CN111835755B - Mutual authentication method and equipment for Internet of things equipment and Internet of things service system - Google Patents

Info

Publication number: CN111835755B
Application number: CN202010659244.6A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN111835755A
Inventor: 加雄伟
Current and original assignee: China United Network Communications Group Co Ltd
Legal status: Active
Prior art keywords: internet, fusion, things, identifier, service system

Classifications

    • H04L63/0869 Network architectures or network communication protocols for network security, for authentication of entities, for achieving mutual authentication
    • H04L63/0876 Network architectures or network communication protocols for network security, for authentication of entities, based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The invention provides a mutual authentication method for an Internet of things device and an Internet of things service system, and equipment implementing it. It belongs to the technical field of Internet of things systems and at least partially solves the problem that existing mutual authentication methods between Internet of things devices and Internet of things service systems are inefficient and poorly suited to authenticating massive numbers of Internet of things resources. The disclosed method comprises the following steps: sending a first fusion identifier held in a fusion authentication service system to the Internet of things device, and sending a second fusion identifier held in the fusion authentication service system to the Internet of things service system, wherein the first fusion identifier comprises the identifier or identifier document corresponding to the Internet of things service system, and the second fusion identifier comprises the identifier or identifier document corresponding to the Internet of things device; and judging, according to the first fusion identifier and the second fusion identifier, whether the identifiers of the Internet of things device and the Internet of things service system correspond to each other.

Description

Mutual authentication method and equipment for Internet of things equipment and Internet of things service system
Technical Field
The invention belongs to the technical field of Internet of things systems, and particularly relates to a mutual authentication method and mutual authentication equipment for an Internet of things device and an Internet of things service system.
Background
As Internet of things resources continue to grow, mutual authentication between Internet of things devices and Internet of things service systems becomes increasingly difficult.
Existing solutions separate identifier resolution from identity authentication of Internet of things resources (Internet of things devices and Internet of things service systems) and treat the two as mutually independent. These separated, independent methods are inefficient, and with massive numbers of Internet of things resources they struggle to provide effective and secure identifier resolution and identity authentication services to Internet of things devices.
Disclosure of Invention
The invention at least partially solves the problem that existing mutual authentication methods between Internet of things devices and Internet of things service systems are inefficient and poorly suited to authenticating massive numbers of Internet of things resources, and provides a mutual authentication method for an Internet of things device and an Internet of things service system that is efficient and suitable for massive numbers of Internet of things resources.
The technical solution adopted to solve this technical problem is a mutual authentication method for an Internet of things device and an Internet of things service system, comprising the following steps:
sending a first fusion identifier held in a fusion authentication service system to the Internet of things device, and sending a second fusion identifier held in the fusion authentication service system to the Internet of things service system, wherein the first fusion identifier comprises the identifier or identifier document corresponding to the Internet of things service system, and the second fusion identifier comprises the identifier or identifier document corresponding to the Internet of things device;
and judging, according to the first fusion identifier and the second fusion identifier, whether the identifiers of the Internet of things device and the Internet of things service system correspond to each other, so as to achieve identifier resolution and identity authentication between the Internet of things device and the Internet of things service system.
Further preferably, before sending the first fusion identifier held in the fusion authentication service system to the Internet of things device and the second fusion identifier to the Internet of things service system, the method further includes: sending the first and second fusion identifiers to the fusion authentication service system from a decentralized storage system, or from a decentralized storage system and a cloud storage system; and verifying the first fusion identifier and the second fusion identifier, and only if verification succeeds sending the first fusion identifier held in the fusion authentication service system to the Internet of things device and the second fusion identifier to the Internet of things service system.
Further preferably, before sending the first and second fusion identifiers from the decentralized storage system, or from the decentralized storage system and the cloud storage system, to the fusion authentication service system, the method further includes: generating the first fusion identifier according to the attributes of the Internet of things service system, and generating the second fusion identifier according to the attributes of the Internet of things device; and sending the first and second fusion identifiers to the decentralized storage system, or to the decentralized storage system and the cloud storage system.
Further preferably, generating the first fusion identifier according to the attributes of the Internet of things service system and the second fusion identifier according to the attributes of the Internet of things device includes: generating the first fusion identifier and a first key according to the attributes of the Internet of things service system, and generating the second fusion identifier and a second key according to the attributes of the Internet of things device; writing first identity authentication information into the first fusion identifier using the first key and applying to the corresponding operator identifier authentication system for a signature using the first key; and writing second identity authentication information into the second fusion identifier using the second key and applying to the corresponding operator identifier authentication system for a signature using the second key.
Further preferably, generating the second fusion identifier according to the attributes of the Internet of things device includes: obtaining the second fusion identifier through the Internet of things gateway corresponding to the Internet of things device, where the Internet of things device is capability-limited.
Further preferably, before sending the first fusion identifier held in the fusion authentication service system to the Internet of things device and the second fusion identifier to the Internet of things service system, the method further includes: if the first fusion identifier has been changed into a third fusion identifier and the second fusion identifier into a fourth fusion identifier, verifying the third and fourth fusion identifiers; if verification succeeds, sending the third fusion identifier held in the fusion authentication service system to the Internet of things device and the fourth fusion identifier to the Internet of things service system, and achieving identifier resolution and identity authentication between the Internet of things device and the Internet of things service system according to the third and fourth fusion identifiers.
The technical solution adopted to solve this technical problem is also mutual authentication equipment for an Internet of things device and an Internet of things service system, comprising:
a first sending unit, configured to send a first fusion identifier held in a fusion authentication service system to the Internet of things device and a second fusion identifier held in the fusion authentication service system to the Internet of things service system, wherein the first fusion identifier comprises the identifier or identifier document corresponding to the Internet of things service system, and the second fusion identifier comprises the identifier or identifier document corresponding to the Internet of things device;
and a first judgment unit, configured to judge, according to the first and second fusion identifiers, whether the identifiers of the Internet of things device and the Internet of things service system correspond to each other, so as to achieve identifier resolution and identity authentication between the Internet of things device and the Internet of things service system.
Further preferably, the equipment further comprises: a second sending unit, configured to send the first and second fusion identifiers to the fusion authentication service system from a decentralized storage system, or from a decentralized storage system and a cloud storage system; and a verification unit, configured to verify the first fusion identifier and the second fusion identifier.
Further preferably, the equipment further comprises: a first generating unit, configured to generate the first fusion identifier according to the attributes of the Internet of things service system and the second fusion identifier according to the attributes of the Internet of things device; and a third sending unit, configured to send the first and second fusion identifiers to the decentralized storage system, or to the decentralized storage system and a cloud storage system.
Further preferably, the equipment further comprises: a second generating unit, configured to generate the first fusion identifier and a first key according to the attributes of the Internet of things service system and the second fusion identifier and a second key according to the attributes of the Internet of things device; and a signature applying unit, configured to apply to the corresponding operator identifier authentication system for a signature over the first fusion identifier using the first key and over the second fusion identifier using the second key.
In the mutual authentication method of this embodiment, mutual authentication between the Internet of things device and the Internet of things service system is achieved through the fusion authentication service system, which raises the efficiency of that mutual authentication and makes the method suitable for mutual authentication between Internet of things devices and Internet of things service systems where Internet of things resources are massive.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
fig. 1 is a schematic flow chart of a mutual authentication method between an internet of things device and an internet of things service system according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a mutual authentication method between an internet of things device and an internet of things service system according to an embodiment of the present invention;
fig. 3 is a schematic block diagram of components of an internet of things device and a mutual authentication device of an internet of things service system according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a mutual authentication method between an internet of things device and an internet of things service system according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a mutual authentication method for an internet of things device and an internet of things service system according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
The invention will be described in more detail below with reference to the accompanying drawings. Like elements in the various figures are denoted by like reference numerals. For purposes of clarity, the various features in the drawings are not necessarily drawn to scale. Moreover, certain well-known elements may not be shown in the figures.
In the following description, numerous specific details of the invention, such as structure, materials, dimensions, processing techniques and techniques of components, are set forth in order to provide a more thorough understanding of the invention. However, as will be understood by those skilled in the art, the present invention may be practiced without these specific details.
Example 1:
As shown in fig. 1, this embodiment provides a mutual authentication method for an Internet of things device and an Internet of things service system, including:
S11, sending a first fusion identifier held in the fusion authentication service system to the Internet of things device, and sending a second fusion identifier held in the fusion authentication service system to the Internet of things service system, wherein the first fusion identifier comprises the identifier or identifier document corresponding to the Internet of things service system, and the second fusion identifier comprises the identifier or identifier document corresponding to the Internet of things device.
It should be noted that what is said of the Internet of things device also applies to ordinary devices. According to their network and computing capabilities, Internet of things devices can be divided into full-function Internet of things devices and capability-limited Internet of things devices. A capability-limited Internet of things device connects to the fusion authentication service system through an Internet of things gateway. There may be a plurality of Internet of things devices.
The Internet of things service system, also called the Internet of things service, likewise covers ordinary services. There may be a plurality of Internet of things service systems.
A fusion identifier is the identifier of an Internet of things service system or Internet of things device, and comprises an identifier or an identifier document. A fusion identifier and an Internet of things service (or device) are in one-to-one correspondence: a fusion identifier uniquely determines one Internet of things service or Internet of things device.
The fusion authentication service system is the system that provides the fusion authentication service. It cooperates with the identifier authentication system, the decentralized storage system and the cloud storage system to provide identifier resolution and identity authentication services to Internet of things services and devices. The fusion authentication service combines the two service capabilities of identifier resolution and identity authentication into one service whose service objects are Internet of things devices and Internet of things services, whereas conventional identifier resolution services are separate from authentication services and are typically provided by different systems.
When an Internet of things device and an Internet of things service system, or two Internet of things devices, access each other, the two cooperating parties each obtain the other party's fusion identifier (comprising the identifier and the identifier document) through the fusion authentication service system. The fusion authentication service system obtains the identifier from the corresponding decentralized storage system through its agent module, and the identifier document from the cloud storage system. If both the identifier and the identifier document are stored in the decentralized storage system, the fusion authentication service system obtains them directly from the corresponding decentralized storage system.
An Internet of things service system (or Internet of things service) may have more than two identifiers and one identifier document. When there are one or more identifiers, at least one identifier is stored in the identifier document. The identifier and its association information must be stored in the decentralized storage system, while the identifier document can be stored either in the decentralized storage system or in the cloud storage system. When the identifier and the identifier document are stored separately, association information is needed so that the corresponding identifier document can be found from the identifier stored in the decentralized storage system.
S12, judging, according to the first fusion identifier and the second fusion identifier, whether the identifiers of the Internet of things device and the Internet of things service system correspond to each other, so as to achieve identifier resolution and identity authentication between the Internet of things device and the Internet of things service system.
Once the Internet of things service system and the Internet of things device have obtained each other's fusion identifier, each can resolve and verify the other's identity directly by parsing and verifying the information in the identifier document of that fusion identifier. During identifier resolution and identity authentication, either party can interact with the fusion authentication service system to obtain supporting services. For example, where necessary, the signing identifier authentication system and the signed identifier can be authenticated through the fusion authentication service system in cooperation with the corresponding identifier authentication system.
In the mutual authentication method of this embodiment, mutual authentication between the Internet of things device and the Internet of things service system is achieved through the fusion authentication service system, which raises the efficiency of that mutual authentication and makes the method suitable for mutual authentication between Internet of things devices and Internet of things service systems where Internet of things resources are massive.
Example 2:
As shown in figs. 1 to 3, this embodiment provides a mutual authentication method for an Internet of things device and an Internet of things service system, including:
S21, generating a first fusion identifier according to the attributes of the Internet of things service system, and generating a second fusion identifier according to the attributes of the Internet of things device.
The first fusion identifier and the second fusion identifier may be referred to collectively below as the fusion identifier.
What is said of the Internet of things device also applies to ordinary devices. According to their network and computing capabilities, Internet of things devices can be divided into full-function Internet of things devices and capability-limited Internet of things devices. A capability-limited Internet of things device connects to the fusion authentication service system through an Internet of things gateway. There may be a plurality of Internet of things devices.
The Internet of things service system, also called the Internet of things service, likewise covers ordinary services. There may be a plurality of Internet of things service systems.
A fusion identifier is the identifier of an Internet of things service system or Internet of things device, and comprises an identifier or an identifier document. A fusion identifier and an Internet of things service (or device) are in one-to-one correspondence: a fusion identifier uniquely determines one Internet of things service or Internet of things device.
Specifically, generating the first fusion identifier according to the attributes of the Internet of things service system and the second fusion identifier according to the attributes of the Internet of things device includes:
S211, generating a first fusion identifier and a first key according to the attributes of the Internet of things service system, and generating a second fusion identifier and a second key according to the attributes of the Internet of things device.
S212, writing first identity authentication information into the first fusion identifier using the first key and applying to the corresponding operator identifier authentication system for a signature using the first key; and writing second identity authentication information into the second fusion identifier using the second key and applying to the corresponding operator identifier authentication system for a signature using the second key.
The first and second fusion identifiers each comprise their own identifier or identifier document, and each further includes its own public key and private key. Traditionally, identifier resolution and identity authentication are separate; when they are combined, the information of both is written into the fusion identifier, and that information is signed by the identifier owner and by the corresponding operator identifier authentication system.
There are generally two ways for an Internet of things device or Internet of things service system to obtain a fusion identifier. In the first, the Internet of things device or service system itself generates the fusion identifier and the corresponding public and private key pair, and then applies to its operator's identifier authentication system for a signature. In the second, the operator generates and signs the fusion identifiers for its own Internet of things service systems or devices through its identifier authentication system.
After the fusion identifier has been signed by the identifier authentication system, it carries the information of the identifier authentication system (or operator) and also the operator's identity authentication information about the fusion identifier applicant. The former is used to authenticate the signer; the latter is used for identifier resolution and identity authentication of the identifier owner.
The operator is an operator providing Internet of things resources; there may be several operators. The operator system is the system through which an operator provides services to Internet of things resources; there may be several kinds of operator system.
The identifier authentication system signs the fusion identifiers of Internet of things services and Internet of things devices. A fusion identifier signed by the identifier authentication system can be regarded as a trusted fusion identifier. The identifier authentication system is provided by a trusted operator. An operator signs the fusion identifiers of its own Internet of things devices and services to mark them as its own, and the identifier authentication systems of different operators each sign the fusion identifiers of their own Internet of things devices and services.
Specifically, generating the first fusion identifier according to the attributes of the Internet of things device includes:
obtaining the first fusion identifier through the Internet of things gateway corresponding to the Internet of things device, where the Internet of things device is capability-limited.
It should be noted that the Internet of things gateway connects capability-limited Internet of things devices and handles service requirements on their behalf. One Internet of things gateway can serve multiple Internet of things devices or Internet of things services at the same time, and there may be multiple Internet of things gateways. Internet of things resources comprise Internet of things devices, Internet of things service systems and other auxiliary systems.
A capability-limited Internet of things device can obtain its signed fusion identifier from the respective service operator through the Internet of things gateway.
S22, sending the first fusion identifier and the second fusion identifier to a decentralized storage system, or sending the first fusion identifier and the second fusion identifier to the decentralized storage system and a cloud storage system.
Once the signed fusion identifiers have been obtained, the Internet of things device and the Internet of things service each register their own fusion identifier with the fusion authentication service system (through the Internet of things device agent module or the Internet of things service agent module, respectively). The fusion authentication service system stores the identifiers of the first and second fusion identifiers in the decentralized storage system (through the identifier storage agent module) and stores the identifier documents in the cloud storage system (through the identifier document storage agent module). Alternatively, the fusion authentication service system may store both the identifiers and the identifier documents of the first and second fusion identifiers in the decentralized storage system. The identifier document of a fusion identifier may be encrypted in advance by its owner.
The decentralized storage system is typically a storage system based on block chain technology. It relies on the properties of a block chain, namely consistent storage of data by multiple parties, the impossibility of tampering with or deleting written data, multi-party consensus and automatic execution of smart contracts, to ensure that the stored data is reliable and trustworthy. The distributed computation of the block chain can also improve large-scale processing capacity. The decentralized storage system is used to store the identifier of the fusion identifier, and can also store the complete fusion identifier.
The cloud storage system is a conventional cloud storage service. It is used to store the identifier document part of the fusion identifier. The identifier document is typically stored in encrypted form.
It should be noted that one Internet of things service system or service may have one or more identifiers and one identifier document. When there is more than one identifier, at least one of them is stored in the identifier document. The identifier must be stored in the decentralized storage system, whereas the identifier document may be stored either in the decentralized storage system or in the cloud storage system. When the identifier and the identifier document are stored separately, association information is needed so that the corresponding identifier document can be found from the identifier stored in the decentralized storage system.
The purpose of the decentralized storage system is to protect the identifier from unauthorized modification. When both the identifier and the identifier document are stored in the decentralized storage system, the decentralized storage system itself guarantees that the data is reliable. When the identifier is stored in the decentralized storage system and the identifier document is stored in the cloud storage system, an encrypted digest of the identifier document must be stored in the decentralized storage system together with the identifier, so that any unauthorized modification of the identifier document can be detected, and the identifier document must be locatable through an association such as a uniform resource identifier (URI). When the identifier and the identifier document are stored separately, one identifier document of an Internet of things resource may correspond to multiple identifiers.
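As an added illustration (example code, not part of the patent text), the following Go program models the split storage described above: the identifier and the digest of its identifier document are anchored on a ledger that stands in for the decentralized storage system, the document itself sits in a key-value store that stands in for the cloud storage system, and resolution refuses any document whose digest no longer matches the anchored one. The in-memory ledger, the SHA-256 digest, the URI-based association and the sample document are all assumptions; the patent fixes neither the digest algorithm nor the association format, and the digest is computed over whatever bytes the owner stores, encrypted or not.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// LedgerRecord is what the decentralized (block chain based) storage system
// holds for one fusion identifier: the public identifier, the digest of the
// identifier document, and the association (here a URI) that locates the
// document in the cloud storage system.
type LedgerRecord struct {
	ID      string
	DocHash string
	DocURI  string
}

// Ledger stands in for the decentralized storage system. Records are only
// appended; a map is used purely to keep the example short.
type Ledger struct {
	records map[string]LedgerRecord
}

// CloudStore stands in for the conventional cloud storage system that holds
// the (possibly owner-encrypted) identifier documents, keyed by URI.
type CloudStore struct {
	objects map[string][]byte
}

func NewLedger() *Ledger         { return &Ledger{records: map[string]LedgerRecord{}} }
func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }

// docDigest is the digest anchored on the ledger beside the identifier
// (SHA-256 is an assumption; the patent does not name the algorithm).
func docDigest(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// Register writes the identifier document to cloud storage and anchors the
// identifier together with the document digest and URI on the ledger. A second
// registration of the same identifier is refused: a changed resource must
// re-apply for a new fusion identifier instead of overwriting the old one.
func Register(l *Ledger, c *CloudStore, id string, doc []byte, uri string) error {
	if _, exists := l.records[id]; exists {
		return fmt.Errorf("identifier %q already registered", id)
	}
	c.objects[uri] = doc
	l.records[id] = LedgerRecord{ID: id, DocHash: docDigest(doc), DocURI: uri}
	return nil
}

// Resolve looks the identifier up on the ledger, fetches the document through
// the associated URI, and returns it only if its digest matches the anchored
// one, so a document modified in cloud storage is rejected.
func Resolve(l *Ledger, c *CloudStore, id string) ([]byte, error) {
	rec, ok := l.records[id]
	if !ok {
		return nil, errors.New("unknown identifier")
	}
	doc, ok := c.objects[rec.DocURI]
	if !ok {
		return nil, fmt.Errorf("identifier document %s missing from cloud storage", rec.DocURI)
	}
	if docDigest(doc) != rec.DocHash {
		return nil, fmt.Errorf("identifier %q: document digest mismatch, document was modified", id)
	}
	return doc, nil
}

func main() {
	ledger, cloud := NewLedger(), NewCloudStore()
	// Constructed sample identifier document (JSON, as the text allows).
	doc := []byte(`{"id":"iot:dev:0001","publicKey":"base64...","operator":"op-1"}`)
	uri := "https://cloud.example/docs/dev-0001" // assumed association
	if err := Register(ledger, cloud, "iot:dev:0001", doc, uri); err != nil {
		panic(err)
	}
	got, err := Resolve(ledger, cloud, "iot:dev:0001")
	fmt.Printf("resolved: %s (err=%v)\n", got, err)

	// An attacker with write access to the cloud bucket swaps the document;
	// the ledger-anchored digest exposes the change at resolution time.
	cloud.objects[uri] = []byte(`{"id":"iot:dev:0001","publicKey":"attacker"}`)
	_, err = Resolve(ledger, cloud, "iot:dev:0001")
	fmt.Println("after tampering:", err)
}
```

The point of the split is that cloud storage only needs to be available, not trusted: integrity comes from the digest on the ledger, and confidentiality, if wanted, from the owner encrypting the document before storing it.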
S23, sending the first fusion identifier and the second fusion identifier from the decentralized storage system or the cloud storage system to the fusion authentication service system.
The fusion authentication service system is a system that provides the fusion authentication service. It cooperates with the identifier authentication system, the decentralized storage system and the cloud storage system to provide identifier resolution and identity authentication services to Internet of things services and devices. The fusion authentication service integrates the two service capabilities of identifier resolution and identity authentication, and its service objects are Internet of things devices and Internet of things services. Conventional identifier resolution services, by contrast, are separate from authentication services and are typically provided by different systems.
S24, verifying the first fusion identifier and the second fusion identifier; if the verification succeeds, the following steps are performed.
S25, sending a first fusion identifier in the fusion authentication service system to the Internet of things equipment, and sending a second fusion identifier in the fusion authentication service system to the Internet of things service system, wherein the first fusion identifier comprises an identifier or an identifier document corresponding to the Internet of things service system, and the second fusion identifier comprises an identifier or an identifier document corresponding to the Internet of things equipment.
When Internet of things devices and Internet of things service systems, or Internet of things devices among themselves, access each other, the two cooperating parties each obtain the fusion identifier (comprising the identifier and the identifier document) of the other party through the fusion authentication service system. The fusion authentication service system obtains the identifier from the corresponding decentralized storage system and the identifier document from the cloud storage system through its agent modules. If both the identifier and the identifier document are stored in the decentralized storage system, the fusion authentication service system obtains them directly from the corresponding decentralized storage system.
S26, judging whether the identifications of the Internet of things equipment and the Internet of things service system correspond to each other according to the first fusion identification and the second fusion identification, so that identification analysis and identity authentication between the Internet of things equipment and the Internet of things service system are achieved.
After the Internet of things service system and the Internet of things device have obtained each other's fusion identifier, each can directly resolve and verify the identity of the other party by parsing and verifying the information in the identifier document of the fusion identifier. During identifier resolution and identity authentication, either party can interact with the fusion authentication service system to obtain supporting services. For example, where necessary, the signed identifier may be verified through the fusion authentication service system in cooperation with the corresponding identifier authentication system.
Preferably, before sending the first fusion identifier in the fusion authentication service system to the internet of things device and sending the second fusion identifier in the fusion authentication service system to the service system of the internet of things, the method further includes:
if the first fusion identifier is changed into a third fusion identifier and the second fusion identifier is changed into a fourth fusion identifier, verifying the third fusion identifier and the fourth fusion identifier, if the verification is successful, sending the third fusion identifier in the fusion authentication service system to the Internet of things equipment, sending the fourth fusion identifier in the fusion authentication service system to the Internet of things service system, and realizing identifier resolution and identity authentication between the Internet of things equipment and the Internet of things service system according to the third fusion identifier and the fourth fusion identifier.
When the identifier or authentication information of an Internet of things resource (an Internet of things device, an Internet of things service, etc.) changes, the resource can re-apply for a fusion identifier and re-register.
Specifically, one case is as follows. As shown in fig. 4, the Internet of things device and the Internet of things service systems each register their own fusion identifier. When the Internet of things device accesses Internet of things service S1 and Internet of things service S2, both services can identify and authenticate the device directly through the fusion authentication service system, so the device does not need to register with or log in to the two services separately.
The other case is as follows. As shown in fig. 5, each Internet of things service system (e.g., Internet of things services S1, …, SM) and the Internet of things device register their own identifier information with the fusion authentication service system. Correspondingly, the operators of the Internet of things services and devices check and verify the registered identifier information through the fusion authentication service system.
When an Internet of things device accesses any registered Internet of things service, the device and the service authenticate each other directly through the fusion authentication service system. This authentication process does not need to go back to the respective service operator's system.
Further, the fusion identifier includes a validity field (e.g., a time validity field). The operator and the Internet of things resources can actively update their registration information. The fusion authentication service system includes a dedicated function module to speed up the lookup and analysis of fusion identifiers (e.g., checking whether a fusion identifier has expired).
The fusion identifier comprises an identifier resolution field and an identity authentication field, and is processed by methods such as digests and encryption so that the identifier information cannot be modified without detection. The fusion identifier contains information about the operator and the operator's authentication information for the device or service, thereby providing the operator's endorsement. The fusion authentication service system stores and processes fusion identifiers using block chain based technology, ensuring the trustworthiness, reliability and traceability of the stored identifier information for the participants.
It should be noted that the fusion identifier in the present application is a new kind of identifier that fuses ordinary identifier information with service authentication information. One Internet of things resource can have one or more fusion identifiers, but one fusion identifier can correspond to only one Internet of things resource. The fusion identifier can be generated by the Internet of things resource (Internet of things device, Internet of things service, etc.) and then signed by the operator's identifier authentication system; alternatively, it can be generated and signed by the operator's identifier authentication system and then forwarded to the Internet of things resource.
The identifier can consist of two identifiers in one-to-one correspondence: one is public and the other is not. The public identifier is stored in the decentralized storage system; the non-public identifier is contained in the identifier document, which is stored in encrypted form in the cloud storage system or the decentralized storage system. A fusion identifier may also have only one identifier. The way the identifier is defined is not limited; the only requirement is global uniqueness. The identifier document is a document that stores the information related to the fusion identifier. In the identifier document, this information can be organized and stored in any parsable manner, for example in JSON format or XML format.
The fusion identifier corresponds to a public/private key pair. Information related to the public key (the public key itself, the algorithms used to generate and verify it, etc.) is stored in the identifier document as a component of the fusion identifier. The private key is stored in the Internet of things resource and may also be backed up in the operator's system. The private key must be kept in secure storage of the Internet of things resource and of the operator's system (e.g., in a secure element of the Internet of things resource that cannot be freely accessed) to prevent unauthorized access or modification. The fusion identifier also comprises identity authentication information for the Internet of things resource, which is an important component of the identifier document. This identity authentication information is signed by the operator's identifier authentication system.
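To make the key-pair and signature description concrete, the following added Go program (example code, not the patent's own) enrolls a device and a service with an operator identifier authentication system, which writes its authentication information into each identifier document and signs it, and then runs the mutual authentication of steps S25 and S26: each party verifies the other's operator signature and validity field, then confirms that the other party holds the private key matching the public key in its document by having it sign a fresh challenge. Ed25519, the JSON field names, the one-hour validity and the challenge-response step are assumptions; the patent only states that the public key and its algorithms are in the identifier document, that the private key stays in the resource's secure storage, and that the document carries a validity field.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// IdentifierDocument is the parsable (JSON) part of a fusion identifier; the
// field set is an assumption for this example.
type IdentifierDocument struct {
	ID         string    `json:"id"`
	PublicKey  []byte    `json:"publicKey"`  // resource public key (Ed25519 assumed)
	Operator   string    `json:"operator"`   // operator identifier authentication system
	AuthInfo   string    `json:"authInfo"`   // operator's authentication information for the resource
	ValidUntil time.Time `json:"validUntil"` // validity field
}

// FusionIdentifier is the identifier, the document bytes and the operator's
// signature over exactly those bytes (verified without re-serialising).
type FusionIdentifier struct {
	ID        string
	Document  []byte
	Signature []byte
}

// Resource is an IoT device or service: its private key (in a real deployment
// kept in secure storage) and its signed fusion identifier.
type Resource struct {
	FID        FusionIdentifier
	PrivateKey ed25519.PrivateKey
}

// Enroll generates the resource's key pair and document, then has the operator
// identifier authentication system (opName, opKey) add its authentication
// information and sign the document.
func Enroll(id, authInfo, opName string, opKey ed25519.PrivateKey, validFor time.Duration) (*Resource, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	raw, err := json.Marshal(IdentifierDocument{ID: id, PublicKey: pub, Operator: opName,
		AuthInfo: authInfo, ValidUntil: time.Now().Add(validFor)})
	if err != nil {
		return nil, err
	}
	fid := FusionIdentifier{ID: id, Document: raw, Signature: ed25519.Sign(opKey, raw)}
	return &Resource{FID: fid, PrivateKey: priv}, nil
}

// VerifyFusionIdentifier checks that the document belongs to the identifier, is
// signed by a trusted operator, has not expired at now, and carries a usable key.
func VerifyFusionIdentifier(fid FusionIdentifier, trusted map[string]ed25519.PublicKey, now time.Time) (IdentifierDocument, error) {
	var doc IdentifierDocument
	if err := json.Unmarshal(fid.Document, &doc); err != nil {
		return doc, err
	}
	opKey, ok := trusted[doc.Operator]
	switch {
	case doc.ID != fid.ID:
		return doc, fmt.Errorf("document id %q does not match identifier %q", doc.ID, fid.ID)
	case !ok:
		return doc, fmt.Errorf("operator %q is not trusted", doc.Operator)
	case !ed25519.Verify(opKey, fid.Document, fid.Signature):
		return doc, fmt.Errorf("operator signature on %q is invalid", fid.ID)
	case now.After(doc.ValidUntil):
		return doc, fmt.Errorf("fusion identifier %q expired at %s", fid.ID, doc.ValidUntil.Format(time.RFC3339))
	case len(doc.PublicKey) != ed25519.PublicKeySize: // ed25519.Verify panics on a bad length
		return doc, fmt.Errorf("fusion identifier %q has a malformed public key", fid.ID)
	}
	return doc, nil
}

// MutualAuthenticate: each party verifies the other's fusion identifier, then
// has the other sign a fresh challenge with the private key matching the
// public key in its document (the challenge-response step is an assumption).
func MutualAuthenticate(a, b *Resource, trusted map[string]ed25519.PublicKey, now time.Time) error {
	for _, pair := range [][2]*Resource{{a, b}, {b, a}} {
		verifier, peer := pair[0], pair[1]
		doc, err := VerifyFusionIdentifier(peer.FID, trusted, now)
		if err != nil {
			return fmt.Errorf("%s rejects %s: %w", verifier.FID.ID, peer.FID.ID, err)
		}
		challenge := make([]byte, 32)
		if _, err := rand.Read(challenge); err != nil {
			return err
		}
		if !ed25519.Verify(doc.PublicKey, challenge, ed25519.Sign(peer.PrivateKey, challenge)) {
			return fmt.Errorf("%s rejects %s: proof of possession failed", verifier.FID.ID, peer.FID.ID)
		}
	}
	return nil
}

func main() {
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"operator-A": opPub}
	dev, _ := Enroll("iot:dev:0001", "device vetted by operator-A", "operator-A", opPriv, time.Hour)
	svc, _ := Enroll("iot:svc:S1", "service vetted by operator-A", "operator-A", opPriv, time.Hour)
	fmt.Println("now:", MutualAuthenticate(dev, svc, trusted, time.Now()))
	fmt.Println("after expiry:", MutualAuthenticate(dev, svc, trusted, time.Now().Add(2*time.Hour)))
}
```

Two design choices are worth noting. The signature is verified over the stored document bytes rather than over a re-serialised struct, which avoids canonicalisation bugs when the document is JSON. And the public key length is checked before any call that uses it, because a malformed document from an untrusted store must produce an error, not a panic in the verifier.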
The fusion authentication service system mainly comprises the following modules: an Internet of things service agent, an Internet of things device agent, an identifier authentication agent, an identifier storage agent, an identifier document storage agent, and an identifier resolution and authentication module.
The Internet of things service agent module connects to Internet of things services. The fusion authentication service system may contain several Internet of things service agent modules, each connected to a corresponding, different type of Internet of things service. An Internet of things service connects to the fusion authentication service system through its corresponding Internet of things service agent module. Through the Internet of things service agent module, the fusion authentication service system provides identifier authentication, identifier registration, identifier query, identifier resolution, identity authentication assistance and similar functions to Internet of things services.
The Internet of things device agent module connects to Internet of things devices. The fusion authentication service system may contain several Internet of things device agent modules, each connected to a corresponding, different type of Internet of things device. An Internet of things device connects to the fusion authentication service system through its corresponding Internet of things device agent module. Through the Internet of things device agent module, the fusion authentication service system provides identifier authentication, identifier registration, identifier query, identifier resolution, identity authentication assistance and similar functions to Internet of things devices.
The identifier authentication agent module connects to the identifier authentication system. The fusion authentication service system may contain several identifier authentication agent modules, each connected to a corresponding, different type of identifier authentication system. Through the cooperation of the identifier authentication agent module and the corresponding identifier authentication system, Internet of things services and devices can obtain a signed identifier or identifier document, apply for an identifier or identifier document to be signed, or request that the identifier authentication system verify a signed identifier or identifier document.
The identifier storage agent module connects to the decentralized storage system. The fusion authentication service system may contain several identifier storage agent modules, each connected to a corresponding, different type of decentralized storage system. Internet of things services and devices can store or retrieve identifiers or identifier documents through the identifier storage agent module and the corresponding decentralized storage system.
The identifier is stored in the decentralized storage system; the identifier document corresponding to the identifier may be stored either in the decentralized storage system or in the cloud storage system. If the identifier is split into two identifiers, the first identifier may be stored in the decentralized storage system while the second identifier is stored in the decentralized storage system or the cloud storage system.
The identifier document storage agent module connects to the cloud storage system. The fusion authentication service system may contain several identifier document storage agent modules, each connected to a corresponding, different type of cloud storage system. Internet of things services and devices can store or retrieve identifier documents through the cooperation of the identifier document storage agent module and the corresponding cloud storage system.
The identifier resolution and authentication module cooperates with each agent module to provide identifier resolution and identity authentication services to Internet of things services and Internet of things devices.
The Internet of things service and the Internet of things gateway (acting for the device) obtain each other's identifier or identifier document through the fusion authentication service system, verify the trustworthiness of the other party, and perform identifier resolution and identity authentication at the same time. Because the identifier and the corresponding identifier document contain sufficient information, the Internet of things device and the Internet of things service can perform identifier resolution and identity authentication one-to-one. This relieves the workload and load on conventional identifier resolution and authentication systems. During one-to-one identifier resolution and identity authentication, the Internet of things device and the Internet of things service can, with the support of the fusion authentication service system, confirm through the corresponding identifier authentication system whether the content of the identifier or identifier document is trustworthy and reliable. The decentralized storage system ensures that the identifier and the corresponding identifier document are stored reliably.
It should be noted that, in each of the above steps, the first fusion identifier or the second fusion identifier may be encrypted by the identifier's owner; during interaction, the two parties exchange keys to perform encryption and decryption, thereby protecting data security and privacy.
The mutual authentication method for Internet of things devices and Internet of things service systems provides a decentralized method and system for identifier resolution and identity authentication of Internet of things resources. With this authentication method, massive numbers of Internet of things resources (including Internet of things devices and Internet of things service systems) can be securely identified, can cooperate, and can authenticate one another in a decentralized manner.
Example 3:
as shown in fig. 1 to fig. 3, the present embodiment provides a mutual authentication device for an internet of things device and an internet of things service system, including:
the first sending unit is used for sending a first fusion identifier in the fusion authentication service system to the Internet of things equipment and sending a second fusion identifier in the fusion authentication service system to the Internet of things service system, wherein the first fusion identifier comprises an identifier or an identifier document corresponding to the Internet of things equipment, and the second fusion identifier comprises an identifier or an identifier document corresponding to the Internet of things service system.
And the first judgment unit is used for judging whether the identifications of the Internet of things equipment and the Internet of things service system correspond to each other according to the first fusion identification and the second fusion identification so as to realize identification analysis and identity authentication between the Internet of things equipment and the Internet of things service system.
And the second sending unit is used for sending the first fusion identifier and the second fusion identifier to the fusion authentication service system from a decentralized storage system or from the decentralized storage system and a cloud storage system.
And the verification unit is used for verifying the first fusion identifier and the second fusion identifier.
The first generating unit is used for generating a first fusion identifier according to the attribute of the Internet of things equipment and generating a second fusion identifier according to the attribute of the Internet of things service system.
And the third sending unit is used for sending the first fusion identifier and the second fusion identifier to the decentralized storage system or the decentralized storage system and the cloud storage system.
And the second generation unit is used for generating a first fusion identifier and a first key according to the attribute of the Internet of things equipment and generating a second fusion identifier and a second key according to the attribute of the Internet of things service system.
And the signature applying unit applies for signature to the first fusion identifier from the corresponding operator identifier authentication system according to the first key, and applies for signature to the second fusion identifier from the corresponding operator identifier authentication system according to the second key.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
While embodiments in accordance with the invention have been described above, these embodiments are not intended to be exhaustive or to limit the invention to the precise embodiments described. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated. The invention is limited only by the claims and their full scope and equivalents.

Claims (4)

1. A mutual authentication method for Internet of things equipment and an Internet of things service system is characterized by comprising the following steps:
generating a first fusion identifier according to the attribute of the service system of the Internet of things, and generating a second fusion identifier according to the attribute of the equipment of the Internet of things; the first fusion identifier comprises an identifier and an identifier document corresponding to the service system of the internet of things, and the second fusion identifier comprises an identifier and an identifier document corresponding to the equipment of the internet of things;
sending the first fusion identifier and the second fusion identifier to a decentralized storage system, or sending the first fusion identifier and the second fusion identifier to the decentralized storage system and a cloud storage system;
sending the first fusion identifier and the second fusion identifier from a decentralized storage system or from the decentralized storage system and a cloud storage system to a fusion authentication service system;
verifying the first fusion identifier and the second fusion identifier, if the verification is successful, sending the first fusion identifier in the fusion authentication service system to the Internet of things equipment, and sending the second fusion identifier in the fusion authentication service system to the Internet of things service system;
judging whether the identifications of the Internet of things equipment and the Internet of things service system correspond to each other according to the first fusion identification and the second fusion identification so as to realize identification analysis and identity authentication between the Internet of things equipment and the Internet of things service system;
the generating of the first fusion identifier according to the attribute of the service system of the internet of things and the generating of the second fusion identifier according to the attribute of the equipment of the internet of things comprise:
generating the first fusion identifier and a first key according to the attribute of the service system of the internet of things, and generating the second fusion identifier and a second key according to the attribute of the equipment of the internet of things;
according to the first key, writing first identity authentication information into the first fusion identifier through a corresponding operator identifier authentication system, applying for signing on the first fusion identifier through the corresponding operator identifier authentication system according to the first key, writing second identity authentication information into the second fusion identifier through the corresponding operator identifier authentication system according to the second key, and applying for signing on the second fusion identifier through the corresponding operator identifier authentication system according to the second key;
the signed identification document in the first fusion identification comprises information of the operator identification authentication system and identity authentication information of an operator to the service system of the internet of things; the signed identification document in the second fusion identification comprises the information of the operator identification authentication system and the identity authentication information of the operator to the internet of things equipment.
2. The method for mutual authentication between an internet of things device and an internet of things service system according to claim 1, wherein the generating the second fusion identifier according to the property of the internet of things device comprises:
and acquiring the second fusion identifier through an internet of things gateway corresponding to the internet of things equipment, wherein the internet of things equipment is limited in capability.
3. The mutual authentication method for the internet of things equipment and the internet of things service system according to claim 1, wherein before sending the first fusion identifier in the fusion authentication service system to the internet of things equipment and sending the second fusion identifier in the fusion authentication service system to the internet of things service system, the mutual authentication method further comprises:
if the first fusion identification is changed into a third fusion identification, the second fusion identification is changed into a fourth fusion identification, the third fusion identification and the fourth fusion identification are verified, if the verification is successful, the third fusion identification in the fusion authentication service system is sent to the Internet of things equipment, the fourth fusion identification in the fusion authentication service system is sent to the Internet of things service system, and identification analysis and identity authentication between the Internet of things equipment and the Internet of things service system are achieved according to the third fusion identification and the fourth fusion identification.
4. A mutual authentication device for Internet of things equipment and an Internet of things service system, characterized by comprising:
the system comprises a first sending unit and a second sending unit, wherein the first sending unit is used for sending a first fusion identifier in a fusion authentication service system to the Internet of things equipment and sending a second fusion identifier in the fusion authentication service system to the Internet of things service system, the first fusion identifier comprises an identifier and an identifier document corresponding to the Internet of things service system, and the second fusion identifier comprises an identifier and an identifier document corresponding to the Internet of things equipment;
the first judging unit is used for judging whether the identifications of the Internet of things equipment and the Internet of things service system correspond to each other according to the first fusion identification and the second fusion identification so as to realize identification analysis and identity authentication between the Internet of things equipment and the Internet of things service system;
the apparatus further comprises:
a second sending unit, configured to send the first fusion identifier and the second fusion identifier from a decentralized storage system or from a decentralized storage system and a cloud storage system to the fusion authentication service system;
the verification unit is used for verifying the first fusion identifier and the second fusion identifier;
the apparatus further comprises:
the first generation unit is used for generating the first fusion identifier according to the attribute of the service system of the Internet of things and generating the second fusion identifier according to the attribute of the equipment of the Internet of things;
a third sending unit, configured to send the first fusion identifier and the second fusion identifier to the decentralized storage system or the decentralized storage system and the cloud storage system;
the apparatus further comprises:
the second generation unit is used for generating the first fusion identifier and the first key according to the attribute of the service system of the internet of things and generating the second fusion identifier and the second key according to the attribute of the equipment of the internet of things;
the signature applying unit applies for signature to the first fusion identifier through a corresponding operator identifier authentication system according to the first key, and applies for signature to the second fusion identifier through a corresponding operator identifier authentication system according to the second key;
the signed identification document in the first fusion identification comprises the information of the operator identification authentication system and the identity authentication information of an operator to the service system of the internet of things; the signed identification document in the second fusion identification comprises the information of the operator identification authentication system and the identity authentication information of the operator to the internet of things equipment.
CN202010659244.6A 2020-07-09 2020-07-09 Mutual authentication method and equipment for Internet of things equipment and Internet of things service system Active CN111835755B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010659244.6A CN111835755B (en) 2020-07-09 2020-07-09 Mutual authentication method and equipment for Internet of things equipment and Internet of things service system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010659244.6A CN111835755B (en) 2020-07-09 2020-07-09 Mutual authentication method and equipment for Internet of things equipment and Internet of things service system

Publications (2)

Publication Number Publication Date
CN111835755A CN111835755A (en) 2020-10-27
CN111835755B true CN111835755B (en) 2022-06-10

Family

ID=72900503

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010659244.6A Active CN111835755B (en) 2020-07-09 2020-07-09 Mutual authentication method and equipment for Internet of things equipment and Internet of things service system

Country Status (1)

Country Link
CN (1) CN111835755B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113490207B (en) * 2021-06-29 2024-02-06 Shenzhen TCL New Technology Co., Ltd. Internet of Things device binding method and apparatus, computer device and storage medium
CN113612854B (en) * 2021-08-16 2023-07-25 China United Network Communications Group Co., Ltd. Blockchain-based communication method, server and terminal
CN114257406A (en) * 2021-11-17 2022-03-29 China Southern Power Grid Co., Ltd. Device communication method and apparatus based on identifier algorithm, and computer device

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102868998A (en) * 2012-09-14 2013-01-09 China United Network Communications Group Co., Ltd. Method and device for accessing Internet of Things services
CN108270571A (en) * 2017-12-08 2018-07-10 Xidian University Blockchain-based Internet of Things identity authorization system and method
CN108512862A (en) * 2018-05-30 2018-09-07 Bochao Technology (Beijing) Co., Ltd. Internet of Things terminal security authentication control platform based on certificateless identity authentication technology
CN109361520A (en) * 2018-12-24 2019-02-19 Taihua Wisdom Industry Group Co., Ltd. Internet of Things device dynamic encryption method based on login serial number
CN109714174A (en) * 2019-02-18 2019-05-03 Hefei Institutes of Physical Science, Chinese Academy of Sciences Blockchain-based digital identity management system and method for Internet of Things devices
CN110024422A (en) * 2016-12-30 2019-07-16 Intel Corporation Internet of Things naming and blockchain record
GB201913969D0 (en) * 2018-09-28 2019-11-13 Infosys Ltd System and method for decentralized identity management, authentication and authorization of applications
WO2020073039A1 (en) * 2018-10-05 2020-04-09 Averon Us, Inc. Apparatuses, methods, and computer program products for secure access credential management
CN111241549A (en) * 2020-01-08 2020-06-05 Guangzhou Computer Network Information Center, Chinese Academy of Sciences Trusted resolution method under heterogeneous identifier systems
CN111327416A (en) * 2019-12-13 2020-06-23 Liu Gaofeng Internet of Things device access method and apparatus, and Internet of Things platform

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10432585B2 (en) * 2017-02-25 2019-10-01 Xage Security, Inc. Autonomous decentralization of centralized stateful security services with systematic tamper resistance
US10924466B2 (en) * 2017-07-28 2021-02-16 SmartAxiom, Inc. System and method for IOT security


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
A Survey on Blockchain-Based Identity Management Systems for the Internet of Things; Xiaoyang Zhu et al.; 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData); 2019-06-30; full text *
Research and Implementation of an Identifier Resolution System Based on the Internet of Things; Wang Peng; China Master's Theses Full-text Database, Information Science and Technology Series; 2015-07-15; full text *
RFID, the Core Technology of the Internet of Things; Ma Jing et al.; Journal of Yili Normal University (Natural Science Edition); 2010-12-15 (No. 4); full text *

Also Published As

Publication number Publication date
CN111835755A (en) 2020-10-27

Similar Documents

Publication Publication Date Title
CN108876374B (en) Block chain network identity document authentication method and system
US20210051023A1 (en) Cross-chain authentication method, system, server, and computer-readable storage medium
CN111835755B (en) Mutual authentication method and equipment for Internet of things equipment and Internet of things service system
CN109618326A (en) User dynamic identifier generation method, service registration method and login verification method
CN102984127A (en) User-centered mobile internet identity management and authentication method
CN112199726A (en) Block chain-based alliance trust distributed identity authentication method and system
CN101291216B (en) P2P network system and authentication method thereof
CN101841521A (en) Method, server and system for authenticating identity information in DNS messages
CN104683306A (en) Safe and controllable internet real-name certification mechanism
CA2795745A1 (en) Cryptographic document processing in a network
CN106790045A (en) Cloud-environment-based distributed virtual machine broker architecture and data integrity support method
CN109978479A (en) Electronic invoice reimbursement method, device, data sharing server and system
CN111800426A (en) Method, device, equipment and medium for accessing native code interface in application program
CN116433425A (en) Case setting method based on alliance chain and related equipment
Gulati et al. Self-sovereign dynamic digital identities based on blockchain technology
US11882214B2 (en) Technique for cryptographic document protection and verification
CN113965425B (en) Access method, device and equipment of Internet of things equipment and computer readable storage medium
Garba et al. LightCERT4IoTs: Blockchain-based lightweight certificates authentication for IoT applications
CN104468074A (en) Method and equipment for authentication between applications
CN116366259A (en) Public verifiable Boolean search system and method for ciphertext data
CN116506118A (en) Identity privacy protection method in PKI certificate transparentization service
CN116074061A (en) Data processing method and device for rail transit, electronic equipment and storage medium
CN113221188B (en) AIS data evidence storage method, evidence obtaining method, device and storage medium
CN113872986B (en) Power distribution terminal authentication method and device and computer equipment
CN103139774B (en) Short message service processing method and short message service treatment system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant