CN113206816A - Node access method, node access device, related equipment and computer readable storage medium


Info

Publication number
CN113206816A
Authority
CN
China
Prior art keywords
node
authority
authority authentication
access
access message
Prior art date
Legal status
Pending
Application number
CN202010078827.XA
Other languages
Chinese (zh)
Inventor
刘源
龚国成
方绍波
马力
冯诗正
曹雪峰
孙震
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile IoT Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile IoT Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

The invention provides a node access method, a node access device, related equipment and a computer readable storage medium. The method comprises the following steps: acquiring an authority authentication result for the second node, where the authority authentication result is obtained by a target device verifying an authority authentication code carried in a first access message sent by the second node, the target device is the first node or the server, and the authority authentication result indicates a target operation authority possessed by the second node; and executing the operation instruction in the first access message that matches the target operation authority. The embodiment of the invention can improve the flexibility of control over node access authority.

Description

Node access method, node access device, related equipment and computer readable storage medium
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a node access method, a node access device, related equipment and a computer readable storage medium.
Background
The internet of things can be regarded as the interconnection of everything: the nodes of the network can be any objects capable of interacting through a network communication protocol, such as machines, household appliances, mobile devices and network cameras. Nodes communicate with each other using a mutually agreed protocol, and interaction and control between nodes are achieved by transmitting message instructions over communication channels. A node usually decides whether to accept an operation request from another node on the basis of that node's identity authority.
However, in the existing node access method, once the identity authority of the accessing node has been verified as correct, the accessed node executes all the operation instructions in the access message sent by the accessing node, which results in poor flexibility of node access control.
Disclosure of Invention
Embodiments of the present invention provide a node access method, an apparatus, a related device, and a computer-readable storage medium, so as to solve the problem in the prior art that the access control flexibility of a node is poor.
In a first aspect, an embodiment of the present invention provides a node access method, which is applied to a first node, and the method includes:
acquiring an authority authentication result for the second node; the authority authentication result is obtained by a target device verifying an authority authentication code carried in a first access message sent by the second node, the target device is the first node or the server, and the authority authentication result indicates a target operation authority possessed by the second node;
and executing the operation instruction in the first access message that matches the target operation authority.
In a second aspect, an embodiment of the present invention further provides a node access method, which is applied to a server, where the method includes:
acquiring an authority authentication result for the second node; the authority authentication result is obtained by the server verifying an authority authentication code carried in a first access message sent by the second node, and the authority authentication result indicates a target operation authority possessed by the second node;
and sending a second access message to the first node; the second access message comprises the authority authentication result, and the second access message is used for instructing the first node to execute the operation instruction in the first access message that matches the target operation authority.
In a third aspect, an embodiment of the present invention further provides a node access method, which is applied to a second node, and the method includes:
acquiring an authority authentication code; the authority authentication code is used by a target device for verification to obtain an authority authentication result, the target device is the first node or a server, and the authority authentication result indicates a target operation authority possessed by the second node;
generating a first access message based on the authority authentication code;
and sending the first access message to the first node, so that the first node executes the operation instruction in the first access message that matches the target operation authority.
In a fourth aspect, an embodiment of the present invention further provides a node access apparatus, which is applied to a first node, and the apparatus includes:
a first acquisition module, configured to acquire an authority authentication result for the second node; the authority authentication result is obtained by a target device verifying an authority authentication code carried in a first access message sent by the second node, the target device is the first node or the server, and the authority authentication result indicates a target operation authority possessed by the second node;
and an execution module, configured to execute the operation instruction in the first access message that matches the target operation authority.
In a fifth aspect, an embodiment of the present invention further provides a node access apparatus, which is applied to a server, where the apparatus includes:
a second acquisition module, configured to acquire the authority authentication result for the second node; the authority authentication result is obtained by the server verifying an authority authentication code carried in a first access message sent by the second node, and the authority authentication result indicates a target operation authority possessed by the second node;
and a first sending module, configured to send a second access message to the first node; the second access message comprises the authority authentication result, and the second access message is used for instructing the first node to execute the operation instruction in the first access message that matches the target operation authority.
In a sixth aspect, an embodiment of the present invention further provides a node access apparatus, which is applied to a second node, and the apparatus includes:
a third acquisition module, configured to acquire the authority authentication code; the authority authentication code is used by a target device for verification to obtain an authority authentication result, the target device is the first node or a server, and the authority authentication result indicates a target operation authority possessed by the second node;
a generating module, configured to generate a first access message based on the authority authentication code;
and a second sending module, configured to send the first access message to the first node, so that the first node executes the operation instruction in the first access message that matches the target operation authority.
In a seventh aspect, an embodiment of the present invention further provides a first node, including a first processor, a first memory, and a computer program stored in the first memory and executable on the first processor, where the computer program, when executed by the first processor, implements the steps of the first node side node access method.
In an eighth aspect, an embodiment of the present invention provides a server, including a second processor, a second memory, and a computer program stored on the second memory and executable on the second processor, where the computer program, when executed by the second processor, implements the steps of the server-side node access method.
In a ninth aspect, an embodiment of the present invention provides a second node, including a third processor, a third memory, and a computer program stored in the third memory and executable on the third processor, where the computer program, when executed by the third processor, implements the steps of the second node side node access method.
In a tenth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, the computer program, when executed by a first processor, implementing the steps of the first node-side node access method, or when executed by a second processor, implementing the steps of the server-side node access method, or when executed by a third processor, implementing the steps of the second node-side node access method.
In the embodiment of the invention, the first node acquires an authority authentication result for the second node; the authority authentication result is obtained by a target device verifying an authority authentication code carried in a first access message sent by the second node, the target device is the first node or the server, and the authority authentication result indicates a target operation authority possessed by the second node; and the first node executes the operation instruction in the first access message that matches the target operation authority. Therefore, the target operation authority with which the second node accesses the first node can be determined from the authority authentication code carried in the first access message, and the second node can control the first node to complete a specific operation only by obtaining the authority authentication code of the first node; in addition, the first node can separately control different operation authorities of an accessing node through different authority authentication codes, which improves the flexibility of control over node access authority.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a first schematic flowchart of a node access method according to an embodiment of the present invention;
Fig. 2 is a second schematic flowchart of a node access method according to an embodiment of the present invention;
Fig. 3 is a third schematic flowchart of a node access method according to an embodiment of the present invention;
Fig. 4 is an access interaction diagram of a node in node mode accessing a relevant device in the system;
Fig. 5 is an access interaction diagram of a node in service center mode accessing a relevant device in the system;
Fig. 6 is a first schematic structural diagram of a node access apparatus according to an embodiment of the present invention;
Fig. 7 is a second schematic structural diagram of a node access apparatus according to an embodiment of the present invention;
Fig. 8 is a third schematic structural diagram of a node access apparatus according to an embodiment of the present invention;
Fig. 9 is a schematic hardware structure diagram of a first node according to an embodiment of the present invention;
Fig. 10 is a schematic hardware structure diagram of a server according to an embodiment of the present invention;
Fig. 11 is a schematic hardware structure diagram of a second node according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The following first describes a node access method provided in an embodiment of the present invention.
It should be noted that the node access method provided in the embodiment of the present invention may be applied to a node access system, and the node access system may have two operation modes. The first operation mode may be referred to as the node mode: in the node mode, the accessing node (second node) may directly sign with the private key corresponding to the communication certificate of the accessed node (first node) and send the signature to the first node. In the node mode, the node access system comprises at least a first node and a second node; when the first node is far away from the second node, the node access system further comprises a server, which relays the first access message sent by the second node.
The second operation mode may be referred to as the service center mode: in the service center mode, the private key corresponding to the communication certificate of the first node is stored only on the server, the second node sends a message requesting access to the first node to the server, and the server signs with the private key corresponding to the communication certificate of the first node and then sends the signature to the second node. In the service center mode, the node access system includes a first node, a second node, and a server.
Referring to fig. 1, a flowchart of a node access method provided by the embodiment of the present invention is shown, and is applied to a first node. As shown in fig. 1, the method may include the steps of:
step 101, acquiring an authority authentication result for a second node; the authority authentication result is obtained by a target device verifying an authority authentication code carried in a first access message sent by the second node, the target device is the first node or the server, and the authority authentication result indicates a target operation authority possessed by the second node;
step 102, executing the operation instruction in the first access message that matches the target operation authority.
The node access method of this embodiment is applied to a first node. The first node acquires an authority authentication result for a second node and, based on the target operation authority of the second node indicated in that result, executes the operation instruction in the first access message that matches the target operation authority.
In the node mode, the authority authentication result is obtained by the first node itself verifying the authority authentication code carried in the first access message sent by the second node. In the service center mode, the authority authentication result is obtained by the server verifying the authority authentication code carried in the first access message sent by the second node.
These two modes are described in detail below.
In the node mode, optionally, the step 101 specifically includes:
receiving a first access message of a second node, wherein the first access message carries an authority authentication code;
and verifying the operation authority of the second node based on the authority authentication code to obtain an authority authentication result.
In short-range communication, the second node may communicate directly with the first node, and receiving the first access message of the second node may be understood as receiving the first access message sent by the second node. In long-range communication, the first access message sent by the second node needs to be relayed to the first node through the server, and receiving the first access message of the second node may be understood as receiving the first access message sent by the second node and relayed by the server.
And the first node verifies the operation authority of the second node based on the authority authentication code to obtain an authority authentication result. Specifically, the first node verifies the operation authority of the second node based on the authority authentication code type and the node pre-configuration to obtain an authority authentication result.
The authority authentication code type can be divided into three types.
The first type may be a fixed secret string. Optionally, if the type of the authority authentication code is a fixed secret string, verifying the operation authority of the second node based on the authority authentication code to obtain an authority authentication result includes:
matching the authority authentication code against a first operation authority list acquired in advance;
and, if the matching succeeds, determining the operation authority corresponding to the target secret character string in the first operation authority list as the target operation authority possessed by the second node; the first operation authority list comprises at least one secret character string and the operation authority corresponding to each secret character string, and the target secret character string is the secret character string in the first operation authority list that matches the authority authentication code.
The first node may be pre-configured with the first operation authority list when leaving the factory, the first operation authority list comprising at least one secret character string and the operation authority corresponding to each secret character string; in this way, the first node can separately control different operation authorities of the accessing node through different authority authentication codes.
Optionally, the first operation authority list may further include a node corresponding to each secret character string, that is, the first node may further separately control the operation authority of different access nodes through the secret character string. For example, for the secret string a, it corresponds to the second node a1, i.e. only the second node a1 has the operation right corresponding to the secret string a based on the secret string a, and the second node a2 does not have the operation right corresponding to the secret string a based on the secret string a. Therefore, the flexibility of node access authority control can be further improved.
The first node may match the authority authentication code based on the first operation authority list, and determine, when the matching is successful, the operation authority corresponding to the target secret character string in the first operation authority list as the target operation authority possessed by the second node.
Optionally, the first node may further match the second node based on identification information of the second node, such as a node identification ID, to determine whether the second node has an operation right corresponding to the target secret character string.
The second type may be a dynamic response code, optionally, if the type of the authority authentication code is a dynamic response code; the verifying the operation authority of the second node based on the authority authentication code to obtain an authority authentication result includes:
comparing the authority authentication code with a target dynamic response code; the target dynamic response code is a dynamic response code sent to the first node by a server, and the target dynamic response code is a dynamic response code randomly generated by the server when the server receives a message of requesting to access the first node by the second node;
and, if the comparison succeeds, determining the preset operation authority whose type corresponds to the dynamic response code as the target operation authority possessed by the second node.
When requesting to access the first node, the second node sends a login message to the server; on receiving the message that the second node requests to access the first node, the server can randomly generate a dynamic response code and send it to the second node, and can at the same time send the generated dynamic response code to the first node.
The first node compares the authority authentication code with the target dynamic response code, and if the comparison succeeds, determines the preset operation authority whose type corresponds to the dynamic response code as the target operation authority possessed by the second node. For example, an intelligent lock (first node) presets the operation authority for opening the door, and a mobile terminal (second node) has the operation authority for opening the door only when it responds correctly to the dynamic response code generated by the server.
In addition, optionally, before determining that the preset operation permission of which the type is the type corresponding to the dynamic response code is the target operation permission possessed by the second node, the method further includes:
acquiring the response time of the second node for the authority authentication code;
determining whether the response time is within a preset time;
and, if the response time is within the preset time, executing the step of determining the preset operation authority whose type corresponds to the dynamic response code as the target operation authority possessed by the second node.
That is, the first node sets a response time for the dynamic response code, and the second node has the preset operation authority only when it responds to the dynamic response code within the preset time and the response is correct. This limits the window in which an intercepted access message of the second node could be reused, and improves the access security of the first node.
The preset time may be set according to the actual situation; for example, it may be set to within one minute of the server sending the dynamic response code, or to within one day of the server sending the dynamic response code, which is not limited here.
Optionally, the third type is null; if the type of the authority authentication code is null, the verifying the operation authority of the second node based on the authority authentication code to obtain an authority authentication result includes:
determining the operation authority preset for the null authority authentication code type as the target operation authority possessed by the second node; or,
determining that the target operation authority possessed by the second node is the maximum operation authority accessible on the first node.
The first node may allow the second node to send an authority authentication code whose type is null. A null-type authority authentication code may mean that the second node is granted the set operation authority without the first node verifying the authority authentication code, and the set operation authority may be the maximum operation authority accessible on the first node. It may also be understood that the server has already verified the authority authentication code sent by the second node and then sends an authority authentication code of null type to the first node, meaning that, by default, the server has verified that the second node has the operation authority for all the operation instructions in the first access message.
In the service center mode, optionally, the step 101 specifically includes:
receiving a second access message sent by the server; the second access message comprises an authority authentication result aiming at the second node, and the authority authentication result is obtained by verifying the server based on an authority authentication code carried in the first access message sent by the second node.
In the service center mode, the process by which the server verifies the authority authentication code carried in the first access message sent by the second node is the same as that of the first node, and details thereof are not repeated here.
In step 102, the first node executes the operation instruction matching with the target operation authority in the first access message correspondingly, and the operation instruction exceeding the authority is ignored.
In the embodiment of the invention, the authority authentication result aiming at the second node is obtained through the first node; the authority authentication result is obtained by verifying a target device based on an authority authentication code carried in a first access message sent by the second node, the target device is the first node or the server, and the authority authentication result indicates a target operation authority possessed by the second node; and executing the operation instruction matched with the target operation authority in the first access message. Therefore, the target operation authority of the second node for accessing the first node can be determined through the authority authentication code carried in the first access message, and the second node can control the first node to complete specific operation only by obtaining the authority authentication code of the first node; in addition, the first node can separately control different operation authorities of the access node through different authority authentication codes, and therefore flexibility of control over the access authority of the node is improved.
Further, before performing the operation authority authentication, the first node needs to perform identity authentication on the second node. In order to ensure access security, the second node encrypts the message for accessing the first node, signs it, and then sends the access message to the first node. Correspondingly, the first node first verifies the signature and then decrypts; if both signature verification and decryption succeed, the identity authentication is complete and the second node is allowed to access the first node.
Optionally, the first access message includes first signature information generated by the second node based on a private key corresponding to the communication certificate of the first node; before the obtaining of the authority authentication result for the second node, the method further includes:
verifying the first signature information based on a communication certificate set acquired in advance; the communication certificate set comprises at least one communication certificate, and the communication certificate is used for verifying the identity validity of the second node;
and if the signature verification succeeds, executing the step of acquiring the authority authentication result for the second node.
The communication certificate can be understood as a certificate for signing an access message sent by a node: the node sending the message signs it with the private key corresponding to the communication certificate, and the node receiving the message verifies it with the communication certificate. Therefore, the communication certificate can be used for verifying the identity validity of the second node; when signature verification succeeds, the access message sent by the second node is determined to be a legitimate message, otherwise the access message sent by the second node is disregarded as a failed communication.
The communication certificate set comprises a communication certificate trusted by the first node, and the communication certificate trusted by the first node is a communication certificate registered in the first node initialization process.
In order to enable a second node to access the first node, the communication certificate used between the second node and the first node needs to be written into the communication certificate set in advance. Optionally, before verifying the first signature information based on the pre-acquired communication certificate set, the method further includes:
receiving a write message sent by the second node; the write message comprises a communication certificate generated by the second node;
and writing the communication certificate generated by the second node into the communication certificate set of the first node under the condition that the write message passes verification.
When the first node is in an initialization state, it receives the write message sent by the second node. The first node verifies whether the written data and its state are correct, and writes the communication certificate generated by the second node into the communication certificate set of the first node if the verification passes.
Optionally, the first access message is an access message generated after the second node encrypts the authority authentication code based on a first encryption public key of the first node acquired in advance; the obtaining of the authority authentication result for the second node includes:
decrypting the first access message based on a first encryption private key corresponding to the first encryption public key to obtain a decryption result;
and under the condition that the decryption result shows that the verification is successful, acquiring the authority authentication result aiming at the second node from the decrypted first access message.
Optionally, after the executing the operation instruction matched with the target operation authority in the first access message, the method further includes:
encrypting an operation result message based on a second encryption public key of the second node; wherein the operation result message comprises an execution result of an operation instruction in the first access message;
signing the encrypted operation result message based on the signature private key of the first node to obtain second signature information of the first node;
sending a return result message to the second node; wherein the return result message includes the encrypted operation result message and second signature information of the first node.
The operation result message includes the execution result of each operation instruction in the first access message. For example, if the first access message includes operation instruction A1, operation instruction A2 and operation instruction A3, the execution result of operation instruction A1 and operation instruction A2 may be "success", and for operation instruction A3, which exceeds the authority, the execution result may be "failure", the reason for the failure being that the authority is exceeded and the instruction was not executed.
In the embodiment of the invention, by verifying the communication certificate signature of the access message, only a node holding the private key of the communication certificate can access the first node, and the specific access operation authority is determined by the authority authentication code in the access message. Therefore, the service center can be established on a public cloud without the service center itself being able to control the nodes: a specific operation can be completed only by obtaining the authority authentication code of the corresponding node, so a specific node can only access a specific function, and the access operation authority of the node can be flexibly controlled.
Moreover, the node access system can be compatible with distributed access authority control of a service center mode and a node mode and can adapt to network structures of different scales and modes.
In addition, the access message is encrypted with the public key of the accessed node's equipment encryption certificate, and the service center cannot obtain the specific content of the access message; therefore forwarding by the service center can traverse a local area network, and the accessed node does not need a fixed wide area network address.
It should be noted that the various embodiments described in the embodiments of the present invention may be implemented in combination with each other or separately, and the embodiments of the present invention are not limited thereto.
Referring to fig. 2, a second flowchart of the node access method provided by the embodiment of the present invention is shown, and is applied to a server. As shown in fig. 2, the method may include the steps of:
step 201, acquiring an authority authentication result aiming at a second node; the authority authentication result is obtained by verifying the server based on an authority authentication code carried in a first access message sent by the second node, and the authority authentication result indicates a target operation authority possessed by the second node;
step 202, sending the second access message to the first node; the second access message comprises the authority authentication result, and the second access message is used for instructing the first node to execute the operation instruction matched with the target operation authority in the first access message.
In step 201, the node access system is in the service center mode, and the second node must access the first node by means of the server. Specifically, step 201 includes:
receiving a first access message sent by a second node; wherein, the first access message carries an authority authentication code;
and verifying the operation authority of the second node based on the authority authentication code to obtain an authority authentication result.
The process of verifying the operation authority of the second node based on the authority authentication code to obtain the authority authentication result is the same as that of the first node, and is not repeated here.
In step 202, the second access message carrying the authority authentication result is sent to the first node. The authority authentication result may be a target operation authority possessed by the second node, or may be an authority authentication code of which the type is null, which is not specifically limited herein.
The service center mode is different from the node mode in that in the service center mode, a private key corresponding to a communication certificate of a first node only exists in a server, and therefore the server needs to perform identity authentication on a second node before acquiring an authority authentication result for the second node.
Optionally, the first access message includes third signature information generated by the second node based on a signature private key of the second node; before the obtaining of the authority authentication result for the second node, the method further includes:
acquiring an association list of the first node; wherein the association list comprises signature public keys of other nodes associated with the first node;
verifying the third signature information based on the association list;
and if the signature verification succeeds, executing the step of acquiring the authority authentication result for the second node.
The server stores an association list between nodes that may communicate; for example, if node A and node B can communicate, the signature public keys of node A and node B are stored in association. Therefore, the association list of the first node may be obtained from the server based on the signature public key of the first node, where the association list includes the signature public key of the first node and the signature public keys of other nodes associated with the first node.
In order to enable a second node to access the first node, the signature public key of the second node needs to be registered in the first node in advance, and the first node registers the second node to a server in an associated manner. Optionally, before obtaining the association list of the first node, the method further includes:
receiving a registration message sent by the first node; wherein the registration message comprises a public signature key of the second node and a public signature key of the first node;
and storing the signature public key of the second node and the signature public key of the first node in an associated manner.
Optionally, the second access message further includes fourth signature information generated by the server based on a private key corresponding to the communication certificate of the first node; after obtaining the authority authentication result for the second node, the method further includes:
signing the message carrying the authority authentication result based on a private key corresponding to the communication certificate of the first node to generate the second access message; wherein the second access message includes the fourth signature information.
It should be noted that, this embodiment is used as an implementation manner of the server corresponding to the embodiment shown in fig. 1, and specific implementation manners thereof may refer to relevant descriptions of the embodiment shown in fig. 1 and achieve the same beneficial effects, and are not described herein again to avoid repeated descriptions.
Referring to fig. 3, a third flowchart of the node access method provided by the embodiment of the present invention is shown, and is applied to a second node. As shown in fig. 3, the method may include the steps of:
step 301, acquiring an authority authentication code; the authority authentication code is used by a target device for verification to obtain an authority authentication result, the target device is a first node or a server, and the authority authentication result indicates a target operation authority possessed by the second node;
step 302, generating a first access message based on the authority authentication code;
step 303, sending the first access message to the first node, so that the first node executes an operation instruction matched with the target operation authority in the first access message.
Optionally, after sending the first access message to the first node, the method further includes:
receiving a return result message of the first node; wherein the return result message includes an execution result of the operation instruction in the first access message.
It should be noted that, this embodiment is used as an implementation manner of the second node corresponding to the embodiment shown in fig. 1, and specific implementation manners thereof may refer to relevant descriptions of the embodiment shown in fig. 1 and achieve the same beneficial effects, and are not described herein again to avoid repeated descriptions.
For better understanding of the present invention, the following detailed description of the present invention is given by way of specific examples.
When the node leaves a factory, the unified identity authentication center of the Internet of things issues an equipment identity certificate, namely a signature key pair (comprising a signature private key and a corresponding signature public key), and an equipment encryption certificate, namely an encryption key pair (comprising an encryption private key and a corresponding encryption public key), wherein the equipment identity certificate is used for uniquely identifying the node.
When the node is connected to the internet of things, the node is registered with the service center by using the equipment identity certificate, and the equipment information including the equipment encryption certificate is registered with the service center. When other nodes send messages to the node, the equipment encryption certificate is used for encrypting the messages to be sent, and then the encrypted messages are signed by the communication certificate, and the signature information and the encrypted messages form a complete access message.
The private key corresponding to the communication certificate of the node can be stored in the access node (such as a mobile phone of a user), or stored in a unified identity authentication center, and the authentication center performs identity authentication on the node and then signs the message by using the private key corresponding to the communication certificate of the accessed node to generate a final access message.
The authority authentication code of the node, such as a secret character string, can be stored in the service center at registration and sent by the service center to other authorized nodes, or obtained by other nodes directly from the corresponding node through other means (such as from the node materials). For example, a smart home appliance controlled by a mobile phone may use this method: the secret character string and the equipment encryption certificate of the node are obtained from the appliance's housing, and the service center is accessed through the Internet to control the appliance. In this mode, the secret character string that determines the specific access authority exists only on the controlling mobile phone node, and no other node in the Internet of Things has complete authority to access the appliance. The service center then mainly serves to deploy communication certificates and to forward messages so as to penetrate the local area network. Therefore, because the authority authentication code and the equipment encryption certificate are acquired directly from the node rather than through the service center, the user's control over the node achieves high-strength security.
When the node scale is small and the communication links between the nodes can be directly connected without transferring through the service center, the node stores the equipment encryption certificate and the communication certificate of the opposite node, and the nodes can directly communicate with each other.
The certificate the node uses for verifying the identity of other nodes is hereinafter referred to as the node communication certificate, and can be written by an initialization program when the node is initialized on joining the network. The process is as follows: the initialization program obtains the equipment initialization key from the node manufacturer, encrypts the prepared node communication certificate with the equipment initialization key and transmits it in through the communication channel designed for the node; the node decrypts the received data with its built-in initialization key and verifies the validity of the data, and if verification succeeds, stores the communication certificate. Encryption uses a symmetric algorithm such as SM4, and data validity verification uses a message authentication code (HMAC).
The initialization key of the node can be supplied with the node materials. After the communication certificate of the node has been written, writing it again requires the device to be restored to its factory state; different factory-reset modes are designed for the device according to its purpose.
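The initialization write described above, as an added example in Go (not the patent's own code): the initialization program encrypts the communication certificate under a key derived from the equipment initialization key and attaches an HMAC; the node verifies the HMAC before decrypting, stores the certificate only while in factory state, and requires a factory reset before any later rewrite. AES-CTR stands in for SM4, which the Go standard library does not provide; the key derivation and the message layout are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// InitMessage is the constructed wire form of the initialization write: the node
// communication certificate encrypted under a key derived from the initialization
// key, plus an HMAC over nonce||ciphertext for data validity verification.
type InitMessage struct {
	Nonce, Ciphertext, Tag []byte
}

// Node models the part of a device that takes part in initialization.
type Node struct {
	initKey   []byte   // built-in equipment initialization key (from the manufacturer)
	commCerts [][]byte // node communication certificate set, empty until initialized
	factory   bool     // true until the first successful write; only a factory reset clears it
}

func NewNode(initKey []byte) *Node { return &Node{initKey: initKey, factory: true} }

// deriveKeys splits the single initialization key into an encryption key and a
// MAC key (constructed derivation; the patent does not specify one).
func deriveKeys(initKey []byte) (encKey, macKey []byte) {
	e := sha256.Sum256(append([]byte("enc:"), initKey...))
	m := sha256.Sum256(append([]byte("mac:"), initKey...))
	return e[:], m[:]
}

// tag computes the HMAC-SHA256 used for data validity verification.
func tag(macKey, nonce, ct []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write(nonce)
	mac.Write(ct)
	return mac.Sum(nil)
}

// SealInitMessage is the initialization program's side: encrypt, then MAC.
// AES-CTR stands in for the SM4 named in the text.
func SealInitMessage(initKey, cert []byte) (InitMessage, error) {
	encKey, macKey := deriveKeys(initKey)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return InitMessage{}, err
	}
	nonce := make([]byte, aes.BlockSize)
	if _, err := rand.Read(nonce); err != nil {
		return InitMessage{}, err
	}
	ct := make([]byte, len(cert))
	cipher.NewCTR(block, nonce).XORKeyStream(ct, cert)
	return InitMessage{Nonce: nonce, Ciphertext: ct, Tag: tag(macKey, nonce, ct)}, nil
}

// WriteCommCert is the node's side: accept only in factory state, check the HMAC
// before decrypting anything, and store the certificate only if all checks pass.
func (n *Node) WriteCommCert(m InitMessage) error {
	if !n.factory {
		return errors.New("already initialized: restore factory settings first")
	}
	if len(m.Nonce) != aes.BlockSize {
		return errors.New("malformed initialization message")
	}
	encKey, macKey := deriveKeys(n.initKey)
	if !hmac.Equal(tag(macKey, m.Nonce, m.Ciphertext), m.Tag) {
		return errors.New("data validity verification failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return err
	}
	cert := make([]byte, len(m.Ciphertext))
	cipher.NewCTR(block, m.Nonce).XORKeyStream(cert, m.Ciphertext)
	if len(cert) == 0 {
		return errors.New("empty communication certificate")
	}
	n.commCerts = append(n.commCerts, cert)
	n.factory = false // a second write now requires a factory reset
	return nil
}

// CommCerts returns the stored communication certificate set.
func (n *Node) CommCerts() [][]byte { return n.commCerts }

// FactoryReset restores the factory state so a new communication certificate can be written.
func (n *Node) FactoryReset() { n.commCerts, n.factory = nil, true }

func main() {
	key := []byte("constructed-init-key") // placeholder, not a real device key
	node := NewNode(key)
	msg, _ := SealInitMessage(key, []byte("constructed communication certificate"))
	fmt.Println("first write:", node.WriteCommCert(msg), "second write:", node.WriteCommCert(msg))
}
```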
Referring to fig. 4, fig. 4 shows an access interaction diagram of a node in a node mode accessing a relevant device in a system, as shown in fig. 4, including the following steps:
first, when the second node initializes the first node, the second node writes the generated communication certificate into the first node, and at the same time, the first node may connect to the service center, and register the device identity certificate, the communication certificate, and the device encryption certificate of the first node in the service center.
The second node then sends an access message.
The access message may include a ciphertext operation instruction, that is, an encrypted operation instruction, first signature information generated based on a private key corresponding to a communication certificate of the first node, and an authority authentication code, and the access message may further include an equipment identity certificate of the first node, so that in remote communication, the service center finds the network address of the first node according to the equipment identity certificate of the first node, and sends the access message to the first node based on the network address of the first node.
In short-range communication, the second node directly sends an access message to the first node; in the remote communication, the second node sends the access message to the service center, the service center finds the network address of the first node based on the equipment identity certificate of the first node, and sends the access message to the first node based on the network address of the first node.
The first node then authenticates the second node based on the access message.
The first node first verifies the first signature information based on a communication certificate set acquired in advance; if verification succeeds, it decrypts the ciphertext operation instruction to obtain the plaintext operation instruction, namely the decrypted operation instruction; and if the decryption result shows that verification succeeded, the identity authentication of the second node is successful.
And then, under the condition that the first node successfully authenticates the identity of the second node, the target operation authority possessed by the second node is determined based on the authority authentication code in the access message.
And then, the first node executes the operation instruction matched with the target operation authority in the first access message to obtain an operation result message.
Wherein the operation result message includes an execution result of the operation instruction in the first access message.
Then, the first node encrypts and signs the operation result message, and then generates a return result message.
Wherein the return result message includes the encrypted operation result message and second signature information of the first node.
And finally, the first node sends a return result message to the second node.
In short-range communication, the first node directly sends a return result message to the second node; in the remote communication, the first node sends the return result message to the service center, the service center finds the network address of the second node based on the equipment identity certificate of the second node, and sends the return result message to the second node based on the network address of the second node.
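The first node's side of the node-mode exchange above (signature check against the communication certificate set, then authority authentication, then execution of only the matching instructions with the A1/A2/A3-style per-instruction results described earlier), as an added example in Go that is not the patent's own code. The message format, the authority structure, the use of Ed25519 for the communication certificate and the handling of a dynamic response code via its preset time are assumptions; the encryption layer is omitted to keep the block focused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"time"
)

// Payload is the signed body of the access message (constructed format; the patent fixes none).
type Payload struct {
	AuthCode     string   `json:"auth_code"`    // authority authentication code
	Instructions []string `json:"instructions"` // operation instructions, e.g. A1, A2, A3
}

type AccessMessage struct {
	Payload, Signature []byte // payload and the "first signature information" over it
}

// Authority is one preset operation authority of the first node.
type Authority struct {
	Code     string          // secret character string, or the current dynamic response code
	IssuedAt time.Time       // when the node generated a dynamic code
	Window   time.Duration   // preset response time for a dynamic code; 0 means a static code
	Allowed  map[string]bool // operation instructions this authority covers
}

// FirstNode holds the trusted communication certificate set and the preset authorities.
type FirstNode struct {
	TrustedCerts []ed25519.PublicKey
	Authorities  []Authority
}

// BuildAccessMessage is the second node's side: sign the payload with the communication certificate's private key.
func BuildAccessMessage(priv ed25519.PrivateKey, p Payload) AccessMessage {
	raw, _ := json.Marshal(p) // cannot fail for this struct
	return AccessMessage{Payload: raw, Signature: ed25519.Sign(priv, raw)}
}

// verifySignature accepts the message only if some trusted communication certificate verifies it.
func (n *FirstNode) verifySignature(m AccessMessage) bool {
	for _, cert := range n.TrustedCerts {
		if ed25519.Verify(cert, m.Payload, m.Signature) {
			return true
		}
	}
	return false
}

// authenticate maps the code to a preset authority; a dynamic code is accepted only within its preset time.
func (n *FirstNode) authenticate(code string, now time.Time) (*Authority, error) {
	if code == "" { // the "null" type is not modelled here: no code, no authority
		return nil, fmt.Errorf("empty authority authentication code")
	}
	for i := range n.Authorities {
		a := &n.Authorities[i]
		if subtle.ConstantTimeCompare([]byte(a.Code), []byte(code)) != 1 {
			continue
		}
		if a.Window > 0 && now.Sub(a.IssuedAt) > a.Window {
			return nil, fmt.Errorf("dynamic response code expired")
		}
		return a, nil
	}
	return nil, fmt.Errorf("authority authentication failed")
}

// Handle: identity authentication (signature), then authority authentication, then execute only covered instructions.
func (n *FirstNode) Handle(m AccessMessage, now time.Time) (map[string]string, error) {
	if !n.verifySignature(m) {
		return nil, fmt.Errorf("signature verification failed: message discarded")
	}
	var p Payload
	if err := json.Unmarshal(m.Payload, &p); err != nil {
		return nil, err
	}
	auth, err := n.authenticate(p.AuthCode, now)
	if err != nil {
		return nil, err
	}
	results := make(map[string]string, len(p.Instructions))
	for _, ins := range p.Instructions {
		if auth.Allowed[ins] {
			results[ins] = "success" // a real node performs the action here
		} else {
			results[ins] = "failure: authority exceeded"
		}
	}
	return results, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	lock := &FirstNode{TrustedCerts: []ed25519.PublicKey{pub},
		Authorities: []Authority{{Code: "constructed-secret", Allowed: map[string]bool{"A1": true, "A2": true}}}}
	msg := BuildAccessMessage(priv, Payload{AuthCode: "constructed-secret", Instructions: []string{"A1", "A2", "A3"}})
	fmt.Println(lock.Handle(msg, time.Now()))
}
```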
Referring to fig. 5, fig. 5 shows an access interaction diagram of a node in a service center mode accessing a relevant device in a system, as shown in fig. 5, including the following steps:
firstly, short-range communication between a first node and a second node is established, the first node acquires an equipment identity certificate of the second node in an initialization state, the equipment identity certificate of the first node and the equipment identity certificate of the second node are registered to a service center, and the service center binds the first node and the second node.
The second node then sends an access message to the service center.
The access message may include a ciphertext operation instruction, that is, an encrypted operation instruction, third signature information generated based on the device identity certificate of the second node, and an authority authentication code, and the access message may further include the device identity certificate of the first node, so that the service center obtains the node bound to the first node according to the device identity certificate of the first node, finds the network address of the first node according to the device identity certificate of the first node, and sends the access message to the first node based on the network address of the first node.
Then, the service center finds the association list of the first node and carries out identity authentication on the second node.
The association list of the first node comprises the equipment identity certificates of other nodes bound to the first node. The third signature information is verified based on the association list, and the identity authentication of the second node is determined to be successful if the signature verification succeeds.
Then, the service center verifies the operation authority of the second node based on the authority authentication code in the access message, and generates an authority authentication result, wherein the authority authentication result indicates the target operation authority possessed by the second node.
Then, the service center signs the message carrying the authority authentication result based on the private key corresponding to the communication certificate of the first node, and generates another access message.
And the other access message comprises fourth signature information generated by the service center based on a private key corresponding to the communication certificate of the first node.
The service center then sends another access message to the first node.
And then, under the condition that the identity authentication of the second node is successful, the first node determines the target operation authority possessed by the second node based on the authority authentication result in the other access message.
And then, the first node executes the operation instruction matched with the target operation authority in the first access message to obtain an operation result message.
Wherein the operation result message includes an execution result of the operation instruction in the first access message.
Then, the first node encrypts and signs the operation result message, and then generates a return result message.
Wherein the return result message includes the encrypted operation result message and second signature information of the first node.
Then, the first node sends a return result message to the service center.
And finally, the service center sends the return result message to the second node.
The following description will be made in detail with reference to the first node as a door lock and the second node as a mobile phone as an example.
Application example one (door lock control in node mode)
Scene description: the door lock is connected with the router WiFi to surf the internet, and the door of the door lock is controlled to be opened by a program of a mobile client.
Door lock initialization. Specifically, the initialization password is acquired from the door lock materials, a mobile phone with Bluetooth is connected to the door lock, the door lock control APP of the mobile phone generates a communication certificate, and the communication certificate is encrypted with the initialization password and written into the door lock. Correspondingly, the door lock verifies the written data and state, and the communication certificate is written successfully. The door lock connects to the service center, generates a registration message, signs it with the equipment identity certificate, registers the equipment identity certificate, communication certificate and equipment encryption certificate of the door lock with the service center, and keeps an uninterrupted network connection with the service center.
The secret character string is acquired from the door lock materials, and the equipment encryption certificate and equipment identity certificate of the door lock are stored in the door lock control APP of the mobile phone.
The user opens the door through the door lock control APP of the mobile phone. Specifically, the door lock control APP of the mobile phone generates a door opening message using the equipment encryption certificate of the mobile phone, the secret character string and the equipment encryption certificate of the door lock; the message is encrypted with the public key of the door lock's equipment encryption certificate and combined with the equipment identity certificate of the door lock to form the door opening message, which is then signed with the private key corresponding to the communication certificate.
If the mobile phone can be directly connected with the door lock, namely short-range communication, the mobile phone directly sends the door opening message to the door lock. If the mobile phone can not be directly connected with the door lock, namely remote communication, the door opening message is sent to the service center, the service center finds out the network address of the door lock according to the equipment identity certificate of the door lock, and the door opening message is sent to the door lock.
After the door lock receives the door opening message, it verifies the signature with the communication certificate and decrypts the message with the private key of the door lock's equipment encryption certificate; once signature verification and decryption have both passed, it checks whether the secret character string is correct, performs the door opening action if it is, and generates a return result message based on the operation result message. The return result message is encrypted with the public key of the mobile phone's equipment encryption certificate and signed with the equipment identity certificate of the door lock.
During short-range communication, the return result message is sent directly to the mobile phone; during remote communication, it is sent to the service center, which returns it to the mobile phone.
The door lock control APP of the mobile phone obtains the door opening result. Specifically, the mobile phone verifies the received return result message using the equipment identity certificate of the door lock and, after verification passes, decrypts it with the private key corresponding to the equipment encryption certificate of the mobile phone to obtain the operation result message.
Application example two (door lock control in service center mode)
Scene description: the door lock is provisioned at manufacture with its equipment identity certificate and corresponding private key, its equipment encryption certificate and corresponding private key, and a trusted communication certificate. The door lock is connected to a service center over the network; the private key of the communication certificate trusted by the door lock is stored only in the service center, and the service center signs the authenticated node information it sends to the door lock with that communication certificate. The service center authenticates a node with the node's equipment identity certificate; the node's equipment identity certificate is stored in the service center on first registration, and that registration is verified with the equipment identity certificate of the door lock. The equipment identity certificate of the door lock is uploaded to the service center by the manufacturer, and the service center verifies it with a preset manufacturer certificate.
(5) Initializing the door lock. The user connects the mobile phone to the door lock over Bluetooth and sets up the LAN network connection for the door lock. The door lock control APP of the mobile phone downloads the equipment identity certificate from the personal certificate center, and the private key is stored in the door lock control APP or in the security key module of the mobile phone. The APP obtains the door lock initialization key from the door lock data, encrypts the mobile phone's equipment identity certificate with the initialization key, and sends the encrypted certificate to the door lock. After the door lock verifies it, the door lock extracts the mobile phone's equipment identity certificate, adds its own equipment encryption certificate and equipment identity certificate to form the registration information, signs the registration information with its equipment identity certificate, and sends it to the service center for registration. After verification succeeds, the service center stores the equipment encryption certificate of the door lock and binds the equipment identity certificate of the mobile phone to the equipment identity certificate of the door lock.
The secret character string is obtained from the door lock data, and the equipment encryption certificate and equipment identity certificate of the door lock are stored in the door lock control APP of the mobile phone.
The door lock control APP of the mobile phone opens the door remotely. Specifically, the door lock control APP generates a door opening message consisting of the secret character string and the equipment identity certificate of the door lock, encrypts it with the equipment encryption certificate of the door lock, signs it with the equipment identity certificate of the mobile phone, and sends it to the service center. The service center obtains the equipment identity certificate of the mobile phone through the binding between the equipment identity certificate of the door lock and that of the mobile phone, verifies the door opening message with the mobile phone's equipment identity certificate, then verifies the operation authority of the mobile phone based on the secret character string, and after that check passes generates an authority authentication result that informs the door lock whether the mobile phone has the operation authority to open the door.
The service center then signs the door opening message, which carries the authority authentication result, with the private key of the door lock's communication certificate, sends it to the door lock, receives the return result message, and forwards the return result message to the mobile phone.
The door lock control APP of the mobile phone obtains the door opening result. Specifically, the mobile phone verifies the received return result message with the equipment identity certificate of the door lock and, after verification passes, decrypts it with the private key corresponding to the mobile phone's equipment encryption certificate to obtain the operation result message.
In addition, the door lock control APP of the mobile phone can send an authorization message to be signed to the door lock; the door lock signs the received authorization message with its equipment identity certificate and returns the result to the door lock control APP of the mobile phone. If the returned result is that the door lock agrees to the authorization, the door lock control APP of the mobile phone sends the signed authorization message to the service center, and after verification passes the service center can add door lock control authority for another user.
The following describes a node access apparatus provided in an embodiment of the present invention.
Referring to fig. 6, a schematic structural diagram of a node access apparatus according to an embodiment of the present invention is shown. Applied to a first node, as shown in fig. 6, the node accessing apparatus 600 includes:
a first obtaining module 601, configured to obtain an authority authentication result for a second node; the authority authentication result is obtained by a target device verifying the authority authentication code carried in a first access message sent by the second node, the target device being the first node or the server, and the authority authentication result indicates the target operation authority possessed by the second node;
an executing module 602, configured to execute the operation instruction matched with the target operation permission in the first access message.
Optionally, the first obtaining module 601 includes:
a first receiving unit, configured to receive a first access message of a second node, where the first access message carries an authority authentication code;
and the verification unit is used for verifying the operation authority of the second node based on the authority authentication code to obtain an authority authentication result.
Optionally, the first obtaining module 601 includes:
a second receiving unit, configured to receive a second access message sent by the server; the second access message includes the authority authentication result for the second node, obtained by the server verifying the authority authentication code carried in the first access message sent by the second node.
Optionally, if the type of the authority authentication code is a fixed secret character string, the verification unit is specifically configured to match the authority authentication code against a first operation authority list acquired in advance and, if the match succeeds, to determine the operation authority corresponding to the target secret character string in the first operation authority list as the target operation authority possessed by the second node; the first operation authority list includes at least one secret character string and the operation authority corresponding to each secret character string, and the target secret character string is the secret character string in the first operation authority list that matches the authority authentication code.
Optionally, if the type of the authority authentication code is a dynamic response code, the verification unit is specifically configured to compare the authority authentication code with a target dynamic response code and, if the comparison succeeds, to determine the preset operation authority whose type corresponds to the dynamic response code as the target operation authority possessed by the second node; the target dynamic response code is a dynamic response code sent to the first node by a server, generated randomly by the server when it receives the second node's request to access the first node.
Optionally, the verification unit is further configured to obtain the response time of the second node for the authority authentication code, determine whether the response time is within a preset time, and, only if it is, execute the step of determining the preset operation authority whose type corresponds to the dynamic response code as the target operation authority possessed by the second node.
Optionally, if the type of the authority authentication code is null, the verification unit is specifically configured to determine the operation authority corresponding to the preset null authority authentication code type as the target operation authority possessed by the second node, or to determine that the target operation authority possessed by the second node is the maximum operation authority accessible on the first node.
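The three verification-unit branches above (fixed secret character string, dynamic response code with the response-time check, and the null type), as an added Go example that is not the patent's code; the struct and field names, the constant-time comparison, and the single-use handling of the dynamic response code are assumptions of this example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// CodeType is the type of the authority authentication code in the first access message.
type CodeType int

const (
	FixedSecret     CodeType = iota // secret character string looked up in the operation authority list
	DynamicResponse                 // random code the server issued for this access and sent to the first node
	NullCode                        // no code at all
)

// FirstNode holds what the verification unit needs; field names are assumptions.
type FirstNode struct {
	AuthorityList map[string]string // first operation authority list: secret string -> operation authority
	TargetCode    string            // target dynamic response code received from the server
	CodeIssuedAt  time.Time         // when the server issued it (start of the response-time window)
	MaxResponse   time.Duration     // preset time within which the second node must respond
	DynamicAuth   string            // preset operation authority for the dynamic response code type
	NullAuth      string            // preset operation authority for the null type; "" means grant MaxAuth
	MaxAuth       string            // maximum operation authority accessible on this node
}

// AccessMessage is the part of the first access message the verifier looks at.
type AccessMessage struct {
	Type       CodeType
	Code       string
	ReceivedAt time.Time // when the first node received the message
}

var ErrDenied = errors.New("authority authentication failed")

// Verify returns the target operation authority the second node possesses, or
// ErrDenied. Secret comparisons run in constant time so timing leaks nothing.
func (n *FirstNode) Verify(msg AccessMessage) (string, error) {
	switch msg.Type {
	case FixedSecret:
		granted, found := "", false
		for secret, auth := range n.AuthorityList { // scan every entry, no early exit
			if subtle.ConstantTimeCompare([]byte(secret), []byte(msg.Code)) == 1 {
				granted, found = auth, true
			}
		}
		if !found {
			return "", ErrDenied
		}
		return granted, nil
	case DynamicResponse:
		if n.TargetCode == "" || subtle.ConstantTimeCompare([]byte(n.TargetCode), []byte(msg.Code)) != 1 {
			return "", ErrDenied
		}
		// Claim 6: the response time must fall within the preset time before the authority is granted.
		elapsed := msg.ReceivedAt.Sub(n.CodeIssuedAt)
		if elapsed < 0 || elapsed > n.MaxResponse {
			return "", ErrDenied
		}
		n.TargetCode = "" // one access per issued code (an assumption added here, not stated in the text)
		return n.DynamicAuth, nil
	case NullCode:
		if n.NullAuth != "" {
			return n.NullAuth, nil
		}
		return n.MaxAuth, nil
	}
	return "", ErrDenied
}

// NewSampleNode builds a first node from constructed sample data.
func NewSampleNode(issued time.Time) *FirstNode {
	return &FirstNode{
		AuthorityList: map[string]string{"open-secret-A": "open_door", "view-secret-B": "view_log"},
		TargetCode:    "R4nd0m-constructed",
		CodeIssuedAt:  issued,
		MaxResponse:   30 * time.Second,
		DynamicAuth:   "open_door",
		MaxAuth:       "admin",
	}
}

func main() {
	t0 := time.Date(2020, 1, 1, 12, 0, 0, 0, time.UTC)
	n := NewSampleNode(t0)
	for _, m := range []AccessMessage{
		{FixedSecret, "open-secret-A", t0},
		{FixedSecret, "not-in-list", t0},
		{DynamicResponse, "R4nd0m-constructed", t0.Add(time.Minute)}, // too late
		{DynamicResponse, "R4nd0m-constructed", t0.Add(10 * time.Second)},
		{NullCode, "", t0},
	} {
		auth, err := n.Verify(m)
		fmt.Printf("type=%d code=%q -> authority=%q err=%v\n", m.Type, m.Code, auth, err)
	}
}
```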
Optionally, the first access message includes first signature information generated by the second node based on the private key corresponding to the communication certificate of the first node; the node access apparatus 600 further includes:
a first signature verification module, configured to verify the first signature information based on a communication certificate set acquired in advance; the communication certificate set includes at least one communication certificate, and the communication certificate is used to verify the identity validity of the second node;
a first triggering module, configured to trigger the first obtaining module 601 when the signature verification succeeds.
Optionally, the node accessing apparatus 600 further includes:
a first receiving module, configured to receive a write message sent by the second node; the write message comprises a communication certificate generated by the second node;
and a writing module, configured to write the communication certificate generated by the second node into the communication certificate set of the first node when the write message passes verification.
Optionally, the first access message is an access message generated after the second node encrypts the permission authentication code based on a first encryption public key of the first node acquired in advance; the first obtaining module 601 further includes:
the first obtaining unit is used for decrypting the first access message based on a first encryption private key corresponding to the first encryption public key to obtain a decryption result;
and the second obtaining unit is used for obtaining the authority authentication result aiming at the second node from the decrypted first access message under the condition that the decryption result shows that the verification is successful.
Optionally, the node accessing apparatus 600 further includes:
the encryption module is used for encrypting the operation result message based on a second encryption public key of the second node; wherein the operation result message comprises an execution result of an operation instruction in the first access message;
the first signature module is used for signing the encrypted operation result message based on the signature private key of the first node to obtain second signature information of the first node;
a third sending module, configured to send a return result message to the second node; wherein the return result message includes the encrypted operation result message and second signature information of the first node.
The node access apparatus 600 can implement each process implemented by the first node in the first node side node access method embodiment, and can achieve the same technical effect, and for avoiding repetition, details are not described here again.
Referring to fig. 7, a second schematic structural diagram of a node access apparatus according to an embodiment of the present invention is shown. Applied to a server, as shown in fig. 7, a node access apparatus 700 includes:
a second obtaining module 701, configured to obtain an authority authentication result for a second node; the authority authentication result is obtained by the server verifying the authority authentication code carried in a first access message sent by the second node, and the authority authentication result indicates the target operation authority possessed by the second node;
a first sending module 702, configured to send a second access message to the first node; the second access message includes the authority authentication result, and the second access message is used to instruct the first node to execute the operation instruction matched with the target operation authority in the first access message.
Optionally, the second obtaining module 701 is specifically configured to receive a first access message sent by the second node, where the first access message carries an authority authentication code, and to verify the operation authority of the second node based on the authority authentication code to obtain the authority authentication result.
Optionally, the first access message includes third signature information generated by the second node based on a signature private key of the second node; the node accessing apparatus 700 further includes:
a third obtaining module, configured to obtain an association list of the first node; wherein the association list comprises signature public keys of other nodes associated with the first node;
a second signature verification module, configured to verify the third signature information based on the association list;
and a second triggering module, configured to trigger the second obtaining module 701 when the signature verification succeeds.
Optionally, the node access apparatus 700 further includes:
a second receiving module, configured to receive a registration message sent by the first node; wherein the registration message comprises a public signature key of the second node and a public signature key of the first node;
and the association storage module is used for performing association storage on the signature public key of the second node and the signature public key of the first node.
Optionally, the second access message further includes fourth signature information generated by the server based on a private key corresponding to the communication certificate of the first node; the node accessing apparatus 700 further includes:
the second signature module is used for signing the message carrying the authority authentication result based on a private key corresponding to the communication certificate of the first node to generate a second access message; wherein the second access message includes the fourth signature information.
The node access apparatus 700 can implement each process implemented by the server in the server-side node access method embodiment, and can achieve the same technical effect, and for avoiding repetition, details are not described here again.
Referring to fig. 8, a third schematic structural diagram of a node access apparatus according to the embodiment of the present invention is shown. Applied to the second node, as shown in fig. 8, the node access apparatus 800 includes:
a third obtaining module 801, configured to obtain an authority authentication code; the authority authentication code is used by a target device to verify the second node and obtain an authority authentication result, the target device being a first node or a server, and the authority authentication result indicates the target operation authority possessed by the second node;
a generating module 802, configured to generate a first access message based on the authority authentication code;
a second sending module 803, configured to send the first access message to the first node, so that the first node executes an operation instruction, which is matched with the target operation permission, in the first access message.
Optionally, the node accessing apparatus 800 further includes:
a third receiving module, configured to receive a return result message of the first node; wherein the return result message includes an execution result of the operation instruction in the first access message.
The node access apparatus 800 can implement each process implemented by the second node in the second node side node access method embodiment, and can achieve the same technical effect, and for avoiding repetition, details are not described here again.
Referring to fig. 9, a schematic diagram of a hardware structure of a first node according to an embodiment of the present invention is shown. As shown in fig. 9, the first node 900 includes: a first processor 901, a first memory 902, a first user interface 903 and a first bus interface 904.
The first processor 901 is configured to read the program in the first memory 902, and execute the following processes:
acquiring an authority authentication result for the second node; the authority authentication result is obtained by a target device verifying the authority authentication code carried in a first access message sent by the second node, the target device being the first node or the server, and the authority authentication result indicates the target operation authority possessed by the second node;
and executing the operation instruction matched with the target operation authority in the first access message.
In fig. 9, the bus architecture may include any number of interconnected buses and bridges, with one or more processors represented by the first processor 901 and various circuits of the memory represented by the first memory 902 being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The first bus interface 904 provides an interface. For different user devices, the first user interface 903 may also be an interface capable of interfacing with a desired device, including but not limited to a keypad, a display, a speaker, a microphone, a joystick, etc.
The first processor 901 is responsible for managing a bus architecture and general processing, and the first memory 902 may store data used by the first processor 901 when performing operations.
Preferably, an embodiment of the present invention further provides a first node, including a first processor 901, a first memory 902, and a computer program stored in the first memory 902 and capable of running on the first processor 901, where the computer program, when executed by the first processor 901, implements each process of the first node-side node access method embodiment, and can achieve the same technical effect, and details are not described here to avoid repetition.
Referring to fig. 10, a schematic diagram of a hardware structure of a server according to an embodiment of the present invention is shown. As shown in fig. 10, the server 1000 includes: a second processor 1001, a second memory 1002, a second user interface 1003 and a second bus interface 1004.
The second processor 1001 is configured to read the program in the second memory 1002 and execute the following processes:
acquiring an authority authentication result for the second node; the authority authentication result is obtained by the server verifying the authority authentication code carried in a first access message sent by the second node, and the authority authentication result indicates the target operation authority possessed by the second node;
sending the second access message to the first node; the second access message comprises the authority authentication result, and the second access message is used for instructing the first node to execute the operation instruction matched with the target operation authority in the first access message.
In fig. 10, the bus architecture may include any number of interconnected buses and bridges, with one or more processors represented by the second processor 1001 and various circuits of the memory represented by the second memory 1002 being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. A second bus interface 1004 provides an interface. For different user devices, the second user interface 1003 may also be an interface capable of externally connecting a desired device, including but not limited to a keypad, a display, a speaker, a microphone, a joystick, etc.
The second processor 1001 is responsible for managing a bus architecture and general processing, and the second memory 1002 may store data used by the second processor 1001 when performing operations.
Preferably, an embodiment of the present invention further provides a server, including a second processor 1001, a second memory 1002, and a computer program that is stored in the second memory 1002 and is executable on the second processor 1001, where the computer program, when executed by the second processor 1001, implements each process of the server-side node access method embodiment, and can achieve the same technical effect, and in order to avoid repetition, details are not described here again.
Referring to fig. 11, a schematic diagram of a hardware structure of the second node according to the embodiment of the present invention is shown. As shown in fig. 11, the second node 1100 includes: a third processor 1101, a third memory 1102, a third user interface 1103 and a third bus interface 1104.
The third processor 1101 is configured to read the program in the third memory 1102 and execute the following processes:
acquiring an authority authentication code; the authority authentication code is used by a target device to verify the second node and obtain an authority authentication result, the target device being a first node or a server, and the authority authentication result indicates the target operation authority possessed by the second node;
generating a first access message based on the authority authentication code;
and sending the first access message to the first node, so that the first node executes the operation instruction matched with the target operation authority in the first access message.
In FIG. 11, the bus architecture may include any number of interconnected buses and bridges, with one or more processors represented by the third processor 1101 and various circuits of memory represented by the third memory 1102 being linked together. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. The third bus interface 1104 provides an interface. The third user interface 1103 may also be an interface capable of interfacing externally to a desired device for different user devices, including but not limited to a keypad, a display, a speaker, a microphone, a joystick, etc.
The third processor 1101 is responsible for managing a bus architecture and general processing, and the third memory 1102 may store data used by the third processor 1101 in performing operations.
Preferably, an embodiment of the present invention further provides a terminal device, which includes a third processor 1101, a third memory 1102, and a computer program that is stored in the third memory 1102 and is executable on the third processor 1101, and when the computer program is executed by the third processor 1101, the computer program implements each process of the second node-side node access method embodiment, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
An embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a first processor it implements each process of the first node-side node access method embodiment, when executed by a second processor it implements each process of the server-side node access method embodiment, and when executed by a third processor it implements each process of the second node-side node access method embodiment, and it can achieve the same technical effect; to avoid repetition, details are not described here again. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present application, it should be understood that the disclosed system and method may be implemented in other ways. For example, the above-described system embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a U disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (25)

1. A node access method, applied to a first node, the method comprising:
acquiring an authority authentication result for a second node; the authority authentication result is obtained by a target device verifying an authority authentication code carried in a first access message sent by the second node, the target device is the first node or a server, and the authority authentication result indicates a target operation authority possessed by the second node;
and executing the operation instruction matched with the target operation authority in the first access message.
2. The method of claim 1, wherein obtaining the result of the authorization authentication for the second node comprises:
receiving a first access message of a second node, wherein the first access message carries an authority authentication code;
and verifying the operation authority of the second node based on the authority authentication code to obtain an authority authentication result.
3. The method of claim 1, wherein obtaining the result of the authorization authentication for the second node comprises:
receiving a second access message sent by a server; the second access message comprises the authority authentication result for the second node, obtained by the server verifying the authority authentication code carried in the first access message sent by the second node.
4. The method according to claim 2, wherein, if the type of the authority authentication code is a fixed secret character string, the verifying the operation authority of the second node based on the authority authentication code to obtain an authority authentication result comprises:
matching the authority authentication code based on a first operation authority list acquired in advance;
and, if the matching succeeds, determining the operation authority corresponding to the target secret character string in the first operation authority list as the target operation authority possessed by the second node; the first operation authority list comprises at least one secret character string and the operation authority corresponding to each secret character string, and the target secret character string is the secret character string in the first operation authority list that matches the authority authentication code.
5. The method according to claim 2, wherein, if the type of the authority authentication code is a dynamic response code, the verifying the operation authority of the second node based on the authority authentication code to obtain an authority authentication result comprises:
comparing the authority authentication code with a target dynamic response code; the target dynamic response code is a dynamic response code sent to the first node by a server, and the target dynamic response code is a dynamic response code randomly generated by the server when the server receives a message of requesting to access the first node by the second node;
and under the condition that the comparison is successful, determining the preset operation authority with the type corresponding to the dynamic response code as the target operation authority possessed by the second node.
6. The method according to claim 5, wherein before determining the preset operation right of which the type is corresponding to the dynamic response code as the target operation right possessed by the second node, the method further comprises:
acquiring the response time of the second node for the authority authentication code;
determining whether the response time is within a preset time;
and under the condition that the response time is within the preset time, executing the step of determining the preset operation authority of which the type is the corresponding dynamic response code as the target operation authority possessed by the second node.
7. The method of claim 2, wherein if the type of the permission authentication code is null; the verifying the operation authority of the second node based on the authority authentication code to obtain an authority authentication result includes:
determining the operation authority corresponding to the preset authority authentication code type being null as the target operation authority possessed by the second node; alternatively, the first and second electrodes may be,
and determining that the target operation authority possessed by the second node is the maximum operation authority accessible by the first node.
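Claims 4 to 7 describe three ways the verifier turns an authority authentication code into a target operation authority: a fixed secret string looked up in an operation authority list, a dynamic response code compared against the one the server issued (accepted only within a preset time), and a null code mapped to a preset or maximum authority. The following Python is an added illustration of that dispatch, not code from the patent or its applicant; the operation names, secret strings, the 30-second window and the single-use flag on a dynamic code are constructed assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for the example (not taken from the patent).
# Claim 4: first operation authority list, secret string -> operations it unlocks.
FIRST_OPERATION_AUTHORITY_LIST = {
    "s3cr3t-read-only": {"read_status"},
    "s3cr3t-operator": {"read_status", "set_mode"},
}
# Claim 5: preset operation authority whose type corresponds to a dynamic response code.
DYNAMIC_CODE_AUTHORITY = {"read_status", "set_mode"}
# Claim 6: preset time within which the second node must answer the dynamic code.
PRESET_RESPONSE_WINDOW_SECONDS = 30.0
# Claim 7: authority preset for a null code type, and the first node's maximum authority.
NULL_TYPE_AUTHORITY = {"read_status"}
MAX_OPERATION_AUTHORITY = {"read_status", "set_mode", "reboot"}


@dataclass
class DynamicChallenge:
    """Target dynamic response code the server issued to the first node (claim 5)."""
    code: str
    issued_at: float      # seconds, on the same clock as responded_at
    used: bool = False    # assumption: each dynamic code is accepted once


def verify_fixed_secret(code: str) -> Optional[set]:
    """Claim 4: match the code against the list; a miss yields no authority."""
    for secret, authority in FIRST_OPERATION_AUTHORITY_LIST.items():
        # Constant-time comparison so timing does not reveal how much of a secret matched.
        if hmac.compare_digest(secret.encode(), code.encode()):
            return set(authority)
    return None


def verify_dynamic_code(code: str, challenge: DynamicChallenge, responded_at: float) -> Optional[set]:
    """Claims 5 and 6: the response must be on time, unused, and equal to the issued code."""
    elapsed = responded_at - challenge.issued_at
    if elapsed < 0 or elapsed > PRESET_RESPONSE_WINDOW_SECONDS:
        return None
    if challenge.used or not hmac.compare_digest(challenge.code.encode(), code.encode()):
        return None
    challenge.used = True
    return set(DYNAMIC_CODE_AUTHORITY)


def verify_null_code(grant_maximum: bool) -> set:
    """Claim 7: the authority preset for a null type, or the first node's maximum authority."""
    return set(MAX_OPERATION_AUTHORITY) if grant_maximum else set(NULL_TYPE_AUTHORITY)


def verify_authority_code(code_type: str, code: Optional[str], challenge: Optional[DynamicChallenge] = None,
                          responded_at: Optional[float] = None, grant_maximum: bool = False) -> Optional[set]:
    """Dispatch on the authority authentication code type; None means verification failed."""
    if code_type == "fixed" and code is not None:
        return verify_fixed_secret(code)
    if code_type == "dynamic" and code is not None and challenge is not None and responded_at is not None:
        return verify_dynamic_code(code, challenge, responded_at)
    if code_type == "null":
        return verify_null_code(grant_maximum)
    return None


def execute_matching(target_authority: Optional[set], instructions: list) -> list:
    """Claim 1: run only the instructions that the target operation authority matches."""
    if not target_authority:
        return []
    return [op for op in instructions if op in target_authority]
```

The time window check runs before the code comparison, so a late answer fails regardless of its value, and a failed verification returns `None` rather than an empty authority so callers can distinguish "no authority" from "verification failed".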
8. The method according to claim 2, wherein the first access message includes first signature information generated by the second node based on a private key corresponding to the communication certificate of the first node, and before acquiring the authority authentication result for the second node, the method further comprises:
verifying the first signature information based on a communication certificate set acquired in advance; wherein the communication certificate set comprises at least one communication certificate, and a communication certificate is used for verifying the identity validity of the second node; and
if the signature verification succeeds, executing the step of acquiring the authority authentication result for the second node.
9. The method according to claim 8, wherein before verifying the first signature information based on the communication certificate set acquired in advance, the method further comprises:
receiving a write message sent by the second node; wherein the write message comprises a communication certificate generated by the second node; and
writing the communication certificate generated by the second node into the communication certificate set of the first node if the write message passes verification.
10. The method according to claim 1, wherein the first access message is generated by the second node by encrypting the authority authentication code with a first encryption public key of the first node acquired in advance, and acquiring the authority authentication result for the second node comprises:
decrypting the first access message with a first encryption private key corresponding to the first encryption public key to obtain a decryption result; and
if the decryption result indicates that the verification succeeded, acquiring the authority authentication result for the second node from the decrypted first access message.
11. The method according to claim 1, wherein after executing the operation instruction in the first access message that matches the target operation authority, the method further comprises:
encrypting an operation result message with a second encryption public key of the second node; wherein the operation result message comprises an execution result of the operation instruction in the first access message;
signing the encrypted operation result message with the signature private key of the first node to obtain second signature information of the first node; and
sending a return result message to the second node; wherein the return result message includes the encrypted operation result message and the second signature information of the first node.
12. A node access method applied to a server, the method comprising:
acquiring an authority authentication result for a second node; wherein the authority authentication result is obtained by the server verifying an authority authentication code carried in a first access message sent by the second node, and the authority authentication result indicates a target operation authority possessed by the second node; and
sending a second access message to a first node; wherein the second access message comprises the authority authentication result, and the second access message is used for instructing the first node to execute the operation instruction in the first access message that matches the target operation authority.
13. The method according to claim 12, wherein acquiring the authority authentication result for the second node comprises:
receiving the first access message sent by the second node; wherein the first access message carries the authority authentication code; and
verifying the operation authority of the second node based on the authority authentication code to obtain the authority authentication result.
14. The method according to claim 12, wherein the first access message includes third signature information generated by the second node based on a signature private key of the second node, and before acquiring the authority authentication result for the second node, the method further comprises:
acquiring an association list of the first node; wherein the association list comprises the signature public keys of other nodes associated with the first node;
verifying the third signature information based on the association list; and
if the signature verification succeeds, executing the step of acquiring the authority authentication result for the second node.
15. The method according to claim 14, wherein before acquiring the association list of the first node, the method further comprises:
receiving a registration message sent by the first node; wherein the registration message comprises the signature public key of the second node and the signature public key of the first node; and
storing the signature public key of the second node and the signature public key of the first node in association with each other.
16. The method according to claim 12, wherein the second access message further includes fourth signature information generated by the server based on a private key corresponding to the communication certificate of the first node, and after acquiring the authority authentication result for the second node, the method further comprises:
signing the message carrying the authority authentication result with the private key corresponding to the communication certificate of the first node to generate the second access message; wherein the second access message includes the fourth signature information.
17. A node access method applied to a second node, the method comprising:
acquiring an authority authentication code; wherein the authority authentication code is used by a target device for verification to obtain an authority authentication result, the target device is a first node or a server, and the authority authentication result indicates a target operation authority possessed by the second node;
generating a first access message based on the authority authentication code; and
sending the first access message to the first node, so that the first node executes the operation instruction in the first access message that matches the target operation authority.
18. The method according to claim 17, wherein after sending the first access message to the first node, the method further comprises:
receiving a return result message from the first node; wherein the return result message includes an execution result of the operation instruction in the first access message.
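Claims 3, 11 and 12 to 18 together describe one exchange: the second node signs a first access message carrying its authority authentication code, the first node forwards it to the server, the server checks the signature against the association list registered for that first node (claims 14 and 15), verifies the code, signs the second access message with the key belonging to the first node's communication certificate (claim 16), and the first node verifies that signature against its communication certificate set (claims 8 and 9), executes only the matching instructions and returns a signed result (claims 11 and 18). The Python below is an added model of that flow, not code from the patent or its applicant. It assumes HMAC-SHA256 as a stand-in for the claims' public-key signatures (so it runs on the standard library alone), adds a nonce to bind the server's reply to one request, leaves out the encryption steps of claims 10 and 11, and uses constructed node names, keys and operations.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed keys (not from the patent). HMAC-SHA256 stands in for the claims' public-key
# signatures; with real signatures each entry is a private key on the signer and a public
# key or certificate on the verifier.
SECOND_NODE_SIGNING_KEY = b"second-node-signing-key"            # claim 14: third signature
FIRST_NODE_COMM_CERT_KEY = b"first-node-communication-cert-key"  # claim 16: fourth signature
FIRST_NODE_SIGNING_KEY = b"first-node-signing-key"              # claim 11: second signature


def sign(key: bytes, payload: dict) -> str:
    """Sign a canonical JSON encoding so signer and verifier hash identical bytes."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict, signature: str) -> bool:
    return hmac.compare_digest(sign(key, payload), signature)


class Server:
    def __init__(self) -> None:
        # Claim 15: association list, first node -> {second node: its signature key}.
        self.association_list: dict = {}
        # Constructed fixed-secret operation authority list (claim 4 style).
        self.operation_authority_list = {"s3cr3t-operator": ["read_status", "set_mode"]}

    def register(self, first_node: str, second_node: str, key: bytes) -> None:
        self.association_list.setdefault(first_node, {})[second_node] = key

    def handle_first_access_message(self, first_node: str, msg: dict, sig3: str) -> Optional[dict]:
        # Claim 14: the third signature must verify under a key associated with this first node.
        key = self.association_list.get(first_node, {}).get(msg["from"])
        if key is None or not verify(key, msg, sig3):
            return None
        # Claim 13: verify the authority authentication code to obtain the target authority.
        authority = self.operation_authority_list.get(msg["auth_code"])
        if authority is None:
            return None
        # Claim 16: sign the second access message with the key matching the first node's
        # communication certificate. The nonce (an added assumption) binds the reply to this
        # particular first access message so an old reply cannot be replayed.
        second_access = {"for": first_node, "nonce": msg["nonce"], "target_authority": authority}
        return {"message": second_access, "sig4": sign(FIRST_NODE_COMM_CERT_KEY, second_access)}


class FirstNode:
    def __init__(self, name: str, server: Server) -> None:
        self.name = name
        self.server = server
        # Claims 8 and 9: communication certificate set used to check the fourth signature.
        self.communication_certificate_set = [FIRST_NODE_COMM_CERT_KEY]
        self.state = {"mode": "normal"}

    def _execute(self, op: str) -> str:
        if op == "read_status":
            return json.dumps(self.state)
        if op == "set_mode":
            self.state["mode"] = "eco"
            return "mode=eco"
        return "rebooted" if op == "reboot" else "unknown"

    def handle_first_access_message(self, msg: dict, sig3: str) -> Optional[dict]:
        # Claim 3: forward the first access message to the server and wait for the second.
        reply = self.server.handle_first_access_message(self.name, msg, sig3)
        if reply is None:
            return None
        ok = any(verify(k, reply["message"], reply["sig4"]) for k in self.communication_certificate_set)
        if not ok or reply["message"]["for"] != self.name or reply["message"]["nonce"] != msg["nonce"]:
            return None
        # Claim 1: execute only the instructions matched by the target operation authority.
        authority = set(reply["message"]["target_authority"])
        results = {op: self._execute(op) for op in msg["instructions"] if op in authority}
        # Claim 11: return result message signed with the first node's signature private key.
        result_msg = {"nonce": msg["nonce"], "results": results}
        return {"message": result_msg, "sig2": sign(FIRST_NODE_SIGNING_KEY, result_msg)}


def second_node_access(first: FirstNode, instructions: list, auth_code: str, nonce: str) -> Optional[dict]:
    """Claims 17 and 18: build and sign the first access message, then check the returned result."""
    msg = {"from": "node-b", "to": first.name, "nonce": nonce,
           "auth_code": auth_code, "instructions": instructions}
    reply = first.handle_first_access_message(msg, sign(SECOND_NODE_SIGNING_KEY, msg))
    if reply is None or not verify(FIRST_NODE_SIGNING_KEY, reply["message"], reply["sig2"]):
        return None
    return reply["message"]["results"]


def demo() -> Optional[dict]:
    server = Server()
    first = FirstNode("node-a", server)
    server.register("node-a", "node-b", SECOND_NODE_SIGNING_KEY)   # claim 15 registration
    # "reboot" is requested but not covered by the target authority, so it is not run.
    return second_node_access(first, ["read_status", "reboot"], "s3cr3t-operator", "nonce-1")
```

Each party verifies before acting and binds its check to the peer it expects: the server only accepts a key registered for the named first node, and the first node rejects a second access message addressed to another node or carrying a different nonce, even when the signature itself is valid.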
19. A node access apparatus applied to a first node, the apparatus comprising:
a first acquisition module, configured to acquire an authority authentication result for a second node; wherein the authority authentication result is obtained by a target device verifying an authority authentication code carried in a first access message sent by the second node, the target device is the first node or a server, and the authority authentication result indicates a target operation authority possessed by the second node; and
an execution module, configured to execute the operation instruction in the first access message that matches the target operation authority.
20. A node access apparatus applied to a server, the apparatus comprising:
a second acquisition module, configured to acquire an authority authentication result for a second node; wherein the authority authentication result is obtained by the server verifying an authority authentication code carried in a first access message sent by the second node, and the authority authentication result indicates a target operation authority possessed by the second node; and
a first sending module, configured to send a second access message to a first node; wherein the second access message comprises the authority authentication result, and the second access message is used for instructing the first node to execute the operation instruction in the first access message that matches the target operation authority.
21. A node access apparatus applied to a second node, the apparatus comprising:
a third acquisition module, configured to acquire an authority authentication code; wherein the authority authentication code is used by a target device for verification to obtain an authority authentication result, the target device is a first node or a server, and the authority authentication result indicates a target operation authority possessed by the second node;
a generating module, configured to generate a first access message based on the authority authentication code; and
a second sending module, configured to send the first access message to the first node, so that the first node executes the operation instruction in the first access message that matches the target operation authority.
22. A first node, characterized in that it comprises a first processor, a first memory, and a computer program stored on the first memory and executable on the first processor, the computer program, when executed by the first processor, implementing the steps of the node access method according to any one of claims 1 to 11.
23. A server, characterized in that it comprises a second processor, a second memory, and a computer program stored on the second memory and executable on the second processor, the computer program, when executed by the second processor, implementing the steps of the node access method according to any one of claims 12 to 16.
24. A second node, characterized in that it comprises a third processor, a third memory, and a computer program stored on the third memory and executable on the third processor, the computer program, when executed by the third processor, implementing the steps of the node access method according to any one of claims 17 to 18.
25. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when executed by a first processor, carries out the steps of the node access method according to any one of claims 1 to 11, or, when executed by a second processor, carries out the steps of the node access method according to any one of claims 12 to 16, or, when executed by a third processor, carries out the steps of the node access method according to any one of claims 17 to 18.
CN202010078827.XA 2020-02-03 2020-02-03 Node access method, node access device, related equipment and computer readable storage medium Pending CN113206816A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010078827.XA CN113206816A (en) 2020-02-03 2020-02-03 Node access method, node access device, related equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN113206816A true CN113206816A (en) 2021-08-03

Family

ID=77024885

Country Status (1)

Country Link
CN (1) CN113206816A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023109336A1 (en) * 2021-12-16 2023-06-22 中兴通讯股份有限公司 Smart home control method, device, and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932340A (en) * 2012-10-25 2013-02-13 上海电机学院 System and method for role-based access control
US20140082702A1 (en) * 2012-09-19 2014-03-20 Spark Devices Systems and methods for controlling and communicating with connected devices
CN105207776A (en) * 2014-06-18 2015-12-30 中标软件有限公司 Fingerprint authentication method and system
CN105262823A (en) * 2015-10-28 2016-01-20 广东欧珀移动通信有限公司 Method, apparatus and system for controlling terminal
CN106656993A (en) * 2016-11-04 2017-05-10 中国银联股份有限公司 Dynamic verification code verifying method and apparatus
CN106895553A (en) * 2017-02-14 2017-06-27 珠海格力电器股份有限公司 Air-conditioning and its control method and device, alarm method and device
US20190318559A1 (en) * 2018-04-13 2019-10-17 Timetec Holding Sdn Bhd Mobile-based access control system with wireless access controller
CN110472388A (en) * 2019-07-22 2019-11-19 吉林大学 A kind of apparatus management/control system and its user authority control method
CN110535732A (en) * 2019-07-29 2019-12-03 深圳绿米联创科技有限公司 A kind of apparatus control method, device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN106130982B (en) Intelligent household appliance remote control method based on PKI system
EP3742696B1 (en) Identity management method, equipment, communication network, and storage medium
CN102595404B (en) For storing and executing the method and device of access control clients
CN101120569B (en) Remote access system and method for user to remotely access terminal equipment from subscriber terminal
US8578153B2 (en) Method and arrangement for provisioning and managing a device
JP4222834B2 (en) Method and apparatus for storing a cryptographic key that authenticates a key server by obtaining and securely distributing the stored key
EP2255507B1 (en) A system and method for securely issuing subscription credentials to communication devices
Busold et al. Smart keys for cyber-cars: Secure smartphone-based NFC-enabled car immobilizer
US20100266128A1 (en) Credential provisioning
CN111049660A (en) Certificate distribution method, system, device and equipment, and storage medium
KR100682263B1 (en) System and method for remote authorization authentication using mobile
WO2017150270A1 (en) Communication system, hardware security module, terminal device, communication method, and program
EP2474178B1 (en) A method for communicating data between a secure element and a network access point and a corresponding secure element
CN109218263A (en) A kind of control method and device
WO2019056957A1 (en) Data processing and identity authentication methods and systems, and terminal
CN105634884B (en) A kind of control instruction wiring method, intelligent home furnishing control method and relevant apparatus
CN112994873B (en) Certificate application method and equipment
US10090997B2 (en) Method for changing an authentication key
CN109565441A (en) A method of for configuring the first communication equipment by using the second communication equipment
CN108352982B (en) Communication device, communication method, and recording medium
CN113206816A (en) Node access method, node access device, related equipment and computer readable storage medium
CN102264069B (en) Authentication control method, device and system based on universal guide architecture
Bolhuis Using an NFC-equipped mobile phone as a token in physical access control
JP6905950B2 (en) Authentication methods and computer programs for terminal devices, automobiles, and remote-controlled terminals for automobiles
CN112184960A (en) Intelligent lock control method and device, intelligent lock system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210803