanged between the device management client and the device management server may be in a format such as JSON or Protobuf, which reduces unnecessary redundant data in each interaction and improves interaction efficiency and the cleanness of the system.
This embodiment provides a device management method, including: receiving the service operation request sent by the device management client, the service operation request carrying the account information of the terminal; after authentication of the account information passes, generating an access credential, a first key and a second key according to the service operation request, where the access credential, the first key and the second key correspond to one another; sending the access credential and the first key to the device management client; and receiving the access credential and the encrypted business data sent by the device management client and performing service operation processing. This realizes encryption in the device management process, with paired encryption by the first key and the second key, and significantly improves security.
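The exchange of S601 to S603 and S701 to S704 above, written out as an added Go example that is not code from the patent or from any product implementing it. The server authenticates account, password and IMEI, issues a TokenID together with a session key, and later uses the TokenID sent in the clear to select the key with which the business data is decrypted; an unknown or expired credential, or a payload that fails to decrypt, ends the operation with a failure before anything is persisted. Two points are this example's own assumptions rather than the description's: a single AES-256-GCM key per credential stands in for the description's first key / second key pair (the client holds one copy, the server keeps the other indexed by TokenID), and the TokenID is drawn from a random source rather than assembled from server address, account, client IP and timestamp, because a credential built only from those fields can be reconstructed by anyone who knows them. The type and function names, the account table entry, the password and the IMEI value are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"time"
)

type account struct{ password, imei string } // one row of the account table (constructed)

// session is the server-side record behind one access credential (TokenID).
type session struct {
	key     []byte
	expires time.Time
}

// Server models the device management server side (S701 to S704).
type Server struct {
	accounts map[string]account
	sessions map[string]session // TokenID -> session, looked up in S704
	Store    [][]byte           // decrypted business data persisted after S704
	Now      func() time.Time   // injectable clock so expiry can be exercised
}

func NewServer() *Server {
	return &Server{
		accounts: map[string]account{"alice": {"correct-horse", "356938035643809"}}, // constructed
		sessions: map[string]session{},
		Now:      time.Now,
	}
}

// ServiceOperationRequest is S701/S702: check account, password and IMEI, then
// issue a TokenID and the key the client will encrypt business data with.
// The TokenID is random (assumption) so it cannot be predicted from public fields.
func (s *Server) ServiceOperationRequest(acct, password, imei string) (string, []byte, error) {
	a, known := s.accounts[acct]
	pwOK := subtle.ConstantTimeCompare([]byte(a.password), []byte(password)) == 1
	imeiOK := subtle.ConstantTimeCompare([]byte(a.imei), []byte(imei)) == 1
	if !known || !pwOK || !imeiOK {
		return "", nil, errors.New("account or password error / match failed")
	}
	raw := make([]byte, 48)
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	tokenID := hex.EncodeToString(raw[:16])
	key := raw[16:] // 32 bytes: AES-256-GCM
	s.sessions[tokenID] = session{key: key, expires: s.Now().Add(10 * time.Minute)}
	return tokenID, key, nil
}

// newAEAD builds the AES-GCM instance used by both sides of the exchange.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the client side of S603: encrypt business data under the issued key.
// The TokenID is bound as associated data, so a ciphertext presented with a
// different credential fails to open. Output is nonce || ciphertext || tag.
func Seal(key []byte, tokenID string, businessData []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, businessData, []byte(tokenID)), nil
}

// BusinessData is S704: the TokenID travels in the clear and selects the key.
// Unknown or expired credentials end the operation before any decryption.
func (s *Server) BusinessData(tokenID string, sealed []byte) error {
	sess, ok := s.sessions[tokenID]
	if !ok || s.Now().After(sess.expires) {
		return errors.New("operation failed: access credential invalid or expired")
	}
	aead, err := newAEAD(sess.key)
	if err != nil {
		return err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return errors.New("operation failed: malformed payload")
	}
	plain, err := aead.Open(nil, sealed[:ns], sealed[ns:], []byte(tokenID))
	if err != nil {
		return errors.New("operation failed: decryption or authentication failed")
	}
	s.Store = append(s.Store, plain) // persist, then report success to the client
	return nil
}
```

Calling ServiceOperationRequest with the sample account returns the TokenID and key; Seal produces the payload the client sends, and BusinessData appends the decrypted data to Store only when the credential is known and unexpired and the GCM tag verifies. Because the TokenID is authenticated as associated data, a payload captured from one session cannot be submitted under a different credential, and any modification of the ciphertext is rejected before the data reaches the database.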
It should be noted that, herein, the terms "include", "comprise" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article or apparatus. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or apparatus that includes that element.
The embodiments of the invention are numbered for description only; the numbering does not represent the quality of the embodiments.
From the description of the embodiments above, those skilled in the art can clearly understand that the methods of the embodiments may be implemented by software together with a necessary general-purpose hardware platform, or of course by hardware, but in many cases the former is the preferred implementation. Based on this understanding, the technical solution of the invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc) and including instructions for causing a terminal device (which may be a mobile phone, computer, server, air conditioner, network device or the like) to perform the methods described in the embodiments of the invention.
Embodiments of the invention have been described above with reference to the drawings, but the invention is not limited to the specific embodiments above, which are merely illustrative and not restrictive; those of ordinary skill in the art, inspired by the invention, may derive many further forms without departing from the concept of the invention and the scope of protection of the claims, all of which fall within the protection of the invention.
Claims (10)
1. A device management client, characterized in that it includes:
a first sending module, for initiating a service operation request to a device management server, the service operation request carrying the account information of a terminal;
a first receiving module, for receiving the access credential and the first key that the device management server obtains according to the service operation request;
a second sending module, for sending the access credential and the business data encrypted with the first key to the device management server.
2. The device management client of claim 1, characterized in that the service operation request includes a service enabling policy request or a service disabling policy request; the service enabling policy request includes at least a service type and a service enabling occasion.
3. The device management client of claim 1, characterized in that the account information includes at least an account and a password; or the account information includes an account, a password and a device unique identifier.
4. A device management server, characterized in that it includes:
a second receiving module, for receiving a service operation request sent by a device management client, the service operation request carrying the account information of a terminal;
a generation module, for generating, after authentication of the account information passes, an access credential, a first key and a second key according to the service operation request, where the access credential, the first key and the second key correspond to one another;
a third sending module, for sending the access credential and the first key to the device management client;
a third receiving module, for receiving the access credential and the encrypted business data sent by the device management client, and performing service operation processing.
5. The device management server of claim 4, characterized in that the third receiving module is used to: receive the access credential and the encrypted parameter information sent by the device management server; judge whether the access credential is legitimate; and, after judging that the access credential is legitimate, look up the second key corresponding to the access credential and decrypt the encrypted business data.
6. A device management method, including:
initiating a service operation request to a device management server, the service operation request carrying the account information of a terminal;
receiving the access credential and the first key that the device management server obtains according to the service operation request;
sending the access credential and the business data encrypted with the first key to the device management server.
7. The device management method of claim 6, characterized in that the service operation request includes a service enabling policy request or a service disabling policy request; the service enabling policy request includes at least a service type and a service enabling occasion.
8. The device management method of claim 6, characterized in that the account information includes at least an account and a password; or the account information includes an account, a password and a device unique identifier.
9. A device management method, including:
receiving a service operation request sent by a device management client, the service operation request carrying the account information of a terminal;
after authentication of the account information passes, generating an access credential, a first key and a second key according to the service operation request, where the access credential, the first key and the second key correspond to one another;
sending the access credential and the first key to the device management client;
receiving the access credential and the encrypted business data sent by the device management client, and performing service operation processing.
10. The device management method of claim 9, characterized in that receiving the access credential and the encrypted business data sent by the device management client and performing service operation processing includes: receiving the access credential and the encrypted parameter information sent by the device management server; judging whether the access credential is legitimate; and, after judging that the access credential is legitimate, looking up the second key corresponding to the access credential and decrypting the encrypted business data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610825976.1A CN106411580A (en) | 2016-09-14 | 2016-09-14 | Device management client and server, and device management methods |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106411580A true CN106411580A (en) | 2017-02-15 |
Family
ID=57998010
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610825976.1A Pending CN106411580A (en) | 2016-09-14 | 2016-09-14 | Device management client and server, and device management methods |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106411580A (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106919828A (en) * | 2017-04-20 | 2017-07-04 | 北京蓝海华业科技股份有限公司 | A kind of IDC machine room intelligents management system |
CN107505921A (en) * | 2017-08-04 | 2017-12-22 | 深圳市盛路物联通讯技术有限公司 | A kind of industrial equipment maintaining method and system |
CN112291178A (en) * | 2019-07-22 | 2021-01-29 | 京东方科技集团股份有限公司 | Service providing method and device and electronic equipment |
CN112291178B (en) * | 2019-07-22 | 2024-03-22 | 京东方科技集团股份有限公司 | Service providing method and device and electronic equipment |
CN114465806A (en) * | 2022-02-21 | 2022-05-10 | 深圳市世强元件网络有限公司 | Multi-party data access security management method and system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8613070B1 (en) * | 2012-10-12 | 2013-12-17 | Citrix Systems, Inc. | Single sign-on access in an orchestration framework for connected devices |
CN104283680A (en) * | 2013-07-05 | 2015-01-14 | 腾讯科技(深圳)有限公司 | Data transmission method, client side, server and system |
CN104811484A (en) * | 2015-04-09 | 2015-07-29 | 努比亚技术有限公司 | FOTA (firmware over-the-air) upgrading method and device |
CN104838630A (en) * | 2012-10-10 | 2015-08-12 | 思杰系统有限公司 | Policy-based application management |
CN105743916A (en) * | 2016-04-03 | 2016-07-06 | 北京动石科技有限公司 | Information processing method, system and device for enhancing access security |
Legal events: 2016-09-14 CN CN201610825976.1A patent/CN106411580A/en active Pending
Similar Documents
Publication | Title |
---|---|
KR102598613B1 (en) | System and method for providing vehicle information based on personal certification and vehicle certification |
CN111475841B (en) | Access control method, related device, equipment, system and storage medium |
KR102223609B1 (en) | Content sharing method and apparatus |
US9325683B2 (en) | Mobile application management framework |
KR102226411B1 (en) | Electronic device and method for managing reenrollment |
CN109076067B (en) | System and method for authenticating a user for secure data access using a multiparty authentication system |
US20100070769A1 (en) | Log acquisition system, log collection terminal, log acquisition terminal, and log acquisition method and program using the same system and terminals |
CN110300083B (en) | Method, terminal and verification server for acquiring identity information |
CN104915601A (en) | System and method of encrypting folder in device |
CN105848134A (en) | Virtual SIM (Subscriber Identity Module) card management device, communication terminal, access control method and management method |
US20200410795A1 (en) | Smart management device, lock, and identification method |
CN104765994A (en) | User identity recognition method and device |
CN104919778A (en) | Providing an encrypted account credential from a first device to a second device |
CN107145552A (en) | Page access method, equipment and computer-readable storage medium |
KR20130017507A (en) | Mobile terminal and payment method for mobile terminal |
CN106411580A (en) | Device management client and server, and device management methods |
US11943256B2 (en) | Link detection method and apparatus, electronic device, and storage medium |
CN103914520B (en) | Data query method, terminal device and server |
US20180035293A1 (en) | Authenticating a device utilizing a secure display |
CN110795737A (en) | Method and terminal equipment for upgrading service application range of electronic identity card |
CN106453802A (en) | Cipher verification method and device, and terminal |
US20160381552A1 (en) | Handling risk events for a mobile device |
KR102483830B1 (en) | Electronic apparatus and operating method thereof |
US10896263B2 (en) | Method and system for securely controlling access to data |
CN105095705B (en) | A kind of information processing method and device |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170215 |