CN111147256A - Authentication method and device - Google Patents


Info

Publication number
CN111147256A
Authority
CN (China)
Prior art keywords
credit, authentication, equipment, operation request, executing
Legal status
Granted
Application number
CN201911367427.4A
Other languages
Chinese (zh)
Other versions
CN111147256B (en)
Inventors
刘莉莉, 李锋, 王皓, 姜文浩, 郭兴民
Current assignee
Honor Device Co Ltd
Original assignee
Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Telephonic Communication Services

Abstract

The embodiments of the application relate to an authentication method applied to a first device, where the first device and a second device are connected in a device family. The method includes: receiving an operation request sent by the second device; determining a credit rating of the second device; when the credit rating of the second device is greater than or equal to a credit threshold, executing the operation request and authenticating the second device while the operation request is being executed; and updating the credit rating of the second device according to the authentication result. By determining the credit rating of a device, a device with a sufficiently high credit rating can establish a connection and begin data transmission immediately, with authentication performed concurrently during the transmission, so the overall delay overhead of data transmission plus authentication is reduced and authentication efficiency is improved. The device is still authenticated, so the security of the data transmission remains guaranteed.

Description

Authentication method and device
Technical Field
The application relates to the field of computers, and in particular to an authentication method and device that simplify authentication within a device family in the Internet of Things.
Background
With the development of computer networks, Internet-based thing-to-thing and person-to-thing communication technology, namely the Internet of Things, has also developed rapidly. However, as the Internet of Things has grown, a large number of security authentication and authorization problems have arisen in its operation. To prevent unauthorized users from accessing a system, or data on a wireless interface from being stolen, authentication and authorization are performed whenever devices in the Internet of Things interconnect and communicate, so that unauthorized access is prevented and security is guaranteed. However, during device authentication, operations such as authentication and authorization must be performed one by one, which is cumbersome and takes too long, so the efficiency of interconnection and communication between devices becomes very low.
In most existing schemes, to ensure security, several round trips (RTTs) of authentication must be completed before a connection is successfully established. As shown in Fig. 1, authentication requires several RTTs, for example n to m of them, before the data request and response can be exchanged. Consequently, a plurality of RTTs must currently be incurred, and the corresponding data transmission can take place only after authentication has passed, which obviously wastes a great deal of time. It can be seen that existing solutions do not recognize the relationships between devices in a device family, so many unnecessary operations are added and authentication efficiency is very low.
Disclosure of Invention
The embodiments of the application provide an authentication method and an authentication device. By determining the credit rating of a device, a device with a higher credit rating can be subjected to elastic post-authentication when it needs to transmit data, which saves overall data transmission time and improves authentication efficiency while still ensuring the security of the data transmission.
In a first aspect, an authentication method is provided. The method is applied to a first device, where the first device and a second device are connected in a device family, and includes: receiving an operation request sent by the second device; determining a credit rating of the second device; when the credit rating of the second device is greater than or equal to a credit threshold, executing the operation request and authenticating the second device while the operation request is being executed; and updating the credit rating of the second device according to the authentication result of the second device.
In one possible embodiment, the method further includes: when the credit rating of the second device is less than the credit threshold, authenticating the second device; and updating the credit rating of the second device according to the authentication result of the second device.
In one possible embodiment, updating the credit rating of the second device according to the authentication result of the second device includes: when the authentication result of the second device is passed, executing the operation request and increasing the credit rating of the second device.
In one possible embodiment, updating the credit rating of the second device according to the authentication result of the second device includes: when the authentication result of the second device is failed, stopping execution of the operation request and decreasing the credit rating of the second device.
In one possible embodiment, the credit is determined based on characteristics of the operation request, characteristics of the second device, environmental characteristics of the second device, and resource characteristics of the second device.
In one possible embodiment, the characteristics of the operation request include: security requirement characteristics of the operation request.
In one possible embodiment, the device family further includes a third device, and the third device is another device which is less than the distance threshold from the second device; the features of the second device include: one or more of a credit rating of the third device, first historical pairing information of the second device with the first device, and second historical pairing information of the second device.
In one possible embodiment, the environmental characteristics of the second device include: one or more of a network environment of the second device, a geographic location of the second device, a time at which the second device sends the operation request.
In one possible embodiment, the resource characteristics of the second device include: the number of successful authentications of the second device, the number of failed authentications of the second device, the number of times the second device has been exempted from authentication, and the length of time for which the second device has been exempted from authentication.
In a second aspect, an authentication device is provided. The authentication device is applied to terminal equipment that includes a first device and a second device, where the first device and the second device are connected in a device family. The authentication device includes a receiver, a processor, and a memory, where the processor is coupled to the memory; the receiver is configured to receive an operation request sent by the second device; the processor is configured to read and execute instructions in the memory; and when the processor runs the instructions, the processor is further configured to: determine a credit rating of the second device; when the credit rating of the second device is greater than or equal to a credit threshold, execute the operation request and authenticate the second device while the operation request is being executed; and update the credit rating of the second device according to the authentication result of the second device.
In one possible embodiment, the processor is further configured to: when the credit rating of the second device is less than the credit threshold, authenticate the second device; and update the credit rating of the second device according to the authentication result of the second device.
In one possible embodiment, the processor is further configured to: when the authentication result of the second device is passed, execute the operation request and increase the credit rating of the second device.
In one possible embodiment, the processor is further configured to: when the authentication result of the second device is failed, stop executing the operation request and decrease the credit rating of the second device.
In one possible embodiment, the processor is further configured to determine the credit rating according to characteristics of the operation request, characteristics of the second device, environmental characteristics of the second device, and resource characteristics of the second device.
In one possible embodiment, the characteristics of the operation request include: security requirement characteristics of the operation request.
In one possible embodiment, the terminal device further includes a third device, where the third device is connected to the first device and the second device in a device family, and the third device is another terminal device whose distance from the second device is smaller than a distance threshold; the features of the second device include: one or more of a credit rating of the third device, first historical pairing information of the second device with the first device, and second historical pairing information of the second device.
In one possible embodiment, the environmental characteristics of the second device include: one or more of a network environment of the second device, a geographic location of the second device, a time at which the second device sends the operation request.
In one possible embodiment, the resource characteristics of the second device include: the number of successful authentications of the second device, the number of failed authentications of the second device, the number of times the second device has been exempted from authentication, and the length of time for which the second device has been exempted from authentication.
In a third aspect, a computer-readable storage medium is provided, having instructions stored thereon, wherein the instructions, when executed on a terminal, cause the terminal to perform the method of the first aspect.
In a fourth aspect, there is provided a computer program device comprising instructions which, when run on a terminal, cause the terminal to perform the method of the first aspect.
The application discloses an authentication method and device in which the credit rating of a device is determined; when the credit rating is sufficiently high, a connection is established first and data transmission begins, with authentication performed concurrently during the data transmission, so the overall delay overhead of data transmission and authentication is reduced and authentication efficiency is improved. The device is still authenticated, so the security of the data transmission is guaranteed.
Drawings
Fig. 1 is a diagram illustrating conventional authentication and authorization;
Fig. 2 is a schematic view of an application scenario provided in an embodiment of the present application;
Fig. 3 is a schematic diagram of authentication provided in an embodiment of the present application;
Fig. 4 is a schematic diagram of another authentication provided in an embodiment of the present application;
Fig. 5 is a schematic diagram of another authentication provided in an embodiment of the present application;
Fig. 6 is a flowchart of an authentication method according to an embodiment of the present application;
Fig. 7 is a flowchart of another authentication method provided in an embodiment of the present application;
Fig. 8 is a schematic diagram of another authentication provided in an embodiment of the present application;
Fig. 9 is a schematic flowchart of an authentication framework according to an embodiment of the present application;
Fig. 10 is a schematic diagram of a network topology according to an embodiment of the present application;
Fig. 11 is a flowchart of another authentication and authorization provided by an embodiment of the present application;
Fig. 12 is a schematic diagram of an authentication device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
The authentication method is mainly applied to a device family in the Internet of Things, and the authentication process is carried out when data communication takes place between the devices. As shown in Fig. 2, the application scenario includes a plurality of intelligent devices in the Internet of Things. The intelligent devices involved in the application may be any intelligent terminal device with processing capability, such as a mobile phone, a smart television, a smart air conditioner, a smart speaker, a floor-sweeping robot or a smart watch, without limitation. As can be seen from Fig. 2, the mobile phone, television, air conditioner, speaker and sweeping robot are all in the same device family, and each smart device in the family may communicate with any other smart device in it. However, for every communication, to ensure the security of the data request and response, authentication must be performed first, and the data request and response can proceed only after authentication has passed.
In some embodiments, the overall authentication process is optimized, as in the authentication process shown in Fig. 3. Here n' to m' rounds of authentication and authorization are still required before the data request and response. This scheme trims the authentication and authorization flow, reduces the number of round trips, and improves authentication efficiency. However, although the number of authentication and authorization rounds falls from n to m down to n' to m', the improvement is still limited and efficiency rises only by a small margin.
Another authentication scheme is shown in Fig. 4. When the devices connect, the data request and the authentication-related information are sent at the same time, which reduces the communication round-trip delay overhead caused by authentication. Carrying the authentication and authorization information during the connection process saves the authentication and authorization delay for connections that authenticate successfully. However, for connections that fail to authenticate, not only is the communication bandwidth occupied by the data request message wasted, but the user's waiting time for authentication also increases, and a large amount of redundant authentication information and transmitted data is introduced.
In other schemes, for example the authentication and authorization shown in Fig. 5, the authentication operation is avoided entirely: the devices connect directly and perform the data request and response. As can be seen, there are no authentication or authorization messages in Fig. 5, only the data request and response, so the communication round-trip delay overhead related to authentication and authorization is greatly reduced. However, this scheme eliminates authentication before the data request and response. Although it greatly reduces the round-trip delay of authentication, it introduces a serious security risk: performing no authentication at all allows unsafe devices to connect, so the security of the information cannot be guaranteed.
The method and device of the application determine the credit rating of the device that actively initiates a data request before the data request and response take place between the devices. When the credit rating of the initiating device is high enough, the device is allowed to connect to other devices and send the data request, and the initiating device is authenticated and authorized while the data request is being sent. When authentication passes, the device receiving the data request is allowed to respond to it. In this way, the overall delay overhead of data transmission and authentication is reduced and authentication efficiency is improved.
The technical solutions in the embodiments of the present application will be described in detail below with reference to the drawings in the embodiments of the present application.
As shown in Fig. 6, which is a flowchart of an authentication method according to an embodiment of the present application, the method can be applied to terminal equipment. The terminal equipment may include a first device, a second device, a third device and so on, where the first device, the third device and the other devices are in the same device family. Those skilled in the art will note that the second device may be a terminal device already in the same device family as the first device, the third device and the others, or may be a terminal device that is about to access that device family for the first time.
For example, if a device family includes four devices A, B, C and D, and device B is about to communicate with device A, then device A is the first device, device B is the second device, and device C and/or device D may be the third device. As another example, when a device family includes four devices A, B, C and D and a fifth device E is about to join the family and communicate with device A, device A is the first device, device E is the second device, and device B, device C and/or device D may be the third device.
The method is mainly applied to a device for receiving a data request, namely a first device, and comprises the following steps:
S601, receiving an operation request sent by the second device.
In one embodiment, the first device receives an operation request sent by the second device.
In one example, the second device may already be in the same device family as the first device, or may be about to join the device family containing the first device for the first time.
S602, the credit degree of the second device is determined.
In one embodiment, a first device determines a credit for a second device.
In one example, the first device may determine the credit rating of the second device based on characteristics of the received operation request, characteristics of the second device, environmental characteristics of the second device, and resource characteristics of the second device.
In one example, the characteristics of the operation request may include one or more of: the security requirement characteristics of the operation request, or any other equivalent characteristic information. The security requirement characteristic of the operation request represents the service security requirement of the operation request received by the first device; for example, the service security requirement of the received operation request may be very high, or it may be ordinary. It will be understood that an operation request with a higher security requirement demands a higher credit rating from the second device, while an operation request with an ordinary security requirement demands less. In one example, the credit requirement is embodied in the credit threshold. Of course, those skilled in the art will note that the characteristics of the operation request may also include any other equivalent characteristic information, or any information that characterizes the operation request, and the application is not limited in this respect.
In another example, the device family containing the first device may include a third device, the third device being another device whose distance from the second device is less than a distance threshold. For example, when the distance threshold is 5 meters, the third device is a terminal device in the device family within 5 meters of the second device. In one embodiment, the characteristics of the second device may include one or more of: the credit rating of the third device, first historical pairing information of the second device with the first device, second historical pairing information of the second device, or any other equivalent characteristic information. The third device may be a peripheral device that has a connection with the second device. Those skilled in the art will note that this connection is not the connection by which the third device and the second device form the device family: for example, the first, second and third devices may be connected over Wi-Fi to form the device family, while the second device may also be connected to the third device over Bluetooth, infrared or another means. Thus, when determining the credit rating of the second device, reference may be made to other terminal devices in the device family that have a connection with the second device. If the credit rating of the third device is high, that is indirect evidence that the second device is more trustworthy, so the credit rating of the second device may be raised; conversely, if the credit rating of the third device is low, that is indirect evidence that the second device may be less trustworthy, and the credit rating of the second device may be lowered.
In one example, the first historical pairing information of the second device and the first device indicates the number of successful pairings and/or the number of failed pairings between the second device and the first device before the present connection is established. For example, when device B is about to connect and communicate with device A, the first historical pairing information indicates the number of successful and/or failed connections between device A and device B before this connection. A connection is understood to be successful when authentication succeeds and to have failed when authentication fails. It will be understood that when the first historical pairing information indicates a large number of successful pairings between the second device and the first device, the credit rating of the second device may be raised; conversely, if the number of failed pairings is large, the credit rating of the second device may be lowered. In another example, the second historical pairing information of the second device indicates which terminal devices the second device has been connected to before this connection; for example, it may record that the second device has previously connected to each of devices 1 through 100.
It will be understood that when the second historical pairing information indicates that the second device has been connected to many devices, for example 1000 or 10000 devices, the credit rating of the second device may be raised; conversely, if the second device has only been connected to a few devices, for example only one or two, its credit rating may be lowered appropriately. Of course, those skilled in the art will note that these characteristics may also include any other equivalent characteristic information, and the application is not limited in this respect.
In one example, the environmental characteristics of the second device may include one or more of: the network environment of the second device, the geographic location of the second device, the time at which the second device sent the operation request, or any other equivalent characteristic information. The network environment of the second device represents the network in which the second device is currently located: for example, on a public network the credit rating of the second device is not very high, whereas on a home network its credit rating is higher. Similarly, the geographic location of the second device indicates the specific place where it is currently located: for example, in a public place or outdoors the credit rating of the second device is not very high, whereas at home, in a private car or in some specific location such as an office its credit rating is higher. In yet another example, the time at which the second device sends the operation request indicates the period of the day in which the request was sent. For example, if the second device is usually used in the daytime and the operation request is sent in the middle of the night, the credit rating of the second device is not high; if instead the operation request is sent during a period in which the second device is frequently used, its credit rating is higher. Of course, those skilled in the art will note that these characteristics may also include any other equivalent characteristic information, and the application is not limited in this respect.
In one example, the resource characteristics of the second device may include: the number of successful authentications of the second device, the number of failed authentications of the second device, the number of times the second device has been exempted from authentication, the length of time the second device has been exempted from authentication, or any other equivalent characteristic information. The resource characteristics describe essential intrinsic properties of the second device that do not vary significantly from connection to connection, such as the counts and durations just listed. The second device is determined to be exempt from authentication when its credit rating satisfies the credit threshold. It will be understood that the more often authentication and authorization of the second device has succeeded, the more often it has been exempted from authentication, and the longer it has been exempt, the more trustworthy it is and the higher its credit rating; the more often its authentication and authorization has failed, the lower its credibility.
S603, determining whether the credit of the second device is greater than or equal to the credit threshold.
In one embodiment, the first device determines whether the credit is greater than or equal to a credit threshold based on the credit of the second device determined in S602. In one example, the credit threshold may be preset.
In another example, S604 is performed if the credit of the second device is greater than or equal to the credit threshold, otherwise S605 is performed.
S604, when the credit of the second equipment is greater than or equal to the credit threshold, executing an operation request; and authenticating the second device in the course of executing the operation request.
In one embodiment, when the first device determines that the credit of the second device is greater than or equal to the credit threshold, then the first device executes the received operation request. And simultaneously carrying out authentication operation on the second equipment in the process of executing the operation request.
In one example, when the first device determines that the credit of the second device is greater than or equal to the credit threshold, it may regard the second device as relatively trusted, allow the second device to connect with it, and execute the operation request. Here, executing the operation request may mean receiving a data request sent by the second device. For example, after the first device determines that the credit of the second device is greater than or equal to the credit threshold, the first device establishes a connection with the second device and receives the data request sent by the second device. While receiving the data request, the first device also performs authentication and authorization of the second device to ensure that the second device is genuine. If the authentication and authorization of the second device succeed, the first device sends the received data request to an upper layer for subsequent processing. If they fail, the first device discards the received data request and immediately interrupts the connection with the second device, thereby ensuring the safety of the operation. S606 is executed after the first device authenticates the second device.
S605, when the credit of the second device is less than the credit threshold, authenticating the second device.
In one embodiment, when the first device determines that the credit of the second device is less than the credit threshold, then the first device authenticates the second device directly.
In one example, when the first device determines that the credit of the second device is less than the credit threshold, it may regard the second device as relatively untrusted; the first device does not allow the second device to connect with it and instead authenticates the second device. When the authentication and authorization of the second device succeed, the first device connects with the second device and executes the operation request sent by the second device. When the authentication and authorization of the second device fail, the first device stops executing the operation request sent by the second device. S606 is executed after the first device authenticates the second device.
S606, according to the authentication result of the second device, the credit degree of the second device is updated.
In one embodiment, the first device updates the credit of the second device according to the authentication result of the second device. In one example, when the authentication and authorization result of the second device is success (or "pass"), the credit of the second device is increased; conversely, when the authentication result of the second device is failure (or "fail"), the credit of the second device is reduced.
Of course, in another example, the credit rating of the second device may also be gradually decreased over time.
Fig. 7 is a flowchart of another authentication method according to an embodiment of the present application.
Figure 7 shows a more detailed flow for the second device after the credit is compared to the credit threshold. S602, S603, S604, and S605 in fig. 7 are the same as corresponding steps in fig. 6, and are not repeated herein for convenience of description. The method may further include the following steps after S604:
S701, determining whether the authentication of the second device is successful.
In one embodiment, the first device determines whether the authentication of the second device is successful. If the authentication is successful, S702 is executed, otherwise S703 is executed.
S702, updating the credit of the second device.
In one example, when the authentication and authorization of the second device succeed, the credit of the second device is increased; when the authentication and authorization of the second device fail, the credit of the second device is reduced.
S703, the operation request is terminated.
In one embodiment, after the authentication of the second device fails, the operation request being executed in S604 is terminated immediately in order to guarantee the security of the data, and S702 is executed after S703.
The method shown in fig. 7 may further include the following steps after S605:
S704, determining whether the authentication of the second device is successful.
In one embodiment, the first device determines whether the authentication of the second device is successful. If the authentication is successful, S705 is executed, otherwise S702 is executed.
S705, the operation request is executed.
In one embodiment, when the credit of the second device is less than the credit threshold, the first device regards the second device as not trusted and therefore does not execute the operation request sent by the second device. Hence, once the first device determines in S704 that the authentication of the second device is successful, the operation request sent by the second device is executed and the corresponding service is carried out. During or after the execution of the operation request, S702 is executed.
Through the methods shown in Figs. 6 and 7, the number of authentication and authorization rounds of the present application can be elastically shortened to between 0 and y, while authentication is not dropped merely because the number of rounds is reduced, so the security of the service corresponding to the operation request is still guaranteed. The resulting authentication process is shown in Fig. 8, where it can be seen that the number of authentications is shortened to 0 to y. That is, when the credit of the second device is greater than or equal to the credit threshold, the second device is considered genuine, the authentication process and the data request process run simultaneously, and the time-delay overhead of authentication no longer exists. When the credit of the second device is smaller than the credit threshold, the second device is still authenticated y times, and the security of the service corresponding to the data request is guaranteed.
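The elastic flow of Figs. 6 and 7, together with the PAP mode selection of Fig. 9, as an added Python example that is not part of the patent. The credit formula, the threshold value, the decay rate and the choice to count a connect-first request as one authentication exemption are assumptions: the patent names the resource characteristics and the direction in which each moves the credit, nothing more.

```python
from dataclasses import dataclass, field
from enum import Enum

# Added example, not the patent's own code. The credit formula, the threshold,
# the decay rate and the choice to count a connect-first request as one
# "authentication exemption" are assumptions: the patent names the resource
# characteristics and the direction each moves the credit, nothing more.

CREDIT_THRESHOLD = 0.6   # assumed preset threshold compared against in S603
DECAY_PER_HOUR = 0.02    # assumed rate at which credit decays with time


class UserMode(Enum):
    """Mode chosen through the PAP before a request arrives (Fig. 9)."""
    AUTO = "auto"    # derive the path from the credit, as in S603
    AUTH = "auth"    # always authenticate before executing anything


@dataclass
class Resources:
    """Resource characteristics of the second device that feed its credit (S602)."""
    auth_success: int = 0   # authentications that passed
    auth_failure: int = 0   # authentications that failed
    exempt_count: int = 0   # requests served before authentication completed


@dataclass
class PeerRecord:
    """What the first device keeps about one second device."""
    res: Resources = field(default_factory=Resources)
    updated_at: float = 0.0   # time (seconds) of the last credit update, S606


def credit_from_resources(res: Resources) -> float:
    """Assumed mapping into [0, 1]: successes and exemptions raise the credit,
    failures lower it twice as fast; an unknown device starts at 0.5."""
    positive = float(res.auth_success + res.exempt_count)
    negative = 2.0 * res.auth_failure
    total = positive + negative
    return 0.5 if total == 0 else positive / total


def current_credit(rec: PeerRecord, now: float) -> float:
    """S602: credit of the second device, decayed for the time since it was last updated."""
    hours = max(0.0, now - rec.updated_at) / 3600.0
    return max(0.0, credit_from_resources(rec.res) - DECAY_PER_HOUR * hours)


def choose_path(rec: PeerRecord, now: float, mode: UserMode = UserMode.AUTO) -> str:
    """S603 with the PAP override: 'connect_then_auth' (S604) or 'auth_first' (S605)."""
    if mode is UserMode.AUTH:
        return "auth_first"
    return "connect_then_auth" if current_credit(rec, now) >= CREDIT_THRESHOLD else "auth_first"


def handle_request(rec: PeerRecord, request: str, authenticate, execute,
                   now: float, mode: UserMode = UserMode.AUTO) -> dict:
    """First device handling one operation request from the second device (Figs. 6 and 7).
    `authenticate()` returns True or False; `execute(request)` returns the service result."""
    path = choose_path(rec, now, mode)
    if path == "connect_then_auth":
        # S604: the request runs at once while authentication proceeds; the
        # result is held back until the authentication verdict is known.
        pending = execute(request)
        ok = authenticate()
        rec.res.exempt_count += 1
        # S702: pass the result to the upper layer; S703: discard it and drop the connection.
        result = pending if ok else None
    else:
        # S605: authenticate first; the request is executed only on success (S705).
        ok = authenticate()
        result = execute(request) if ok else None
    # S606 / S702: record the verdict so the credit rises on success and falls on failure.
    if ok:
        rec.res.auth_success += 1
    else:
        rec.res.auth_failure += 1
    rec.updated_at = now
    return {"path": path, "authenticated": ok, "result": result,
            "credit": current_credit(rec, now)}
```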
Fig. 9 is a schematic flowchart of an authentication framework according to an embodiment of the present application.
As shown in Fig. 9, an overall framework for authentication and authorization is provided. The framework includes a Policy Enforcement Point (PEP), a Policy Decision Point (PDP), a Policy Administration Point (PAP), a Policy Information Point (PIP), and a credit unit.
Before a service access request is received, the user may manually select through the PAP whether the device sending the service access request is to be exempted from authentication; for example, the user's decision may be received through a user experience (UX) interface. At this point the user can choose to require authentication, to exempt from authentication, or to let the terminal device decide automatically from the credit whether authentication is needed. When the user chooses to require or to exempt from authentication, the terminal device must perform or skip authentication accordingly after receiving the service access request. When the user chooses automatic judgement by credit, the terminal device, after receiving the service access request, determines the authentication mode according to the credit of the terminal device that sent the request.
After receiving the service access request, the PEP forwards the request to the credit unit. The credit unit sends a request notification to the PDP so that the PDP can determine the authentication method for the request. After receiving the request notification, the PDP sends a credit request to the credit unit so that the credit unit reports the credit of the terminal device that sent the request. On receiving the credit request from the PDP, the credit unit starts collecting information about the subject, the object and the environment. The subject is the terminal device that sends the service access request, and the object is the terminal device that receives it. The credit unit then sends a characteristic request to the PIP to obtain the subject characteristics, the object characteristics and the environmental characteristics. After receiving the characteristic request from the credit unit, the PIP acquires the subject characteristics, such as the security requirement characteristic, from the subject; the object characteristics, such as the credibility of peripheral devices, the first historical pairing information and the second historical pairing information, from the object; and the environmental characteristics, such as the network environment confidence, the geographic location confidence and the time confidence, from the environment. Having acquired these characteristics, the PIP returns the characteristic information to the credit unit as a response. The credit unit also obtains the object resource content directly from the object, such as the number of successful and failed authentications, the number of successful authentication exemptions and the time length of successful authentication exemption.
Then, the credit unit calculates the credit for the terminal device that sent the service access request in conjunction with the collected information, and inputs the credit to the PDP.
After receiving the credit sent by the credit unit, the PDP compares it with the preset credit threshold, determines the current authentication operation mode and sends that mode to the credit unit. The credit unit forwards the received operation mode as a response to the PEP, so that the PEP performs the authentication operation according to that mode.
It will be appreciated that the PEP is mainly used to receive and process the request and to decide on and perform the corresponding authentication operation; the credit unit is mainly used to collect the subject, object and environment information, to calculate and output the credit of the terminal device, and to record the validity period of the credit; the PDP is mainly used to determine, from the credit of the terminal device, whether elastic post-authentication (connecting first and then performing authentication and authorization) is allowed, and it also stores the functional mapping between the credit and the authentication operation; the PAP is mainly used to set the current authentication mode according to the user, who may choose to exempt high-security services from authentication, or, if very cautious, to authenticate first and generate an authentication token.
Fig. 10 is a schematic diagram of a network topology according to an embodiment of the present application.
In the network topology shown in Fig. 10, the case in which a new device X is ready to join a device family is described. In one example, the device family contains four devices A, B, C and D; device X wants to join the family and is ready to connect to device A. Device A obtains the corresponding information from devices B, C and D and determines the credit of device X. Meanwhile, the credit of device X is updated and refined according to any other information about device X, such as whether a connection with device X already exists. Device A may then broadcast the credit of device X to the other devices in the family, that is, devices B, C and D. These devices dynamically update the credit of device X based on the device information of device X and the surrounding environment information, so that when device X connects with any of devices B, C and D, the credit of device X can be evaluated and the authentication mode determined by the distributed credit calculation platform in that device. The distributed credit calculation platform may be implemented as shown in Figs. 6 to 9, and for brevity the details are not repeated here.
Fig. 11 is a flowchart of another authentication and authorization provided in the embodiment of the present application.
Fig. 11 shows a flow of the new device X shown in fig. 10 after joining the device family, where the method includes the following steps:
S1101, device X accesses the device family.
S1102, updating the credit rating of the device X according to the information and connection status of the device X. Wherein the credit of device X may gradually decay over time.
S1103, broadcasting the credit of the device X to other terminal devices.
S1104, the other terminal devices update the credit of device X on the distributed credit calculation platform. The new credit may also be shared with every terminal device in the device family, and each terminal device can dynamically update the credit of device X on its own credit calculation platform.
The manner shown in fig. 11 may specifically refer to that described in fig. 10, and for convenience of description, the details are not repeated here.
It should be noted by those skilled in the art that the update of the credit is not only for the newly added device, but also for any terminal device existing in the device family, and the application is not limited herein.
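The device-family propagation of Figs. 10 and 11, as an added Python example that is not part of the patent: device A gathers what B, C and D know about the newcomer X, stores a credit, broadcasts it, and every member then updates its own view from what it observes and from time decay. The aggregation rule (mean of the peers' credits plus a pairing bonus), the default values and the decay rate are assumptions; the patent states only which information is gathered and that the credit is broadcast and then updated locally.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Added example, not the patent's own code. The aggregation rule, the default
# credit of an unknown device, the pairing bonus and the decay rate are
# assumptions chosen for illustration.

DECAY_PER_HOUR = 0.02    # assumed gradual decay of credit over time (S1102)
UNKNOWN_CREDIT = 0.3     # assumed starting credit for a device nobody knows
PAIRING_BONUS = 0.2      # assumed weight of historical pairing information


@dataclass
class Device:
    name: str
    # peer name -> (credit, time of last update): this device's own credit table
    credits: Dict[str, Tuple[float, float]] = field(default_factory=dict)
    paired_with: Set[str] = field(default_factory=set)   # historical pairing information

    def credit_for(self, peer: str, now: float) -> Optional[float]:
        """Local view of a peer's credit, decayed for the time since the last update."""
        if peer not in self.credits:
            return None
        value, updated_at = self.credits[peer]
        return max(0.0, value - DECAY_PER_HOUR * max(0.0, now - updated_at) / 3600.0)

    def set_credit(self, peer: str, value: float, now: float) -> None:
        self.credits[peer] = (min(1.0, max(0.0, value)), now)


class DeviceFamily:
    """The family of Fig. 10: every member runs its own credit calculation platform."""

    def __init__(self, *devices: Device) -> None:
        self.members: Dict[str, Device] = {d.name: d for d in devices}

    def admit(self, newcomer: Device, via: str, now: float) -> float:
        """S1101/S1102: `via` asks the other members what they know about the
        newcomer, combines it with its own pairing history and stores the credit."""
        host = self.members[via]
        views = [m.credit_for(newcomer.name, now)
                 for m in self.members.values() if m.name != via]
        known = [v for v in views if v is not None]
        credit = sum(known) / len(known) if known else UNKNOWN_CREDIT
        if newcomer.name in host.paired_with:
            credit += PAIRING_BONUS
        host.set_credit(newcomer.name, credit, now)
        self.members[newcomer.name] = newcomer
        self.broadcast(via, newcomer.name, now)          # S1103
        return host.credit_for(newcomer.name, now)

    def broadcast(self, sender: str, peer: str, now: float) -> None:
        """S1103/S1104: the sender's credit for `peer` is shared with every other member."""
        value = self.members[sender].credit_for(peer, now)
        for m in self.members.values():
            if m.name not in (sender, peer):
                m.set_credit(peer, value, now)

    def observe(self, observer: str, peer: str, success: bool, now: float,
                step: float = 0.1) -> float:
        """S1104: a member updates its own view after authenticating `peer` itself;
        a failure costs twice what a success earns (assumed weighting)."""
        d = self.members[observer]
        current = d.credit_for(peer, now)
        if current is None:
            current = UNKNOWN_CREDIT
        d.set_credit(peer, current + (step if success else -2 * step), now)
        return d.credit_for(peer, now)
```

Because each member keeps its own table, A's view of X is unaffected by what D observes, and it decays on A's clock; this is also how existing members, not only newcomers, are re-rated over time.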
Fig. 12 is a schematic diagram of an authentication device according to an embodiment of the present application.
Fig. 12 provides a terminal device 1200, and the terminal device 1200 may include a first device and a second device connected in a device family. The device 1200 may include a processor 1201, a memory 1202, a communication interface 1203, and a bus 1204. The processor 1201, the memory 1202, and the communication interface 1203 in the terminal apparatus may establish communication connection through a bus 1204. The communication interface 1203 is used for transmitting and receiving external information.
The processor 1201 may be a Central Processing Unit (CPU).
Memory 1202 may include volatile memory (volatile memory), such as random-access memory (RAM); the memory 1202 may also include a non-volatile memory (e.g., a read-only memory (ROM)), such as a flash memory, a hard disk (HDD), or a Solid State Drive (SSD); memory 1202 may also comprise a combination of the above types of memory.
The communication interface 1203 is configured to receive an operation request sent by the second device. The processor 1201 is configured to read and execute the instructions in the memory 1202; when executed by the processor 1201, the instructions cause the processor 1201 to: determine a credit rating of the second device; when the credit of the second device is greater than or equal to the credit threshold, execute the operation request and authenticate the second device in the process of executing the operation request; and update the credit rating of the second device according to the authentication result of the second device.
In one possible implementation, the processor 1201 is further configured to: when the credit degree of the second equipment is smaller than the credit degree threshold value, authenticating the second equipment; and updating the credit rating of the second equipment according to the authentication result of the second equipment.
In one possible implementation, the processor 1201 is further configured to: when the authentication result of the second equipment is passed, executing the operation request; the credit rating of the second device increases.
In one possible implementation, the processor 1201 is further configured to: when the authentication result of the second equipment is failed, stopping executing the operation request; the credit rating of the second device decreases.
In one possible implementation, the processor 1201 is further configured to: and determining the credit degree according to the characteristics of the operation request, the characteristics of the second device, the environmental characteristics of the second device and the resource characteristics of the second device.
In one possible embodiment, the characteristics of the operation request include: security requirement characteristics of the operation request.
In one possible embodiment, the terminal device 1200 further includes a third device, where the third device is connected to the first device and the second device in a device family, and the third device is another terminal device that is less than the distance threshold from the second device; the features of the second device include: one or more of a credit rating of the third device, first historical pairing information of the second device with the first device, and second historical pairing information of the second device.
In one possible embodiment, the environmental characteristics of the second device include: one or more of a network environment of the second device, a geographic location of the second device, a time at which the second device sends the operation request.
In one possible embodiment, the resource characteristics of the second device include: the number of successful authentication of the second device, the number of failed authentication of the second device, the number of authentication exemption of the second device, and the time length of authentication exemption of the second device.
The application discloses an authentication method and device, which can be applied to a scenario in which devices in a device family authenticate services. In such a scenario, each device can generate a corresponding credit from the corresponding information, and the authentication operation mode is determined from that credit. For a device with a higher credit, the service connection can be executed first and authentication performed afterwards; for a device with a lower credit, authentication is required before the service connection. Thus the service authentication efficiency can be effectively improved: the authentication time is elastically shortened and the time required for authentication minimized, so that authentication becomes more efficient. Meanwhile, connections can be established quickly, communication is kept extremely simple, and the safety of data transmission is guaranteed.
It will be further appreciated by those of ordinary skill in the art that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described above generally in terms of their functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be understood by those skilled in the art that all or part of the steps in the method for implementing the above embodiments may be implemented by a program, and the program may be stored in a computer-readable storage medium, where the storage medium is a non-transitory medium, such as a random access memory, a read only memory, a flash memory, a hard disk, a solid state disk, a magnetic tape (magnetic tape), a floppy disk (floppy disk), an optical disk (optical disk), and any combination thereof.
The above description is only for the preferred embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (20)

1. An authentication method applied to a first device connected with a second device in a device family, the method comprising:
receiving an operation request sent by the second equipment;
determining a credit rating of the second device;
when the credit of the second device is greater than or equal to a credit threshold, executing the operation request; and authenticating the second device in the process of executing the operation request;
and updating the credit rating of the second equipment according to the authentication result of the second equipment.
2. The method of claim 1, wherein the method further comprises:
when the credit degree of the second equipment is smaller than a credit degree threshold value, authenticating the second equipment;
and updating the credit rating of the second equipment according to the authentication result of the second equipment.
3. The method of claim 2, wherein the updating the credit of the second device based on the authentication result of the second device comprises:
when the authentication result of the second equipment is passed, executing the operation request;
the credit of the second device increases.
4. The method of any of claims 1-3, wherein said updating the credit rating of the second device based on the authentication result of the second device comprises:
when the authentication result of the second equipment is failed, stopping executing the operation request;
the credit of the second device decreases.
5. The method of any of claims 1-4, wherein the credit is determined based on characteristics of the operation request, characteristics of the second device, environmental characteristics of the second device, and resource characteristics of the second device.
6. The method of claim 5, wherein the characteristics of the operation request comprise: a security requirement characteristic of the operation request.
7. The method of claim 5, further comprising a third device in the family of devices, the third device being another device that is less than a distance threshold from the second device;
the features of the second device include: one or more of a credit rating of the third device, first historical pairing information of the second device with the first device, and second historical pairing information of the second device.
8. The method of claim 5, wherein the environmental characteristics of the second device comprise: one or more of a network environment of the second device, a geographic location of the second device, a time at which the second device sent the operation request.
9. The method of claim 5, wherein the resource characteristics of the second device comprise: the number of successful authentication of the second device, the number of failed authentication of the second device, the number of authentication exemption times of the second device, and the time length of authentication exemption of the second device.
10. An authentication and certification device, the device being applied to a terminal device, the terminal device including a first device and a second device, the first device and the second device being connected in a device family, the device comprising: a receiver, a processor, and a memory, wherein the processor is coupled with the memory;
the receiver is used for receiving an operation request sent by the second equipment;
the processor is used for reading and executing the instructions in the memory;
the instructions, when executed by the processor, cause the processor to perform: determining a credit rating of the second device;
when the credit of the second device is greater than or equal to a credit threshold, executing the operation request; and authenticating the second device in the process of executing the operation request;
and updating the credit rating of the second equipment according to the authentication result of the second equipment.
11. The apparatus of claim 10, wherein the processor is further configured to:
when the credit degree of the second equipment is smaller than a credit degree threshold value, authenticating the second equipment;
and updating the credit rating of the second equipment according to the authentication result of the second equipment.
12. The apparatus of claim 11, wherein the processor is further configured to:
when the authentication result of the second equipment is passed, executing the operation request;
the credit of the second device increases.
13. The apparatus of any of claims 10-12, wherein the processor is further configured to:
when the authentication result of the second equipment is failed, stopping executing the operation request;
the credit of the second device decreases.
14. The apparatus of any of claims 10-13, wherein the processor is further configured to: determining the credit degree according to the characteristics of the operation request, the characteristics of the second device, the environmental characteristics of the second device and the resource characteristics of the second device.
15. The apparatus of claim 14, wherein the characteristics of the operation request comprise: a security requirement characteristic of the operation request.
16. The apparatus of claim 14, wherein the terminal device further comprises a third device connected in a family of devices with the first device and the second device, the third device being another terminal device that is less than a distance threshold from the second device;
the features of the second device include: one or more of a credit rating of the third device, first historical pairing information of the second device with the first device, and second historical pairing information of the second device.
17. The apparatus of claim 14, wherein the environmental characteristics of the second device comprise: one or more of a network environment of the second device, a geographic location of the second device, a time at which the second device sent the operation request.
18. The apparatus of claim 14, wherein the resource characteristics of the second device comprise: the number of successful authentication of the second device, the number of failed authentication of the second device, the number of authentication exemption times of the second device, and the time length of authentication exemption of the second device.
19. A computer-readable storage medium having instructions stored thereon, which, when run on a terminal, cause the terminal to perform the method of any one of claims 1-9.
20. A computer program device comprising instructions which, when run on a terminal, cause the terminal to perform the method of any one of claims 1-9.
CN201911367427.4A 2019-12-26 2019-12-26 Authentication method and device Active CN111147256B (en)


Publications (2)

Publication Number Publication Date
CN111147256A true CN111147256A (en) 2020-05-12
CN111147256B CN111147256B (en) 2021-07-09


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112906029A (en) * 2021-03-08 2021-06-04 国家工业信息安全发展研究中心 Method and system for controlling user authority through identification analysis

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101222331A (en) * 2007-01-09 2008-07-16 华为技术有限公司 Authentication server, method and system for bidirectional authentication in mesh network
US8880868B1 (en) * 2012-06-15 2014-11-04 Rockwell Collins, Inc. Secure deterministic fabric for safe and secure product design
CN104980403A (en) * 2014-04-10 2015-10-14 腾讯科技(深圳)有限公司 Method and device for processing business request
CN108683690A (en) * 2018-08-27 2018-10-19 创新维度科技(北京)有限公司 Method for authenticating, user equipment, authentication device, authentication server and storage medium
CN109379487A (en) * 2018-09-27 2019-02-22 西安易朴通讯技术有限公司 Electronic equipment and its control method
CN109413201A (en) * 2018-11-27 2019-03-01 东软集团股份有限公司 SSL traffic method, apparatus and storage medium
CN109993004A (en) * 2019-04-10 2019-07-09 广州蚁比特区块链科技有限公司 Block chain autonomy method and system based on credit mechanism

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101222331A (en) * 2007-01-09 2008-07-16 华为技术有限公司 Authentication server, method and system for bidirectional authentication in mesh network
US8880868B1 (en) * 2012-06-15 2014-11-04 Rockwell Collins, Inc. Secure deterministic fabric for safe and secure product design
CN104980403A (en) * 2014-04-10 2015-10-14 腾讯科技(深圳)有限公司 Method and device for processing business request
CN108683690A (en) * 2018-08-27 2018-10-19 创新维度科技(北京)有限公司 Method for authenticating, user equipment, authentication device, authentication server and storage medium
CN109379487A (en) * 2018-09-27 2019-02-22 西安易朴通讯技术有限公司 Electronic equipment and its control method
CN109413201A (en) * 2018-11-27 2019-03-01 东软集团股份有限公司 SSL traffic method, apparatus and storage medium
CN109993004A (en) * 2019-04-10 2019-07-09 广州蚁比特区块链科技有限公司 Block chain autonomy method and system based on credit mechanism

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
MUHAMMAD SHAHZAD: "《Behavior Based Human Authentication on Touch》", 《IEEE》 *
宋文斌: "《基于区块链的物联网身份认证系统》", 《中国优秀硕士学位论文全文数据库》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112906029A (en) * 2021-03-08 2021-06-04 国家工业信息安全发展研究中心 Method and system for controlling user authority through identification analysis
CN112906029B (en) * 2021-03-08 2021-09-07 国家工业信息安全发展研究中心 Method and system for controlling user authority through identification analysis

Also Published As

Publication number Publication date
CN111147256B (en) 2021-07-09

Similar Documents

Publication Publication Date Title
CN110324287B (en) Access authentication method, device and server
US20160205087A1 (en) Managing sharing of wireless network login passwords
KR101361161B1 (en) System and method for reinforcing authentication using context information for mobile cloud
US8079064B2 (en) Service verifying system, authentication requesting terminal, service utilizing terminal, and service providing method
CN107528733B (en) Management method of Internet of things and Internet of things system
CN111865598A (en) Identity verification method and related device for network function service
CN108833122A (en) Awakening method, device and the storage medium of vehicle-carrying communication controller
US10542433B2 (en) Connection establishment method, device, and system
US9253160B2 (en) Methods, systems, and media for secure connection management and automatic compression over metered data connections
US8910261B2 (en) Radius policy multiple authenticator support
CN111095862B (en) Method, system, and medium for modifying firewall based on dynamic IP address
CN105635084A (en) Apparatus and method for authenticating terminal
JP2013505497A (en) Method and apparatus for verification of identification information
US20100030346A1 (en) Control system and control method for controlling controllable device such as peripheral device, and computer program for control
CN106559213B (en) Equipment management method, equipment and system
CN107248995B (en) Account verification method and device
CN113411286B (en) Access processing method and device based on 5G technology, electronic equipment and storage medium
CN111371817A (en) Equipment control system, method and device, electronic equipment and storage medium
EP4106357A1 (en) Method for logging into on-board computer system and related device
CN111147256B (en) Authentication method and device
CN114513829A (en) Network access method, device, core network, server and terminal
CN108966218A (en) A kind of wireless network access method and system based on management terminal control
CN112217910B (en) Video service access method, device, network equipment and storage medium
KR20150053422A (en) Certification telephone number management server and method for managing certification telephone number, and electronic business server and method for certificating electronic business
CN109474626B (en) Network authentication method and device based on SNS

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210429

Address after: Unit 3401, unit a, building 6, Shenye Zhongcheng, No. 8089, Hongli West Road, Donghai community, Xiangmihu street, Futian District, Shenzhen, Guangdong 518040

Applicant after: Honor Device Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Applicant before: HUAWEI TECHNOLOGIES Co.,Ltd.

GR01 Patent grant