CN114448725A - Equipment authentication method, system and storage medium - Google Patents


Info

Publication number
CN114448725A
Authority
CN
China
Prior art keywords
digital identity
equipment
user
request message
internet
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210282040.4A
Other languages
Chinese (zh)
Inventor
李瑞德
张楚
刘宇轩
王军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Esand Information Technology Co ltd
Original Assignee
Beijing Esand Information Technology Co ltd
Application filed by Beijing Esand Information Technology Co ltd
Priority to CN202210282040.4A
Publication of CN114448725A
Legal status: Pending

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
              • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/12 Applying verification of the received information

Abstract

The embodiments of the invention disclose a device authentication method, a device authentication system and a storage medium. The method comprises the following steps: receiving a first user digital identity credential; acquiring the device's digital identity credential and reporting a device operation authentication request message, which includes at least the first user digital identity credential and the device digital identity credential; receiving the device operation authentication request message and verifying the first user digital identity credential and the device digital identity credential to obtain the operation right corresponding to the first user digital identity credential; returning a device operation authentication response message, which includes at least the operation right; and controlling the device according to the operation right. Building on an enterprise's existing IAM/IDaaS combined with the IFAA password-free authentication middle platform, the embodiments construct a password-free digital identity service for all types of enterprises, so that an enterprise can conveniently manage all of its Internet of things devices centrally.

Description

Equipment authentication method, system and storage medium
[ technical field ]
The invention relates to the field of authentication methods, in particular to an equipment authentication method, an equipment authentication system and a storage medium.
[ background of the invention ]
In traditional Internet of things deployments, each device has its own independent management back end, so it is difficult for an enterprise to establish unified management of its various devices in the enterprise back end; device use and authority allocation are carried out on the basis of the enterprise's internal organization structure and employee accounts, which cannot keep up with the flexible and changing business scenarios brought by the rapid development of enterprise services. Because smart devices are diverse and have no unified standard, it is difficult for them to operate cooperatively.
[ summary of the invention ]
In view of the above-mentioned drawbacks, the present invention provides a device authentication method, system and storage medium.
In one aspect, to achieve the above object, the present invention provides an apparatus authentication method, including:
receiving a first user digital identity credential;
acquiring a digital identity certificate of the equipment, and reporting an operation authentication request message of the equipment; the device operation authentication request message at least comprises: the first user digital identity credential, the device digital identity credential;
receiving the equipment operation authentication request message, and verifying the first user digital identity certificate and the equipment digital identity certificate to obtain an operation right corresponding to the first user digital identity certificate;
returning a device operation authentication response message, wherein the device operation authentication response message at least comprises: the operating right;
and controlling the equipment according to the operation authority.
Optionally, before receiving the first user digital identity credential, a device registration procedure is further included, where the device registration procedure includes the following steps:
acquiring equipment information, wherein the equipment information comprises: the device public key and the encrypted device information;
transmitting a device registration request message, the device registration request message comprising: the device information and the second user digital identity certificate;
receiving the device registration request message, and checking the second user digital identity credential and the device information; after the verification passes, generating a service key pair and a binding message for the device corresponding to the device information; the service key pair includes: a service public key and a service private key; the binding message includes: the service public key;
returning a device registration response message, wherein the device registration response message comprises: the binding message.
Optionally, after the device registration, a device binding process is further included, where the device binding process includes the following steps:
receiving an Internet of things device binding request message, wherein the Internet of things device binding request message comprises: the binding message;
and performing validity verification on the Internet of things device binding request message according to a preset device public key, and storing the service public key carried in the Internet of things device binding request message after the validity verification passes.
Optionally, the receiving the first user digital identity credential is implemented by:
scanning the two-dimensional code to obtain the first user digital identity certificate; or
Receiving the first user digital identity credential via wireless transmission.
Optionally, the device operation authentication request message further includes: equipment identification and operation type;
optionally, the verifying the first user digital identity credential and the device digital identity credential comprises:
acquiring equipment information according to the equipment identification;
verifying the equipment digital identity certificate and judging whether equipment corresponding to the equipment digital identity certificate is registered or not; if the equipment is registered and the equipment digital identity certificate exists locally, the verification is passed;
checking the first user digital identity certificate, and judging whether a user corresponding to the first user digital identity certificate is registered or not; if the user is registered and the first user digital identity credential exists locally, the verification passes;
and inquiring whether the first user digital identity certificate has the operation authority corresponding to the operation type.
In another aspect, the present invention further provides an apparatus authentication system, where the system includes a first user terminal, an apparatus terminal, and an apparatus authentication server, where:
the first user terminal is used for acquiring a first user digital identity certificate and sending the first user digital identity certificate to the equipment terminal;
the equipment terminal is used for reporting an equipment operation authentication request message; the device operation authentication request message includes at least: the first user digital identity credential, the device digital identity credential; the device is also used for controlling the device according to the operation authority;
the device authentication server is configured to receive the device operation authentication request message, verify the first user digital identity credential and the device digital identity credential, and obtain an operation right corresponding to the first user digital identity credential; and the device is further configured to return a device operation authentication response message, where the device operation authentication response message at least includes: the operation authority.
Optionally, the system further comprises: a second user terminal, wherein:
the second user terminal is configured to obtain device information, where the device information includes: the device public key and the encrypted device information; and further configured to send a device registration request message, the device registration request message including: the device information and the second user digital identity certificate;
the equipment authentication server is used for receiving the equipment registration request message and verifying the second user digital identity certificate and the equipment information; after the verification is passed, generating a service key pair and a binding message facing the equipment corresponding to the equipment information; the service key pair includes: a service public key and a service private key; the binding packet includes: the service private key; and returning a device registration reply message, the device registration reply message including: the binding message;
the second user terminal is further configured to receive the device registration response message, and send the binding packet to the device terminal;
and the equipment terminal verifies the binding message by using the equipment public key, and stores the service public key after the verification is passed.
Optionally, the device authentication server includes: an equipment management server, a digital identity server;
the equipment management server is used for managing the equipment terminal;
the digital identity server is used for managing the first user terminal and the second user terminal and for managing the digital identity credentials of the users.
In another aspect, the present invention also provides a computer-readable storage medium to store processor-executable instructions, which when executed are capable of causing a processor to implement a device authentication method as described above.
Compared with the prior art, the method and the system build on the enterprise's existing IAM/IDaaS combined with the IFAA password-free authentication middle platform to construct a password-free digital identity service for all types of enterprises, making it convenient for the enterprise to manage all of its Internet of things devices centrally.
[ description of the drawings ]
Fig. 1 is a flowchart illustrating an apparatus authentication method according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a device registration process according to an embodiment of the present invention;
fig. 3 is a detailed flowchart of device authentication according to an embodiment of the present invention;
FIG. 4 is a flow chart illustrating a process for verifying a digital identity certificate of a device according to an embodiment of the present invention;
fig. 5 is a detailed flowchart of device registration according to an embodiment of the present invention;
fig. 6 is a detailed flowchart of device binding according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an embodiment of a device authentication system according to the present invention;
FIG. 8 is a schematic structural diagram of an authentication server according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of a hardware operating environment according to an embodiment of the present invention.
[ detailed description ]
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
A mobile terminal implementing various embodiments of the present invention will now be described with reference to the accompanying drawings. In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only for facilitating the explanation of the present invention, and have no specific meaning in themselves. Thus, "module" and "component" may be used in a mixture.
It should be understood that the present application applies to a device authentication system; refer to fig. 5, which is a schematic structural diagram of an embodiment of the device authentication system according to the embodiment of the present application. As shown in fig. 5, the system includes: a device authentication server 100, a first user terminal 200, a second user terminal 300 and a device terminal 400;
the device authentication server 100 is configured to receive the device operation authentication request message, verify the first user digital identity credential and the device digital identity credential, and obtain an operation right corresponding to the first user digital identity credential; and returning a device operation authentication response message, wherein the device operation authentication response message at least comprises: the operation authority.
The device authentication server 100 is further configured to receive the device registration request message, and verify the second user digital identity credential and the device information; after the verification is passed, generating a service key pair and a binding message for the device corresponding to the device information; the service key pair includes: a service public key and a service private key; the binding packet includes: the service private key; and returning a device registration reply message, the device registration reply message including: the binding message.
The first user terminal 200 is configured to obtain a first user digital identity credential and send the first user digital identity credential to the device terminal.
The second user terminal 300 is configured to obtain device information, where the device information includes: the device public key and the encrypted device information; and further configured to send a device registration request message, the device registration request message including: the device information, the second user digital identity credential.
The second user terminal 300 is further configured to receive the device registration response message, and send the binding message to the device terminal.
The device terminal 400 is configured to report a device operation authentication request message; the device operation authentication request message includes at least: the first user digital identity credential, the device digital identity credential; and also for device control in accordance with the operating rights.
The device terminal 400 is further configured to verify the binding packet by using the device public key, and store the service public key after the verification is passed.
In one embodiment, as shown in fig. 1, the present invention provides a device authentication method, the method comprising:
step S101, receiving a first user digital identity certificate.
Consider Internet of things device users, for example the residents of a community that uses smart access control: a resident needs to obtain a digital identity credential before using the smart access control. A digital identity credential is a set of data describing a person or thing, or the sum of all information about a person available in a network; it is the online identity, or network identity, that a person, organization or electronic device uses in a network. Registration and acquisition of digital identity credentials belong to the prior art and are not described in detail in this invention.
Each user registers a digital identity authentication credential with a digital identity server, and the digital identity server issues the credential to the terminal where the user is, such as a smartphone. Registration and authentication of the digital identity authentication credential can be implemented with the technical scheme corresponding to the IFAA trusted digital identity technical specification.
The user obtains the digital identity authentication credential through IFAA local password-free authentication; for example, after the user passes fingerprint authentication on the smartphone, the user obtains the corresponding digital identity authentication credential, such as digital identity authentication credential A. Each digital identity authentication credential corresponds to an identifier, which can be represented by a unique number, as shown in the following table:
Digital identity authentication credential | Digital identity authentication credential identifier
Digital identity authentication credential A | e10adc3949ba59abbe56e057f20f883e
Step S102, obtaining a digital identity certificate of the equipment, and reporting an operation authentication request message of the equipment; the device operation authentication request message includes at least: the first user digital identity credential, the device digital identity credential, a device identification, an operation type;
After the user obtains the digital identity credential, a transfer mode is selected according to the type of Internet of things device to be operated, and the digital identity credential identifier obtained by the user is transmitted to that Internet of things device. If the Internet of things device can capture images (for example, a smart access control fitted with a camera), the user selects the two-dimensional code mode on the smartphone: the digital identity credential APP converts the credential identifier into a two-dimensional code displayed on the phone screen, the user holds the code up to the camera of the Internet of things device (such as the smart access control), and the device reads the user's digital identity authentication identifier through the camera. For example, the identifier of digital identity authentication credential A is obtained: e10adc3949ba59abbe56e057f20f883e.
If the Internet of things device cannot capture images, the user establishes a wireless connection with the device using one of the smartphone's wireless communication modes, such as Bluetooth, wifi or nfc; for example, the user connects to a smart door lock over the smartphone's Bluetooth, and the digital identity authentication credential identifier is sent to the smart door lock over that Bluetooth connection.
After the Internet of things device receives the user digital identity credential identifier sent by the user, it obtains its own digital identity authentication credential, shown in the following table:
Digital identity authentication credential | Digital identity authentication credential identifier
Digital identity authentication credential B | 14e1b600b1fd579f47433b88e8d85291
After the Internet of things device (such as a smart access control) has obtained its own digital identity credential and the user's digital identity credential, it sends a device operation authentication request message to the device authentication server, carrying the device's digital identity credential and the user's digital identity credential. The device operation authentication request message is shown in the following table:
[Table image (Figure BDA0003558141520000071): fields of the device operation authentication request message]
The operation types differ according to the Internet of things device; for example, a smart access control has operation types such as door opening. The specific operation types are defined according to the type of Internet of things device and are not limited by this technical scheme.
Step S103, receiving the device operation authentication request message, verifying the first user digital identity certificate and the device digital identity certificate, and obtaining an operation authority corresponding to the first user digital identity certificate.
The device authentication server includes: equipment management server, digital identity server. The equipment management server is used for equipment terminal management; the digital identity server is used for user terminal management and managing the digital identity voucher of the user.
Further, the device management server may include an IOT server and an Internet of things device management console. The IOT server is responsible for managing the network connections of the Internet of things devices, that is, for Internet of things access management; the Internet of things device management console is responsible for the dual authentication of the Internet of things device and the visitor (that is, the user). The console configures corresponding operation rights for each registered user, for example door opening for a visitor and device management (adding, modifying and deleting devices, and so on) for an administrator. The operation rights are associated with the user's digital identity credential, as shown in the following table:
User type | Digital identity authentication credential identifier | Operation rights
Visitor | e10adc3949ba59abbe56e057f20f883e | Door opening
Household | 14e1b600b1fd579f47433b88e8d85291 | Door opening
Administrator | bac78819cc67469e9e4de50c677990e9 | Door opening, equipment management
The operation authority is specifically assigned, and the technical scheme is not limited. The internet of things device management console performs a dual authentication process on the internet of things device and the visitor (i.e., the user), which is shown in the flow of fig. 4.
Step S401, acquiring device information according to the device identifier.
After receiving the device operation authentication request message sent by the Internet of things device (such as a smart access control), the IOT server forwards the message to the Internet of things device management console. The console first checks the Internet of things device: if the device carries an identity authentication credential, that credential is checked. The corresponding Internet of things device information is looked up by the identity authentication credential identifier of the device, and the console judges whether the device is a legitimate device; if so, it queries the local database by the digital identity authentication credential identifier and judges whether the device belongs to the devices managed by this console. If the device is not managed by the console, the device operation authentication request is rejected; if it is, the digital identity credential of the Internet of things device and the digital identity credential of the user are forwarded to the digital identity server. The query results are shown in the following table:
Digital identity authentication credential identifier | Internet of things device type | Internet of things device identifier
14e1b600b1fd579f47433b88e8d85291 | Intelligent access control | Intelligent access control A
Step S402, checking the equipment digital identity certificate, and judging whether equipment corresponding to the equipment digital identity certificate is registered; if the device is registered and the device digital identity credential exists locally, the verification passes.
Step S403, checking the first user digital identity certificate, and judging whether the user corresponding to the first user digital identity certificate is registered; if the user is registered and the first user digital identity credential exists locally, the check passes.
After receiving the digital identity certificate of the Internet of things equipment and the digital identity certificate of the user, the digital identity server respectively verifies the digital identity certificate of the Internet of things equipment and the digital identity certificate of the user, judges whether the digital identity certificate of the Internet of things equipment and the digital identity certificate of the user are registered in the digital identity server, and then returns a digital identity certificate verification result to the Internet of things equipment management center.
Step S404, inquiring whether the first user digital identity certificate has the operation authority corresponding to the operation type.
After the Internet of things device management console receives the digital identity credential verification result: if the verification failed, the device operation authentication request is rejected; if the verification succeeded, the user's information, such as the user type, is obtained from the user's digital identity credential. The console then obtains the operation rights the user is allowed on the corresponding Internet of things device according to that information; for example, if the user type is visitor, door opening is allowed on the smart access control. The console produces the corresponding control command according to the allowed operation rights, that is, the user's operation rights on the corresponding Internet of things device, and returns a device operation authentication response message to the IOT server, which forwards the response message to the Internet of things device (such as the smart access control). If the console judges that the user does not have the operation right corresponding to the requested operation type, it returns the operation rights the user is allowed.
Step S104, returning a device operation authentication response message, wherein the device operation authentication response message at least comprises: the operation authority.
Step S105, controlling the device according to the operation right.
After receiving the device operation authentication response message returned by the IOT server, the Internet of things device acts according to the operation right (that is, the corresponding control command) carried in the message. For example, if the control command received by the smart access control is to open the door, it opens the corresponding door. If several operation rights are returned, the Internet of things device can display all the allowed operation rights and the user selects one of them to execute.
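The dual check of steps S401 to S404 and the device-side handling of step S105, written out as an added Go example; this is not code from the patent or its assignee. The server folds the Internet of things device management console and the digital identity server into a single object, loads the credential identifiers and rights from the tables above as a constructed registry, and the response field names (Accepted, RequestedAllowed, Rights) are assumptions, since the patent names only the operation right. As the text describes, an unregistered user credential or an unmanaged device credential is rejected before any rights lookup, and a request for an operation type the user lacks returns the rights that are allowed rather than an error.

```go
package main

import (
	"fmt"
	"strings"
)

// OperationAuthRequest carries the fields named in step S102.
type OperationAuthRequest struct {
	UserCredentialID   string // first user digital identity credential identifier
	DeviceCredentialID string // device digital identity credential identifier
	DeviceID           string // device identifier
	OperationType      string // requested operation type
}

// OperationAuthResponse is the device operation authentication response of step S104
// (field names are assumptions; the patent only requires the operation right).
type OperationAuthResponse struct {
	Accepted         bool     // false: request rejected in S402/S403
	Reason           string   // rejection reason (constructed wording)
	RequestedAllowed bool     // requested operation type is among the user's rights
	Rights           []string // operation rights allowed for this user on this device
}

type userRecord struct {
	userType string
	rights   []string
}

// DeviceAuthServer folds the device management console and the digital identity server
// (kept separate on the page) into one object for the example.
type DeviceAuthServer struct {
	managedDevices  map[string]string     // device credential ID -> device ID managed by this console
	registeredUsers map[string]userRecord // user credential ID -> user type and rights
}

// NewSampleServer loads the constructed registry taken from the description's tables.
func NewSampleServer() *DeviceAuthServer {
	return &DeviceAuthServer{
		managedDevices: map[string]string{
			"14e1b600b1fd579f47433b88e8d85291": "Intelligent access control A",
		},
		registeredUsers: map[string]userRecord{
			"e10adc3949ba59abbe56e057f20f883e": {"Visitor", []string{"Door opening"}},
			"bac78819cc67469e9e4de50c677990e9": {"Administrator", []string{"Door opening", "Equipment management"}},
		},
	}
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// HandleOperationAuth runs the dual check of steps S401-S404 and builds the S104 response.
func (s *DeviceAuthServer) HandleOperationAuth(req OperationAuthRequest) OperationAuthResponse {
	// S401/S402: the device credential must be registered and the device managed by this console;
	// the device identifier in the request must match the record found for that credential.
	devID, ok := s.managedDevices[req.DeviceCredentialID]
	if !ok {
		return OperationAuthResponse{Reason: "device credential not registered or device not managed here"}
	}
	if devID != req.DeviceID {
		return OperationAuthResponse{Reason: "device identifier does not match the device credential"}
	}
	// S403: the user credential must be registered with the digital identity server.
	user, ok := s.registeredUsers[req.UserCredentialID]
	if !ok {
		return OperationAuthResponse{Reason: "user credential not registered"}
	}
	// S404: look up the rights for this user. If the requested type is not among them,
	// return the rights that are allowed instead of an error, as the description states.
	rights := append([]string(nil), user.rights...)
	return OperationAuthResponse{Accepted: true, RequestedAllowed: contains(rights, req.OperationType), Rights: rights}
}

// ControlDevice is the device side of step S105: execute the requested right if it was granted,
// otherwise show the user the rights that came back so one of them can be chosen.
func ControlDevice(req OperationAuthRequest, resp OperationAuthResponse) (string, error) {
	if !resp.Accepted {
		return "", fmt.Errorf("request rejected: %s", resp.Reason)
	}
	if resp.RequestedAllowed {
		return "executed: " + req.OperationType, nil
	}
	if len(resp.Rights) == 0 {
		return "", fmt.Errorf("no operation right granted")
	}
	return "not allowed; allowed rights: " + strings.Join(resp.Rights, ", "), nil
}

func main() {
	srv := NewSampleServer()
	req := OperationAuthRequest{
		UserCredentialID:   "e10adc3949ba59abbe56e057f20f883e",
		DeviceCredentialID: "14e1b600b1fd579f47433b88e8d85291",
		DeviceID:           "Intelligent access control A",
		OperationType:      "Door opening",
	}
	resp := srv.HandleOperationAuth(req)
	out, err := ControlDevice(req, resp)
	fmt.Println(out, err)
}
```

Note that the rights table on the page lists the household's credential identifier as the same value as the device credential B; the registry above omits that row rather than guess at a corrected value.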
The process of the user using the internet of things device according to the digital identity certificate can refer to the process shown in fig. 3.
According to the embodiment of the invention, a user operates Internet of things devices through a digital identity credential; building on the enterprise's existing IAM/IDaaS combined with the IFAA password-free authentication middle platform, a password-free digital identity service is constructed for all types of enterprises, so that an enterprise can conveniently manage all of its Internet of things devices centrally.
In addition, another device authentication method is further provided in an embodiment of the present invention, and referring to fig. 2, the method registers for the internet of things device, and includes the following steps:
step S201, acquiring device information, where the device information includes: the device public key and the encrypted device information.
An Internet of things device must complete smart device authentication under human supervision; for example, it can be used only after a device administrator or device user has registered it. After the Internet of things device user (referred to below as the device administrator) obtains the user's digital identity credential through the mobile phone APP, the APP is used to scan the two-dimensional code corresponding to the device identifier of the Internet of things device (such as a smart door lock). Every Internet of things device has a unique identifier; for example, the unique identifier of smart door lock A is S-001-12589-AB-005. The specific unique identifier is set by each Internet of things device manufacturer and is not limited by this technical scheme. The digital identity credential of the Internet of things device is obtained from the digital identity server by the administrator and then sent to the device: before the device is registered, the administrator can allocate a digital identity credential to each Internet of things device through the digital identity server.
The method comprises the following steps that an administrator of the Internet of things equipment scans a unique identification two-dimensional code of the Internet of things equipment through a mobile phone APP, or the administrator manually inputs a unique identification of the Internet of things equipment in the mobile phone APP. And then establishing wireless connection, such as wireless connection of Bluetooth, wifi, zigbee and the like, according to the unique identifier and the corresponding Internet of things equipment. The mobile phone APP obtains a preset device public key and encrypted device information in the Internet of things device through wireless connection.
Step S202, sending a device registration request message, wherein the device registration request message comprises: the device information, the second user digital identity credential.
After the mobile phone APP obtains the unique identifier of the Internet of Things device, it constructs an Internet of Things device registration request message carrying the Internet of Things device information and the digital identity credential of the device administrator. The device information includes the device unique identifier, the device type, and the like. The registration request message is shown in the following table:
[Table image not reproduced: fields of the device registration request message]
Step S203, receiving the device registration request message, and verifying the second user digital identity credential and the device information; after the verification is passed, generating a service key pair and a binding message for the device corresponding to the device information; the service key pair includes: a service public key and a service private key; the binding message includes: the service public key.
The device administrator APP sends the device registration request message to the Internet of Things device management center, which extracts the device administrator's digital identity credential carried in the message and checks it with the digital identity server.
The digital identity server verifies the authenticity of the device administrator's digital identity credential and returns the verification result to the Internet of Things device management center.
The Internet of Things device management center processes the request according to the digital identity credential verification result: if the verification fails, the device registration request is rejected; if the verification passes, it judges whether the device administrator has the authority to register Internet of Things devices. Only a user with the authority to register Internet of Things devices can initiate device registration. Once the Internet of Things device management center determines that the device administrator may register the Internet of Things device, it generates a service key pair for the Internet of Things device (for example, smart door lock A) and issues a binding message. The service key pair includes the service public key and the service private key, and the binding message includes the service public key.
Step S204, returning a device registration response message, wherein the device registration response message includes: the binding message.
After the Internet of Things device management center completes registration of the Internet of Things device, it returns a device registration response message to the device administrator's APP. The device registration response message carries the binding message, and the binding message includes: the service public key.
Step S205, receiving an Internet of things equipment binding request message, wherein the Internet of things equipment binding request message comprises: the public key of the service.
After receiving the device registration response message returned by the Internet of Things device management center, the device administrator APP sends an Internet of Things device binding request message to the Internet of Things device (for example, a smart door lock) over the wireless connection between the smartphone and the Internet of Things device.
The Internet of Things device receives the Internet of Things device binding request message, which includes: the service public key.
Step S206, performing validity verification on the Internet of Things device binding request message according to the preset device public key, and storing the service public key carried in the Internet of Things device binding request message after the validity verification is passed.
The Internet of Things device management center encrypts the binding message and sends the encrypted binding message to the device administrator's APP, which forwards it to the Internet of Things device. The Internet of Things device decrypts the encrypted binding message with the locally preset device public key; successful decryption indicates that the Internet of Things device binding request message is valid, that is, the validity verification passes. The Internet of Things device then stores the decrypted service public key from the binding message locally for subsequent interaction with the device authentication server. The Internet of Things device uses the service public key to verify the reliability of control instructions returned by the Internet of Things device management center, and discards any control instruction that fails verification with the service public key. Likewise, when the Internet of Things device reports data to the Internet of Things device management center, it must encrypt the data with the service public key.
For a detailed process of registering the internet of things device, reference may be made to the process shown in fig. 5. The internet of things device binding process may refer to the process shown in fig. 6.
After the Internet of Things device has been registered and bound, an account is opened for it in the device authentication server, and the device can then be used. After the account is opened, the Internet of Things device needs to acquire its digital identity credential from the digital identity server. The method for acquiring the digital identity credential belongs to the prior art and is not described in detail in this technical scheme. After the Internet of Things device acquires the digital identity credential, it stores the credential locally.
According to this embodiment of the invention, the identity of the registrant is confirmed by verifying the digital identity credential of the device registrant, which enhances the reliability of the Internet of Things device.
In addition, an embodiment of the present invention further provides an apparatus authentication system, and referring to fig. 7, the apparatus authentication system includes: a device authentication server 100, a first user terminal 200, a second user terminal 300, a device terminal 400.
The device authentication server 100 is configured to receive the device operation authentication request message, verify the first user digital identity credential and the device digital identity credential, and obtain an operation right corresponding to the first user digital identity credential; and returning a device operation authentication response message, wherein the device operation authentication response message at least comprises: the operation authority.
The device authentication server 100 is further configured to receive the device registration request message, and verify the second user digital identity credential and the device information; after the verification is passed, generate a service key pair and a binding message for the device corresponding to the device information; the service key pair includes: a service public key and a service private key; the binding message includes: the service private key; and is further configured to return a device registration response message, the device registration response message including: the binding message;
a first user terminal 200, configured to obtain a first user digital identity credential and send the first user digital identity credential to the device terminal;
the second user terminal 300 is configured to obtain device information, where the device information includes: the device public key and the encrypted device information; and further configured to send a device registration request message, the device registration request message including: the device information and the second user digital identity certificate;
the second user terminal 300 is further configured to receive the device registration response message, and send the binding message to the device terminal;
the device terminal 400 is configured to report a device operation authentication request message; the device operation authentication request message includes at least: the first user digital identity credential, the device digital identity credential; the device is also used for controlling the device according to the operation authority;
the device terminal 400 is further configured to verify the binding message by using the device public key, and store the service public key after the verification is passed.
In addition, an embodiment of the present invention further provides an apparatus authentication server, and referring to fig. 8, the apparatus authentication server 100 includes: a device management server 101, a digital identity server 102.
An equipment management server 101 for managing the equipment terminal;
and the digital identity server 102 is used by the first user terminal and the second user terminal to manage the user's digital identity credentials.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a hardware operating environment of the device authentication server 100, the first user terminal 200, the second user terminal 300, and the device terminal 400 according to the embodiment of the present invention.
As shown in fig. 9, the hardware operating environment may include: a processor 1001, such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and may optionally also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI, 4G or 5G interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in fig. 9 does not constitute a limitation of the device authentication server 100, the first user terminal 200, the second user terminal 300, the device terminal 400, and may include more or fewer components than those shown, or combine certain components, or a different arrangement of components.
As shown in fig. 9, the memory 1005, which is a kind of computer storage medium, may include an operating system, a network communication module, a user interface module, and a device authentication program.
In the hardware operating environment shown in fig. 9, the network interface 1004 is mainly used for data communication with external networks; the user interface 1003 is mainly used for receiving input instructions from a user; and the processor 1001 calls the device authentication program stored in the memory 1005 and performs the following operations:
receiving a first user digital identity credential;
acquiring a digital identity certificate of the equipment, and reporting an operation authentication request message of the equipment; the device operation authentication request message at least comprises: the first user digital identity credential, the device digital identity credential;
receiving the equipment operation authentication request message, and verifying the first user digital identity certificate and the equipment digital identity certificate to obtain an operation right corresponding to the first user digital identity certificate;
returning a device operation authentication response message, wherein the device operation authentication response message at least comprises: the operating right;
and controlling the equipment according to the operation authority.
Optionally, before receiving the first user digital identity credential, a device registration procedure is further included, where the device registration procedure includes the following steps:
acquiring equipment information, wherein the equipment information comprises: the device public key and the encrypted device information;
transmitting a device registration request message, the device registration request message comprising: the device information and the second user digital identity certificate;
receiving the device registration request message, and checking the second user digital identity certificate and the device information; after the verification is passed, generating a service key pair and a binding message facing the equipment corresponding to the equipment information; the service key pair includes: a service public key and a service private key; the binding message includes: the service public key;
returning a device registration response message, wherein the device registration response message comprises: and the binding message.
Optionally, after the device registration, a device binding process is further included, where the device binding process includes the following steps:
receiving an internet of things device binding request message, wherein the internet of things device binding request message comprises: the binding message;
and carrying out validity verification on the Internet of things equipment binding request message according to a preset equipment public key, and storing a service public key carried in the Internet of things equipment binding request message after the validity verification is passed.
Optionally, the receiving the first user digital identity credential is implemented by:
scanning the two-dimensional code to obtain the first user digital identity certificate; or
Receiving the first user digital identity credential via wireless transmission.
Optionally, the device operation authentication request message further includes: equipment identification and operation type;
optionally, the verifying the first user digital identity credential and the device digital identity credential comprises:
acquiring equipment information according to the equipment identification;
verifying the equipment digital identity certificate and judging whether equipment corresponding to the equipment digital identity certificate is registered or not; if the equipment is registered and the equipment digital identity certificate exists locally, the verification is passed;
checking the first user digital identity certificate, and judging whether a user corresponding to the first user digital identity certificate is registered or not; if the user is registered and the first user digital identity credential exists locally, the verification passes;
and inquiring whether the first user digital identity certificate has the operation authority corresponding to the operation type.
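The registration checks of step S203 and the credential verification procedure listed above, modelled together as an added example that is not the patent's own code. It assumes opaque string credentials, a local in-memory digital identity server, hypothetical user names, and a constructed placeholder for the service key pair, since the page names no key algorithm.

```python
import secrets


def generate_service_key_pair():
    """Placeholder for the service key pair of step S203 (the page names no algorithm)."""
    return "spub-" + secrets.token_hex(8), "spriv-" + secrets.token_hex(8)


class DigitalIdentityServer:
    """Digital identity server 102: issues opaque credentials and verifies them."""

    def __init__(self):
        self.issued = {}  # credential -> subject id (user or device)

    def issue(self, subject_id):
        cred = "cred-" + secrets.token_hex(8)
        self.issued[cred] = subject_id
        return cred

    def verify(self, cred):
        return self.issued.get(cred)  # subject id, or None if the credential is not genuine


class DeviceManagementCenter:
    """Device management server 101: device registration and operation authentication."""

    def __init__(self, dis):
        self.dis = dis
        self.registrars = set()        # user ids authorised to register devices
        self.devices = {}              # device id -> type and service key pair
        self.local_device_creds = {}   # device id -> credential recorded at account opening
        self.local_user_creds = set()  # user credentials known to this center
        self.permissions = {}          # (user id, device id) -> permitted operation types

    def handle_registration(self, req):
        """Step S203: verify the administrator credential, then its registration authority."""
        admin = self.dis.verify(req["admin_credential"])
        if admin is None:
            return {"result": "rejected", "reason": "administrator credential failed verification"}
        if admin not in self.registrars:
            return {"result": "rejected", "reason": "no authority to register devices"}
        info = req["device_info"]
        pub, priv = generate_service_key_pair()
        self.devices[info["device_id"]] = {"type": info["device_type"], "pub": pub, "priv": priv}
        # Only the service public key leaves the center; the private key stays here.
        return {"result": "ok", "binding_message": {"service_public_key": pub}}

    def open_account(self, device_id):
        """After registration and binding the device gets its own credential; keep a local copy."""
        cred = self.dis.issue(device_id)
        self.local_device_creds[device_id] = cred
        return cred

    def handle_operation_auth(self, req):
        """Operation authentication checks, in the order the page lists them."""
        device_id = req["device_id"]
        if device_id not in self.devices:  # acquire device information by identifier
            return {"result": "rejected", "reason": "device not registered"}
        dev_cred = req["device_credential"]
        # Device credential must be genuine AND exist locally for this device.
        if self.dis.verify(dev_cred) != device_id or self.local_device_creds.get(device_id) != dev_cred:
            return {"result": "rejected", "reason": "device credential failed verification"}
        user_cred = req["user_credential"]
        user = self.dis.verify(user_cred)
        # User credential must be genuine AND exist locally.
        if user is None or user_cred not in self.local_user_creds:
            return {"result": "rejected", "reason": "user credential failed verification"}
        op = req["operation_type"]
        if op not in self.permissions.get((user, device_id), set()):
            return {"result": "rejected", "reason": "no authority for operation " + op}
        return {"result": "ok", "operation_authority": {"user": user, "device_id": device_id, "operation_type": op}}


def run_demo():
    """Constructed scenario: alice administers smart door lock A (identifier quoted on the page),
    bob may unlock it, carol holds a genuine credential but no permission on it."""
    dis = DigitalIdentityServer()
    center = DeviceManagementCenter(dis)
    lock_id = "S-001-12589-AB-005"
    alice, bob, carol = (dis.issue(u) for u in ("alice", "bob", "carol"))
    center.local_user_creds.update({alice, bob, carol})
    center.registrars.add("alice")
    info = {"device_id": lock_id, "device_type": "smart door lock"}
    results = {"reg_by_bob": center.handle_registration({"admin_credential": bob, "device_info": info}),
               "reg_by_alice": center.handle_registration({"admin_credential": alice, "device_info": info})}
    lock_cred = center.open_account(lock_id)
    center.permissions[("bob", lock_id)] = {"unlock"}

    def auth(user_cred, op, dev_cred=lock_cred, dev_id=lock_id):
        return center.handle_operation_auth({"device_id": dev_id, "device_credential": dev_cred,
                                             "user_credential": user_cred, "operation_type": op})

    results["bob_unlock"] = auth(bob, "unlock")
    results["bob_reset"] = auth(bob, "factory_reset")  # operation type not granted
    results["carol_unlock"] = auth(carol, "unlock")   # genuine user, no authority on this device
    results["wrong_device_cred"] = auth(bob, "unlock", dev_cred="cred-not-issued")
    results["unknown_device"] = auth(bob, "unlock", dev_id="S-999-00000-ZZ-000")
    return results
```

Each rejection names the check that failed, so the order of the checks (device first, then user, then operation authority) is visible in the returned reasons.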
Furthermore, an embodiment of the present invention further provides a computer-readable storage medium, where an apparatus authentication program is stored on the computer-readable storage medium, and when executed by a processor, the apparatus authentication program implements the following operations:
receiving a first user digital identity credential;
acquiring a digital identity certificate of the equipment, and reporting an operation authentication request message of the equipment; the device operation authentication request message at least comprises: the first user digital identity credential, the device digital identity credential;
receiving the equipment operation authentication request message, and verifying the first user digital identity certificate and the equipment digital identity certificate to obtain an operation right corresponding to the first user digital identity certificate;
returning a device operation authentication response message, wherein the device operation authentication response message at least comprises: the operating right;
and controlling the equipment according to the operation authority.
Optionally, before receiving the first user digital identity credential, a device registration procedure is further included, where the device registration procedure includes the following steps:
acquiring equipment information, wherein the equipment information comprises: the device public key and the encrypted device information;
transmitting a device registration request message, the device registration request message comprising: the device information and the second user digital identity certificate;
receiving the device registration request message, and checking the second user digital identity certificate and the device information; after the verification is passed, generating a service key pair and a binding message facing the equipment corresponding to the equipment information; the service key pair includes: a service public key and a service private key; the binding message includes: the service public key;
returning a device registration response message, wherein the device registration response message comprises: and the binding message.
Optionally, after the device registration, a device binding process is further included, where the device binding process includes the following steps:
receiving an internet of things device binding request message, wherein the internet of things device binding request message comprises: the binding message;
and carrying out validity verification on the equipment binding request message of the Internet of things according to a preset equipment public key, and storing the service public key carried in the equipment binding request message of the Internet of things after the validity verification is passed.
Optionally, the receiving the first user digital identity credential is implemented by:
scanning the two-dimensional code to obtain the first user digital identity certificate; or
Receiving the first user digital identity credential via wireless transmission.
Optionally, the device operation authentication request message further includes: equipment identification and operation type;
optionally, the verifying the first user digital identity credential and the device digital identity credential comprises:
acquiring equipment information according to the equipment identification;
verifying the equipment digital identity certificate and judging whether equipment corresponding to the equipment digital identity certificate is registered or not; if the equipment is registered and the equipment digital identity certificate exists locally, the verification is passed;
checking the first user digital identity certificate, and judging whether a user corresponding to the first user digital identity certificate is registered or not; if the user is registered and the first user digital identity credential exists locally, the verification passes;
and inquiring whether the first user digital identity certificate has the operation authority corresponding to the operation type.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better embodiment. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, a controller, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the present specification and drawings, or used directly or indirectly in other related fields, are included in the scope of the present invention.

Claims (10)

1. A method of device authentication, the method comprising the steps of:
receiving a first user digital identity credential;
acquiring a digital identity certificate of the equipment, and reporting an operation authentication request message of the equipment; the device operation authentication request message includes at least: the first user digital identity credential, the device digital identity credential;
receiving the equipment operation authentication request message, and verifying the first user digital identity certificate and the equipment digital identity certificate to obtain an operation authority corresponding to the first user digital identity certificate;
returning a device operation authentication response message, wherein the device operation authentication response message at least comprises: the operation authority;
and controlling the equipment according to the operation authority.
2. The method of claim 1, wherein prior to receiving the first user digital identity credential, further comprising a device registration procedure, the device registration procedure comprising the steps of:
acquiring equipment information, wherein the equipment information comprises: the device public key and the encrypted device information;
transmitting a device registration request message, the device registration request message comprising: the device information and the second user digital identity certificate;
receiving the device registration request message, and checking the second user digital identity certificate and the device information; after the verification is passed, generating a service key pair and a binding message facing the equipment corresponding to the equipment information; the service key pair includes: a service public key and a service private key; the binding message comprises: the service public key;
returning a device registration response message, wherein the device registration response message comprises: and the binding message.
3. The method of claim 2, further comprising a device binding procedure after the device registration, wherein the device binding procedure comprises the following steps:
receiving an internet of things device binding request message, wherein the internet of things device binding request message comprises: the binding message;
and carrying out validity verification on the Internet of things equipment binding request message according to a preset equipment public key, and storing a service public key carried in the Internet of things equipment binding request message after the validity verification is passed.
4. The method of claim 1, wherein receiving the first user digital identity credential is accomplished by:
scanning the two-dimensional code to obtain the first user digital identity certificate; or
Receiving the first user digital identity credential via wireless transmission.
5. The method of claim 1, wherein the device operation authentication request message further comprises: device identification, operation type.
6. The method of claim 5, wherein verifying the first user digital identity credential and the device digital identity credential comprises:
acquiring equipment information according to the equipment identification;
verifying the equipment digital identity certificate and judging whether equipment corresponding to the equipment digital identity certificate is registered or not; if the equipment is registered and the equipment digital identity certificate exists locally, the verification is passed;
checking the first user digital identity certificate, and judging whether a user corresponding to the first user digital identity certificate is registered or not; if the user is registered and the first user digital identity credential exists locally, the verification passes;
and inquiring whether the first user digital identity certificate has the operation authority corresponding to the operation type.
7. An apparatus authentication system, comprising a first user terminal, an apparatus terminal, and an apparatus authentication server, wherein:
the first user terminal is used for acquiring a first user digital identity certificate and sending the first user digital identity certificate to the equipment terminal;
the equipment terminal is used for reporting an equipment operation authentication request message; the device operation authentication request message includes at least: the first user digital identity credential, the device digital identity credential; the device is also used for controlling the device according to the operation authority;
the device authentication server is configured to receive the device operation authentication request message, verify the first user digital identity credential and the device digital identity credential, and obtain an operation right corresponding to the first user digital identity credential; and returning a device operation authentication response message, wherein the device operation authentication response message at least comprises: the operation authority.
8. The system of claim 7, further comprising: a second user terminal, wherein;
the second user terminal is configured to obtain device information, where the device information includes: the device public key and the encrypted device information; and further configured to send a device registration request message, the device registration request message including: the device information and the second user digital identity certificate;
the device authentication server is used for receiving the device registration request message and verifying the second user digital identity certificate and the device information; after the verification is passed, generating a service key pair and a binding message facing the equipment corresponding to the equipment information; the service key pair includes: a service public key and a service private key; the binding message includes: the service private key; and returning a device registration response message, the device registration response message including: the binding message;
the second user terminal is further configured to receive the device registration response message, and send the binding message to the device terminal;
and the equipment terminal verifies the binding message by using the equipment public key, and stores the service public key after the verification is passed.
9. The system of claim 7, wherein the device authentication server comprises: an equipment management server, a digital identity server;
the equipment management server is used for managing the equipment terminal;
the digital identity server is used by the first user terminal and the second user terminal to manage the user's digital identity credentials.
10. A computer-readable storage medium to store processor-executable instructions, the processor-executable instructions stored in the computer-readable storage medium capable, when executed, of causing a processor to implement the device authentication method of any one of claims 1-6.
Application CN202210282040.4A, "Equipment authentication method, system and storage medium", priority date 2022-03-22, filing date 2022-03-22, legal status: pending.

Publication CN114448725A (en), publication date 2022-05-06.

Family ID 81359792; country status: CN, CN114448725A (en).
Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107294900A (en) * 2016-03-30 2017-10-24 阿里巴巴集团控股有限公司 Identity registration method and apparatus based on biological characteristics
CN107888603A (en) * 2017-11-23 2018-04-06 国民认证科技(北京)有限公司 Internet of Things smart device registration and authentication method, and Internet of Things
WO2018098950A1 (en) * 2016-12-02 2018-06-07 华为技术有限公司 Method and device for using a local authorization certificate in a terminal
CN108696479A (en) * 2017-04-07 2018-10-23 中兴通讯股份有限公司 Internet of Things authentication system and Internet of Things authentication method
CN109300208A (en) * 2018-09-03 2019-02-01 李扬渊 Unlocking method, unlocking apparatus, lock system, lock device and storage medium
CN109934976A (en) * 2019-02-01 2019-06-25 Oppo广东移动通信有限公司 Access control management method, device, system, electronic device and storage medium
CN112953970A (en) * 2021-04-01 2021-06-11 国民认证科技(北京)有限公司 Identity authentication method and identity authentication system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination