CN115001667A - Key agreement method, system, electronic device and computer readable storage medium - Google Patents

Key agreement method, system, electronic device and computer readable storage medium Download PDF

Info

Publication number
CN115001667A
CN115001667A CN202111538419.9A CN202111538419A CN115001667A CN 115001667 A CN115001667 A CN 115001667A CN 202111538419 A CN202111538419 A CN 202111538419A CN 115001667 A CN115001667 A CN 115001667A
Authority
CN
China
Prior art keywords
authentication code
electronic device
iot
equipment
iot device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111538419.9A
Other languages
Chinese (zh)
Other versions
CN115001667B (en
Inventor
李龙
梁冲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Honor Device Co Ltd
Original Assignee
Honor Device Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Honor Device Co Ltd filed Critical Honor Device Co Ltd
Priority to CN202111538419.9A priority Critical patent/CN115001667B/en
Publication of CN115001667A publication Critical patent/CN115001667A/en
Application granted granted Critical
Publication of CN115001667B publication Critical patent/CN115001667B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiment of the application relates to the field of Internet of things, and provides a key agreement method, a key agreement system, electronic equipment and a computer-readable storage medium. The key agreement method is executed by a first electronic device, the first electronic device is applied to a system comprising a server and an IoT device, and the first electronic device has control authority over the IoT device. The method comprises the following steps: sending a first authentication code request message to a server; the first authentication code request message is used for requesting to provide a device authentication code of the IoT device to the first electronic device; the equipment authentication code is generated for the IoT equipment and is sent to the server; receiving an equipment authentication code sent by a server; performing key agreement with the IoT equipment according to the equipment authentication code to generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device. The method provided by the embodiment of the application can improve the security of data transmission between the first electronic device and the IoT device.

Description

Key agreement method, system, electronic device and computer readable storage medium
Technical Field
The present application relates to the field of internet of things technology, and in particular, to a key agreement method, system, electronic device, and computer-readable storage medium.
Background
With the rapid development of internet of things (IoT) technology, IoT devices are more and more widely applied in people's lives. Typically, the IoT devices are controlled by a control terminal. Specifically, the control terminal may communicate with the IoT device through the cloud server, the control terminal sends a control instruction to the cloud server, the cloud server forwards the control instruction to the IoT device, and the IoT device receives and executes the control instruction.
In order to ensure the security of communication, encryption is required in the transmission process of the control instruction. In the related art, the encryption and transmission processes of the control command are as follows: and the control terminal encrypts the plaintext control instruction based on an encryption protocol A between the control terminal and the cloud server to generate a ciphertext control instruction a. And the control terminal uploads the ciphertext control instruction a to the cloud server. And the cloud server decrypts the ciphertext control instruction a based on the encryption protocol A to generate a plaintext control instruction. And then, the cloud service encrypts the plaintext control instruction based on an encryption protocol B with the IoT equipment to generate a ciphertext control instruction B. And the cloud server sends the ciphertext control instruction B to the IoT equipment, and the IoT equipment decrypts the ciphertext control instruction B based on the encryption protocol B to obtain a plaintext control instruction.
However, the transmission process of the control command has a problem of poor safety.
Disclosure of Invention
The application provides a key agreement method, a key agreement system, an electronic device and a computer-readable storage medium, which can improve the security of a data transmission process between the electronic device and an IoT device.
In a first aspect, the present application provides a key agreement method, which is performed by a first electronic device, the first electronic device being applied to a system including a server and an IoT device, the first electronic device having a control authority over the IoT device, the method including:
sending a first authentication code request message to a server; the first authentication code request message is used for requesting to provide the equipment authentication code of the IoT equipment to the first electronic equipment; the equipment authentication code is generated for the IoT equipment and is sent to the server; receiving an equipment authentication code sent by a server; performing key agreement with the IoT equipment according to the equipment authentication code to generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
Optionally, in a possible implementation manner, the first electronic device may be an electronic device (such as the first control terminal in the specific embodiment) that the sharer logs in. The first electronic device may install a first Application (APP). A second account (corresponding to APP account 1 in the specific embodiment) may be registered in the first APP of the first electronic device. The first electronic device may interact with the server and the IoT device through the first APP. Optionally, the first authentication code request message may carry information such as the APP account 1 and the device account of the IoT device.
Optionally, in another possible implementation manner, the first electronic device may also be an electronic device (such as the second control terminal in the specific embodiment) that the shared person logs in.
The device authentication code is used for key agreement. Optionally, the device authentication code may be generated by the IoT device during the device authentication process.
In the key agreement method provided by the first aspect, the first electronic device requests the server for the device authentication code of the IoT device, the device authentication code is generated by the IoT device, and the IoT device also holds the device authentication code, so that the first electronic device can perform key agreement with the device authentication code of the IoT device, and generate the first session key that can only be known to each other, thereby implementing end-to-end encryption of the first electronic device and the IoT device, making a third party unable to analyze data (e.g., a control instruction) transmitted between the first electronic device and the IoT device, improving security of data transmission between the first electronic device and the IoT device, and improving user experience. On the other hand, in the implementation mode, the IoT device generates the device authentication code, sends the device authentication code to the server, and the server stores the device authentication code. When the first electronic device needs to transmit data with the IoT device, the first electronic device acquires the device authentication code from the server. Meanwhile, the IoT device is generated by the IoT device, which also holds the device authentication code. In the above process, the first electronic device and the IoT device do not need to participate in the process of acquiring the device authentication code, so that the user can realize non-perception encryption, and the user experience is further improved.
In one possible implementation, performing key agreement with an IoT device according to a device authentication code to generate a first session key includes:
and performing key agreement with the IoT device based on a password-authenticated key exchange (PAKE) protocol according to the device authentication code to generate a first session key.
In one possible implementation, the IoT device is bound to the first electronic device, the system further includes a second electronic device, and the method further includes:
sending a sharing application message to a server, wherein the sharing application message is used for requesting to share the control authority of the IoT equipment to the second electronic equipment, and the sharing application message comprises equipment information and an equipment authentication code of the IoT equipment; the device authentication code is also used for the second electronic device to perform key agreement with the IoT device to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
The IoT device is bound to the first electronic device, i.e., the IoT device has sharing rights to the first electronic device.
Optionally, the second electronic device may be a second control terminal in the specific implementation. The second electronic device may be installed with the first APP. A first account (corresponding to APP account 2 in the specific embodiment) may be registered in the first APP of the second electronic device. The second electronic device may interact with the server and the IoT device through the first APP.
Optionally, the sharing application message may carry information of an account (i.e., APP account 1) logged in the first APP of the first electronic device, information of a device account of the IoT device, information of an account (i.e., APP account 2) logged in the first APP of the second electronic device, and the like.
In the implementation manner, the sharing application message is sent to the server, the device information of the IoT device is shared to the second electronic device, and the device authentication code is shared to the second electronic device, so that the second electronic device and the IoT device can perform key agreement based on the device authentication code, and generate the second session key which can only be known to each other, thereby implementing end-to-end encryption of the second electronic device and the IoT device, so that a third party cannot analyze data transmitted between the second electronic device and the IoT device, improving the security of direct data transmission between the second electronic device and the IoT device in a device sharing scene, and further improving user experience.
In a possible implementation, the method further includes:
receiving an authentication code updating message sent by a server; the authentication code updating message is used for indicating to update the equipment authentication code, and the authentication code updating message comprises the equipment authentication code which is regenerated under the condition that the equipment authentication code exceeds a first preset validity period; and updating the equipment authentication code according to the authentication code updating message.
Optionally, the IoT device may set a validity period for the device authentication code (e.g., the validity period may be 90 days). When the device authentication code exceeds the validity period, the IoT device regenerates the device authentication code and will send an authentication code update message to the server. And the server updates the stored equipment authentication code according to the authentication code updating message and sends the authentication code updating message to the first electronic equipment, and the first electronic equipment updates the equipment authentication code according to the authentication code updating message.
In the implementation manner, the security of the device authentication code can be improved and the risk that the device authentication code is stolen is reduced by updating the device authentication code, so that the security of the first session key obtained by the first electronic device and the IoT device according to the device authentication code negotiation is higher, the security of data transmission between the first electronic device and the IoT device is further improved, and the user experience is improved.
In a possible implementation, the method further includes:
and under the condition that the first session key exceeds the second preset validity period, carrying out key agreement again with the IoT equipment according to the equipment authentication code to generate a new first session key.
Optionally, the first electronic device and the IoT device may set a validity period for the first session key (e.g., may be 7 days). And within the validity period, the first electronic device and the IoT device are encrypted and decrypted through the first session key. When the first session key exceeds the set validity period, the first electronic device and the IoT device may regenerate the session key based on the device authentication code, thereby further improving the security of the first session key and further improving the security of data transmission between the first electronic device and the IoT device.
In a second aspect, the present application provides a key agreement method, where the method is performed by a server, and the server is applied to a system including a first electronic device and an IoT device, where the first electronic device has a control authority over the IoT device, and the method includes:
receiving and storing a device authentication code of the IoT device sent by the IoT device; the device authentication code is generated for the IoT device; receiving a first authentication code request message sent by first electronic equipment; the first authentication code request message is used for requesting to send an equipment authentication code to the first electronic equipment; responding to the first authentication code request message, and sending the equipment authentication code to the first electronic equipment; the device authentication code is used for the first electronic device to perform key agreement with the IoT device to generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
The beneficial effects of the key agreement method provided by the second aspect are similar to the beneficial effects of the key agreement method provided by the first aspect, and are not described herein again.
In one possible implementation, the IoT device is bound to the first electronic device, the system further includes a second electronic device, and the method further includes:
receiving a sharing application message sent by a first electronic device, wherein the sharing application message is used for requesting to share the control authority of the IoT device to a second electronic device and comprises device information and a device authentication code of the IoT device; in response to the sharing application message, associating the device information and the device authentication code with information of the second electronic device, so that the second electronic device has a control right on the IoT device; the device authentication code is also used for the second electronic device to perform key agreement with the IoT device to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
In this implementation manner, in the device sharing phase, the server associates the device authentication code of the IoT device with the APP account 2 logged in by the first APP of the second electronic device, that is, shares the device authentication code, so that when data needs to be transmitted between the second electronic device and the IoT device, the second electronic device can obtain the device authentication code from the server. Meanwhile, the device authentication code is generated by an IoT device, which holds the device authentication code. In the process, the processes of obtaining the equipment authentication code by the second electronic equipment and the IoT equipment do not need user participation, so that the non-perception encryption of the user is realized, and the user experience is further improved. In addition, in the implementation manner, in the device sharing stage, the first electronic device sends a sharing message to the server, and the server responds to the sharing application message and associates the device information and the device authentication code with the information of the second electronic device. The whole sharing process only needs interaction between the device (the first electronic device) corresponding to the sharer and the server, the sharee and the device to be shared do not need to be on line, the sharing process is simple and quick, and quick sharing of the IoT device can be achieved.
In one possible implementation, a first application of the second electronic device is logged in to a first account, and the first application refers to an application for controlling an IoT device; responding to the sharing application message, associating the equipment information and the equipment authentication code with the information of the second electronic equipment, and including:
and responding to the sharing application message, and hanging the equipment information and the equipment authentication code under the first account.
In a possible implementation, the method further includes:
receiving a second authentication code request message sent by second electronic equipment; the second authentication code request message is used for requesting to provide the equipment authentication code for the second electronic equipment; and sending the equipment authentication code to the second electronic equipment in response to the second authentication code request message.
The beneficial effects of the method in this implementation are referred to in the first aspect, and are not described herein again.
In a possible implementation, the method further includes:
receiving an authentication code update message sent by an IoT device; the authentication code updating message is used for indicating to update the equipment authentication code, and the authentication code updating message comprises the equipment authentication code which is regenerated under the condition that the equipment authentication code exceeds a first preset validity period; updating the equipment authentication code according to the authentication code updating message; and sending the authentication code updating message to the first electronic equipment.
The beneficial effects of the method in this implementation manner are referred to the key agreement method in the first aspect, and are not described herein again.
In one possible implementation, the system further includes a second electronic device, the second electronic device having control authority over the IoT device, and the method further includes:
and sending the authentication code updating message to the second electronic equipment.
In the implementation manner, the authentication code update message is sent to the second electronic device, so that the second electronic device can update the device authentication code, the security of the device authentication code in the second electronic device is improved, and the risk that the device authentication code is stolen is reduced, so that the security of a second session key obtained by the second electronic device and the IoT device through negotiation according to the device authentication code is higher, the security of data transmission between the second electronic device and the IoT device is further improved, and the user experience is improved.
In a third aspect, the present application provides a key agreement method, which is performed by an IoT device applied to a system including a first electronic device and a server, where the first electronic device has a control authority over the IoT device, and the method includes:
generating an equipment authentication code; sending the equipment authentication code to a server; performing key agreement with the first electronic device according to the device authentication code to generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
For the beneficial effects of the method in this implementation, reference is made to the key agreement methods of the first aspect and the second aspect, which are not described herein again.
In one possible implementation, generating the device authentication code includes:
and generating a device authentication code when the registration information of the IoT device sent by the first electronic device is received.
In the implementation manner, the device authentication code is generated under the condition that the registration information of the IoT device sent by the first electronic device is received, that is, the device authentication code is generated at the device authentication stage of the IoT device, so that the IoT device sends the device authentication code and the device registration information to the server together, the server associates and manages the device authentication code and the relevant information of the IoT device, and the device authentication code generation and management efficiency is improved.
In one possible implementation manner, performing key agreement with the first electronic device according to the device authentication code to generate a first session key includes:
and according to the equipment authentication code, carrying out key agreement with the first electronic equipment based on a password authentication key exchange protocol to generate a first session key.
The beneficial effects of the method in this implementation manner are referred to the key agreement method in the first aspect, and are not described herein again.
In a possible implementation, the method further includes:
regenerating the equipment authentication code under the condition that the equipment authentication code exceeds the first preset validity period; and sending an authentication code updating message to the server, wherein the authentication code updating message is used for indicating to update the equipment authentication code, and the authentication code updating message comprises the regenerated equipment authentication code.
For the beneficial effects of the method in this implementation, reference is made to the key agreement methods of the first aspect and the second aspect, which are not described herein again.
In a possible implementation, the method further includes:
and under the condition that the first session key exceeds the second preset validity period, carrying out key agreement with the first electronic equipment again according to the equipment authentication code to generate a new first session key.
The beneficial effects of the method in this implementation manner are referred to the key agreement method in the first aspect, and are not described herein again.
In one possible implementation, the system further includes a second electronic device, the second electronic device having a control authority over the IoT device, and the method further includes:
performing key agreement with the second electronic device according to the device authentication code to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
For the beneficial effects of the method in this implementation, reference is made to the key agreement methods of the first aspect and the second aspect, which are not described herein again.
In a fourth aspect, the present application provides an apparatus, which is included in a first electronic device, and which has a function of implementing the behavior of the electronic device in the first aspect and possible implementations of the first aspect. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above-described functions. Such as a receiving module or unit, a processing module or unit, etc.
In a fifth aspect, the present application provides an apparatus, which is included in a server, and which has a function of implementing the behavior of the electronic device in the second aspect and possible implementations of the second aspect. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above-described functions. Such as a receiving module or unit, a processing module or unit, etc.
In a sixth aspect, the present application provides an apparatus, which is included in an IoT device, and which has a function of implementing the behavior of an electronic device in the third aspect and possible implementations of the third aspect. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above-described functions. Such as a receiving module or unit, a processing module or unit, etc.
In a seventh aspect, the present application provides an IoT system, comprising: the mobile terminal comprises a first electronic device, a server and an IoT device, wherein the first electronic device is used for executing any one of the technical schemes of the first aspect, the server is used for executing any one of the technical schemes of the second aspect, and the IoT device is used for executing any one of the technical schemes of the third aspect.
In an eighth aspect, the present application provides an electronic device, comprising: a processor, a memory, and an interface; the processor, the memory and the interface cooperate with each other to enable the electronic device to execute any one of the methods in the technical solutions of the first aspect, or to enable the electronic device to execute any one of the methods in the technical solutions of the second aspect, or to enable the electronic device to execute any one of the methods in the technical solutions of the third aspect.
In a ninth aspect, the present application provides a chip comprising a processor. The processor is adapted to read and execute the computer program stored in the memory to perform the method of the first aspect and any possible implementation thereof, or to perform the method of the second aspect and any possible implementation thereof, or to perform the method of the third aspect and any possible implementation thereof.
Optionally, the chip further comprises a memory, and the memory is connected with the processor through a circuit or a wire.
Further optionally, the chip further comprises a communication interface.
In a tenth aspect, the present application provides a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the processor is enabled to execute any one of the methods in the technical solutions of the first aspect, or execute the method in the second aspect and any possible implementation manner thereof, or execute the method in the third aspect and any possible implementation manner thereof.
In an eleventh aspect, the present application provides a computer program product comprising: computer program code for causing an electronic device to perform any of the methods of the first aspect as such or in any of its possible implementations, when the computer program code runs on the electronic device.
For the beneficial effects of the fourth to eleventh aspects, reference is made to the beneficial effects of the key agreement methods of the first, second and third aspects, which are not described herein again.
Drawings
Fig. 1 is a schematic diagram illustrating an encryption principle in a process of sending a control instruction to an IoT device by a control terminal in the related art;
fig. 2 is a schematic structural diagram of an IoT system to which an example key agreement method provided in the embodiment of the present application is applied;
fig. 3 is a schematic structural diagram of an example of an electronic device according to an embodiment of the present application;
fig. 4 is a flowchart illustrating an example of a key agreement method according to an embodiment of the present application;
fig. 5 is a schematic data flow diagram of an example of the device registration phase according to the embodiment of the present application;
fig. 6 is a schematic data flow diagram of an example key agreement phase according to the embodiment of the present application;
FIG. 7 is a schematic diagram of data flow in an example of a device control phase according to an embodiment of the present disclosure;
fig. 8 is a schematic interface change diagram of an example process of sharing an IoT device by a cell phone a according to the embodiment of the present disclosure;
fig. 9 is a schematic view of an example of an interface for sharing received by the mobile phone B according to the embodiment of the present disclosure;
fig. 10 is a flowchart illustrating another key agreement method provided in an embodiment of the present application;
fig. 11 is a schematic data flow diagram of an example of an apparatus sharing phase according to an embodiment of the present disclosure;
fig. 12 is a schematic data flow diagram of another key agreement phase provided in an embodiment of the present application;
FIG. 13 is a schematic diagram of data flow in a control phase of another embodiment of the apparatus provided in this application;
fig. 14 is a flowchart illustrating a key agreement method according to another embodiment of the present application;
fig. 15 is a schematic structural diagram of an example of a key agreement device according to an embodiment of the present application;
fig. 16 is a schematic structural diagram of another example of a key agreement device according to an embodiment of the present application;
fig. 17 is a schematic structural diagram of a key agreement device according to another example provided in the embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. Wherein in the description of the embodiments of the present application, "/" indicates an inclusive meaning, for example, a/B may indicate a or B; "and/or" herein is merely an association describing an associated object, and means that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, in the description of the embodiments of the present application, "a plurality" means two or more than two.
In the following, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, features defined as "first", "second", "third" may explicitly or implicitly include one or more of the features.
Reference throughout this specification to "one embodiment" or "some embodiments," or the like, means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the present application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," or the like, in various places throughout this specification are not necessarily all referring to the same embodiment, but rather "one or more but not all embodiments" unless specifically stated otherwise. The terms "comprising," "including," "having," and variations thereof mean "including, but not limited to," unless otherwise specifically stated.
In order to better understand the embodiments of the present application, terms or concepts that may be referred to in the embodiments are explained below.
An IoT device: a physical object in an IoT network. In this embodiment of the application, the IoT device may be an intelligent household device, for example, an intelligent sound box, an intelligent desk lamp, an intelligent air conditioner, an intelligent refrigerator, an intelligent door lock, an intelligent curtain, or the like. In addition, the IoT device may also be an in-vehicle device, a wearable device, an Augmented Reality (AR)/Virtual Reality (VR) device, or other intelligent devices, and the specific type of the IoT device is not limited in this embodiment.
The control terminal: the control terminal refers to a terminal installed with an Application (APP) for controlling an IoT device, and includes but is not limited to a mobile phone, a tablet computer, a wearable device, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook, a Personal Digital Assistant (PDA), and the like. The APP controlling the IoT device may be, for example, smart life, smart space, or the like.
Cloud server: also known as IoT clouds, smart home clouds, cloud platforms, cloud ends or device clouds, etc. The cloud server is used for storing relevant data of the IoT device, or controlling forwarding transmission of data (e.g., control instructions) between the terminal and the IoT device, and the like.
APP account: information that a user registers in an APP controlling an IoT device to characterize the user's identity. The APP account is also referred to as APP account information, APP user information, or as APP user identity (user ID).
Device authentication code of IoT device: generated by the IoT device for key agreement. The device authentication code may be a character string generated randomly by the IoT device or generated according to a preset rule. The device authentication codes generated by different IoT devices are different, and the device authentication codes generated by the same IoT device each time are different.
Registration information of IoT devices: information required by IoT devices at device registration. The registration information of the IoT device may include registrant identity information of the IoT device, an activation code of the IoT device, and the like.
Registrant identity information of IoT devices: namely, a register identity document, referred to as regID, is used to characterize the unique identity of the IoT device in the device registration phase.
Activation code of IoT device: i.e., active code, for registration activation of the IoT device in the device registration phase.
Device account of IoT device: also known as the device identity (devID) of the IoT device, is used to characterize the unique identity of the IoT device.
Login password of IoT device: information for verifying an identity when an IoT device logs into a device account. The device account of one IoT device corresponds to one login password.
Device sharing: also known as IoT device sharing, sharing a device or shared device, and so on. And a certain APP account logged in a control terminal is bound with a certain IoT device, and the control terminal has control authority over the IoT device. The control terminal shares the control authority of the IoT device with another control terminal logged in other APP accounts, so that the other control terminal also has the control authority of the IoT device, and the process is referred to as IoT device sharing, which is simply referred to as device sharing.
Sharing people: the APP account is registered in a control terminal that shares IoT device control authority with other control terminals. For example, the control terminal a logs in the APP account 1, and the control terminal a shares the control authority of the IoT device a to the control terminal B that logs in the APP account 2, so that the APP account a is a sharer.
The shared person: the passive sharer is an APP account registered in the control terminal that receives device sharing of another control terminal. In the above example, APP account B is the sharee.
Fig. 1 is a schematic diagram illustrating an encryption principle in a process of sending a control instruction to an IoT device by a control terminal in the related art. As shown in fig. 1, the control terminal 101 includes a first encryption module 111, and the cloud server 200 includes a first decryption module 221 and a second encryption module 222. The IoT device 300 includes a second decryption module 331. The control terminal 101 and the cloud server 200 perform encryption and decryption based on the encryption protocol a. Encryption and decryption are performed between the cloud server 200 and the IoT device 300 based on the encryption protocol B.
When the control terminal 101 needs to send a control instruction to the IoT device 300, the first encryption module 111 of the control terminal 101 encrypts the plaintext control instruction based on the encryption protocol a to generate a ciphertext control instruction a. The first encryption module 111 sends the first ciphertext control instruction to the first decryption module 221 of the cloud server 200. The first decryption module 221 decrypts the ciphertext control instruction a based on the first encryption protocol to obtain the plaintext control instruction. The first decryption module 221 sends the plaintext control command to the second encryption module 222. The second encryption module 222 encrypts the plaintext control command based on the encryption protocol B to obtain a ciphertext control command B. The second encryption module 222 sends the ciphertext control instruction b to the second decryption module 331 of the IoT device 300. The second decryption module 331 decrypts the ciphertext control instruction B based on the encryption protocol B to obtain a plaintext control instruction.
As can be seen from the above process, the first ciphertext control instruction is transmitted from the control terminal 101 to the IoT device 300, and needs to be decrypted by the cloud server 200, so that the cloud server 200 can obtain the plaintext control instruction. That is to say, in the transmission process of the first ciphertext control instruction, a third party (cloud server) has analyzed the ciphertext control instruction a, so that the transmission of the control instruction between the control terminal 101 and the IoT device 300 is not secure enough.
The embodiment of the application provides a key negotiation method, which can realize end-to-end encryption of a control terminal and IoT equipment, avoid a control instruction being analyzed by a third party, and improve the security of control instruction transmission. Moreover, the key agreement method provided by the embodiment of the present application can also be applied to the sharing process of the IoT device, which not only can improve the security of the transmission of the control instruction of the control terminal where the sharer is located, but also can improve the security of the transmission of the control instruction of the terminal device where the sharee is located. The following describes a key agreement method provided in the present application with reference to an embodiment.
For convenience of understanding, before describing the key agreement method provided in the embodiment of the present application, first, the configurations of a system and an electronic device to which the key agreement method provided in the embodiment of the present application is applied will be described.
Fig. 2 is a schematic structural diagram of an IoT system to which the key agreement method is applied according to an example provided in the present embodiment. As shown in fig. 2, the IoT system may include a first control terminal 210, an IoT device 220, a second control terminal 230, and a server 240. The first control terminal 210, the IoT device 220, and the second control terminal 230 are respectively network-connected with the server 240. Meanwhile, the first control terminal 210 and the IoT device 220 may be connected through proximity field communication, such as wireless fidelity (Wi-Fi), Bluetooth (BT), peer-to-peer (P2P), and the like. The second control terminal 230 and the IoT device 220 may also be connected through near field communication.
Each of the first control terminal 210 and the second control terminal 230 has an APP (hereinafter referred to as a first APP) installed therein for controlling an IoT device. The server 240 is a management server of the first APP. Alternatively, the server 240 may be a cloud server. The first control terminal 210 logs in APP account 1 in the first APP it installs; the second control terminal 220 logs in APP account 2 in the first APP it installs. APP account 1 logged in the first APP of the first control terminal 210 may bind the IoT device 220 (also referred to as the first control terminal 210 binding with the IoT device 220). The server may manage APP account 1, APP account 2, accounts for IoT devices, and so on. It should be noted that, in the embodiment of the present application, the interactions between the first control terminal 210 and the server 240 and the interactions between the second control terminal 230 and the server are both performed through the first APP. Meanwhile, the interaction between the first and second control terminals 210 and 230 and the IoT device 220 is also performed through the first APP.
Optionally, the first control terminal 210 and the second control terminal 230 may be the same type of device or different types of devices. For example, the first control terminal 210 may be a mobile phone, and the second control terminal 230 may be a tablet computer. The following embodiments take the first control terminal 210 and the second control terminal 230 as mobile phones as examples.
For example, fig. 3 is a schematic structural diagram of an example of the first control terminal 210 and the second control terminal 230 (hereinafter, collectively referred to as the electronic device 100) provided in the embodiment of the present application. The electronic device 100 may include a processor 110, an external memory interface 120, an internal memory 121, a Universal Serial Bus (USB) interface 130, a charging management module 140, a power management module 141, a battery 142, an antenna 1, an antenna 2, a mobile communication module 150, a wireless communication module 160, an audio module 170, a speaker 170A, a receiver 170B, a microphone 170C, an earphone interface 170D, a sensor module 180, a key 190, a motor 191, an indicator 192, a camera 193, a display screen 194, a Subscriber Identification Module (SIM) card interface 195, and the like. The sensor module 180 may include a pressure sensor 180A, a gyroscope sensor 180B, an air pressure sensor 180C, a magnetic sensor 180D, an acceleration sensor 180E, a distance sensor 180F, a proximity light sensor 180G, a fingerprint sensor 180H, a temperature sensor 180J, a touch sensor 180K, an ambient light sensor 180L, a bone conduction sensor 180M, and the like.
It is to be understood that the illustrated structure of the embodiment of the present application does not specifically limit the electronic device 100. In other embodiments of the present application, electronic device 100 may include more or fewer components than shown, or some components may be combined, some components may be split, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Processor 110 may include one or more processing units, such as: the processor 110 may include an Application Processor (AP), a modem processor, a Graphics Processing Unit (GPU), an Image Signal Processor (ISP), a controller, a memory, a video codec, a Digital Signal Processor (DSP), a baseband processor, and/or a neural-Network Processing Unit (NPU), etc. Wherein, the different processing units may be independent devices or may be integrated in one or more processors.
The controller may be, among other things, a neural center and a command center of the electronic device 100. The controller can generate an operation control signal according to the instruction operation code and the timing signal to complete the control of instruction fetching and instruction execution.
A memory may also be provided in processor 110 for storing instructions and data. In some embodiments, the memory in the processor 110 is a cache memory. The memory may hold instructions or data that have just been used or recycled by the processor 110. If the processor 110 needs to use the instruction or data again, it can be called directly from memory. Avoiding repeated accesses reduces the latency of the processor 110, thereby increasing the efficiency of the system.
In some embodiments, processor 110 may include one or more interfaces. The interface may include an integrated circuit (I2C) interface, an integrated circuit built-in audio (I2S) interface, a Pulse Code Modulation (PCM) interface, a universal asynchronous receiver/transmitter (UART) interface, a Mobile Industry Processor Interface (MIPI), a general-purpose input/output (GPIO) interface, a Subscriber Identity Module (SIM) interface, and/or a Universal Serial Bus (USB) interface, etc.
It should be understood that the interface connection relationship between the modules illustrated in the embodiments of the present application is only an illustration, and does not limit the structure of the electronic device 100. In other embodiments of the present application, the electronic device 100 may also adopt different interface connection manners or a combination of multiple interface connection manners in the above embodiments.
The wireless communication function of the electronic device 100 may be implemented by the antenna 1, the antenna 2, the mobile communication module 150, the wireless communication module 160, a modem processor, a baseband processor, and the like.
The antennas 1 and 2 are used for transmitting and receiving electromagnetic wave signals. The structure of the antenna 1 and the antenna 2 in fig. 3 is only an example. Each antenna in the electronic device 100 may be used to cover a single or multiple communication bands. Different antennas can also be multiplexed to improve the utilization of the antennas. For example: the antenna 1 may be multiplexed as a diversity antenna of a wireless local area network. In other embodiments, the antenna may be used in conjunction with a tuning switch.
The mobile communication module 150 may provide a solution including 2G/3G/4G/5G wireless communication applied to the electronic device 100. The mobile communication module 150 may include at least one filter, a switch, a power amplifier, a Low Noise Amplifier (LNA), and the like. The mobile communication module 150 may receive the electromagnetic wave from the antenna 1, filter, amplify, etc. the received electromagnetic wave, and transmit the electromagnetic wave to the modem processor for demodulation. The mobile communication module 150 may also amplify the signal modulated by the modem processor, and convert the signal into electromagnetic wave through the antenna 1 to radiate the electromagnetic wave. In some embodiments, at least some of the functional modules of the mobile communication module 150 may be disposed in the processor 110. In some embodiments, at least some of the functional modules of the mobile communication module 150 may be disposed in the same device as at least some of the modules of the processor 110.
The wireless communication module 160 may provide a solution for wireless communication applied to the electronic device 100, including Wireless Local Area Networks (WLANs) (e.g., wireless fidelity (Wi-Fi) networks), bluetooth (bluetooth, BT), Global Navigation Satellite System (GNSS), Frequency Modulation (FM), Near Field Communication (NFC), Infrared (IR), and the like. The wireless communication module 160 may be one or more devices integrating at least one communication processing module. The wireless communication module 160 receives electromagnetic waves via the antenna 2, performs frequency modulation and filtering processing on electromagnetic wave signals, and transmits the processed signals to the processor 110. The wireless communication module 160 may also receive a signal to be transmitted from the processor 110, perform frequency modulation and amplification on the signal, and convert the signal into electromagnetic waves through the antenna 2 to radiate the electromagnetic waves.
In some embodiments, antenna 1 of electronic device 100 is coupled to mobile communication module 150 and antenna 2 is coupled to wireless communication module 160 so that electronic device 100 can communicate with networks and other devices through wireless communication techniques. The wireless communication technology may include global system for mobile communications (GSM), General Packet Radio Service (GPRS), code division multiple access (code division multiple access, CDMA), Wideband Code Division Multiple Access (WCDMA), time-division code division multiple access (time-division code division multiple access, TD-SCDMA), Long Term Evolution (LTE), LTE, BT, GNSS, WLAN, NFC, FM, and/or IR technologies, among others. GNSS may include Global Positioning System (GPS), global navigation satellite system (GLONASS), beidou satellite navigation system (BDS), quasi-zenith satellite system (QZSS), and/or Satellite Based Augmentation System (SBAS).
The electronic device 100 implements display functions via the GPU, the display screen 194, and the application processor. The GPU is a microprocessor for image processing, and is connected to the display screen 194 and an application processor. The GPU is used to perform mathematical and geometric calculations for graphics rendering. The processor 110 may include one or more GPUs that execute program instructions to generate or alter display information.
The display screen 194 is used to display images, video, and the like. The display screen 194 includes a display panel. The display panel may adopt a Liquid Crystal Display (LCD), an organic light-emitting diode (OLED), an active-matrix organic light-emitting diode (active-matrix organic light-emitting diode, AMOLED), a flexible light-emitting diode (FLED), a miniature, a Micro-oeld, a quantum dot light-emitting diode (QLED), and the like. In some embodiments, the electronic device 100 may include 1 or N display screens 194, N being a positive integer greater than 1.
The touch sensor 180K is also referred to as a "touch panel". The touch sensor 180K may be disposed on the display screen 194, and the touch sensor 180K and the display screen 194 form a touch screen, which is also called a "touch screen". The touch sensor 180K is used to detect a touch operation acting thereon or nearby. The touch sensor may communicate the detected touch operation to the application processor to determine the touch event type. Visual output associated with the touch operation may be provided via the display screen 194. In other embodiments, the touch sensor 180K may be disposed on the surface of the electronic device 100 at a different position than the display screen 194.
The key agreement method provided by the embodiment of the present application is explained in detail below with reference to the accompanying drawings and application scenarios. For convenience of understanding, in the following embodiments, the first control terminal is a mobile phone a, the second control terminal is a mobile phone B, the IoT device is an IoT device C, and the server is a cloud server. The mobile phone A and the mobile phone B are both provided with a first APP, the first APP in the mobile phone A logs in an APP account 1, and the first APP in the mobile phone B logs in an APP account 2.
Fig. 4 is a flowchart illustrating an example of a key agreement method according to an embodiment of the present application. As shown in fig. 4, the present embodiment relates to a process in which a handset a controls an IoT device C, and the process includes a device registration phase, a key agreement phase, and a device control phase. The following describes the specific processes of the respective stages with reference to fig. 4:
1. device registration phase
Fig. 5 is a schematic diagram illustrating a data flow in a device registration phase according to an embodiment of the present disclosure. Referring to fig. 4 and 5, in the present embodiment, the device registration phase includes:
s401, the mobile phone A applies for registration information of the IoT device C from the cloud server through the first APP.
Optionally, the first APP of the mobile phone a may send a first application message to the cloud server, where the first application message is used to request the cloud server to send the registration information of the IoT device C to the first APP of the mobile phone a. Optionally, the first application message may carry information of an APP account logged in the first APP of the mobile phone a, that is, the first application message carries information of the APP account 1.
S402, the cloud server responds to the application of the first APP of the mobile phone A and generates registration information of the IoT equipment C.
Optionally, the registration information of the IoT device C may include a registrant identity (regID) of the IoT device C and an activation code (active code) of the IoT device C.
S403, the cloud server sends the generated registration information of the IoT device C to the first APP of the mobile phone a.
Specifically, the cloud server may send the generated registration information of the IoT device C to the first APP of the mobile phone a according to the information of the APP account 1 carried in the first application message.
It can be understood that, while sending the registration information of the IoT device C to the first APP of the mobile phone a, the cloud server may store the generated registration information of the IoT device C, and associate the registration information of the IoT device C with the APP account 1, so as to perform authentication when registering a subsequent device.
S404, the mobile phone a sends registration information of the IoT device C to the IoT device C through the first APP.
Optionally, handset a may send registration information of IoT device C to IoT device C through the first APP based on the nfc connection with IoT device C.
S405, after receiving the registration information, the IoT device C generates a device authentication code of the IoT device C.
S406, the IoT device C sends the registration information and the device authentication code of the IoT device C to the cloud server, and applies for device registration from the cloud server.
Specifically, IoT device C may send a second application message to the cloud server, where the second application message is used to request the cloud server to register IoT device C. Optionally, the second application message may carry registration information of the IoT device C (including the identity of the registrant and the activation code of the IoT device C) and a device authentication code.
It will be appreciated that IoT device C may save its device authentication code while sending it to the server.
S407, the cloud server performs device registration in response to the application of the IoT device C.
Specifically, the cloud server may compare and verify the registration information sent by the IoT device C with the registration information of the IoT device C associated with the APP account 1 stored in the cloud server, and if the two are consistent, the cloud server generates the device information of the IoT device C. The device information includes a device account, a login password, and the like. The cloud server binds the device information of IoT device C with APP account 1, that is, associates the device information of IoT device C with APP account 1.
And S408, simultaneously, the cloud server stores the equipment authentication code of the IoT equipment C.
It may be appreciated that the cloud server may associate the device authentication code of IoT device C with the device account of IoT device C in order to look up the device authentication code of IoT device C from the device account of IoT device C.
S409, the cloud server returns the registration result to the IoT device C.
Optionally, the registration result may include a device account and a login password of the IoT device C. IoT device C may log into the cloud server according to the device account and the login password.
2. Key agreement phase
Fig. 6 is a schematic diagram illustrating a data flow of an example key agreement phase according to an embodiment of the present application. Referring to fig. 4 and fig. 6, in this embodiment, the key agreement phase includes:
s410, the mobile phone a requests the cloud server for the device authentication code of the IoT device C through the first APP.
Optionally, the mobile phone a may send a first authentication code request message to the cloud server through the first APP, where the first authentication code request message is used to request the cloud server to send the device authentication code of the IoT device C to the first APP of the mobile phone a. Optionally, the first authentication code request message may carry information such as the APP account 1 and the device account of the IoT device C.
S411, the cloud server responds to the request of the first APP of the mobile phone A and sends the equipment authentication code of the IoT equipment C to the first APP of the mobile phone A.
Specifically, the cloud server may search all the device accounts associated with the APP account 1 according to the information of the APP account 1 and the device account of the IoT device C carried in the first authentication code request message, search the device account of the IoT device C from the device accounts, search the device authentication code of the IoT device C from the information associated with the device account of the IoT device C, and send the device authentication code to the first APP of the mobile phone a. Of course, the cloud server may also search for the device authentication code of the IoT device C by other methods, which is not limited in this embodiment of the present application.
S412, the mobile phone a performs key agreement with the IoT device C through the first APP based on the device authentication code of the IoT device C, and generates a first session key.
Optionally, the first APP of the mobile phone a and the IoT device C may perform key agreement based on the pawe protocol. In one embodiment, the key agreement procedure may be as follows: 1) the first APP of the mobile phone a and the IoT device C exchange a random number and a challenge code through the cloud server. Specifically, a first APP of the mobile phone a generates a first random number and a first challenge code, and sends the first random number and the first challenge code to the IoT device C through the cloud server; the IoT device C generates a second random number and a second challenge code, and sends the second random number and the second challenge code to the first APP of the mobile phone a through the cloud server. 2) The first APP of the mobile phone a generates a first session key according to the first random number, the first challenge code, the second random number, the second challenge code, and the device authentication code of the IoT device C. 3) IoT device C generates a first session key based on the first random number, the first challenge code, the second random number, the second challenge code, and the device authentication code of IoT device C.
It can be understood that when handset a is connected to IoT device C in near field communication, the first APP of handset a may also directly communicate with IoT device C for key agreement.
It should be noted that the first APP of the handset a and the IoT device C negotiate to generate the first session key, which only can be known to each other, and other devices cannot know the first session key.
Optionally, handset a and IoT device C may set a validity period (e.g., may be 7 days) for the first session key. And during the validity period, the mobile phone A and the IoT device C perform encryption and decryption through the first session key. When the first session key exceeds the set validity period, the handset a and the IoT device C may regenerate the session key based on the device authentication code of the IoT device C, thereby further improving the security of the first session key, and further improving the security of data transmission between the handset a and the IoT device C.
3. Stage of equipment control
Fig. 7 is a schematic diagram illustrating a data flow of an example of an apparatus control phase according to an embodiment of the present application. Referring to fig. 4 and 7 together, the device control phase includes:
s413, when the mobile phone a needs to send the first plaintext control instruction to the IoT device C, the first APP of the mobile phone a encrypts the first plaintext control instruction according to the first session key generated in step S412 to obtain the first ciphertext control instruction.
And S414, the first APP of the mobile phone A sends the first ciphertext control instruction to the cloud server.
S415, the cloud service forwards the first ciphertext control instruction to the IoT device C.
S416, after receiving the first ciphertext control instruction, the IoT device C decrypts the first ciphertext control instruction according to the first session key generated in step S412 to obtain the first plaintext control instruction.
S417, IoT device C executes the first plaintext control instruction.
Specifically, the first APP of handset a may include an encryption module a, and the IoT device C may include a decryption module. And the encryption module A encrypts the first plaintext control instruction according to the first session key to obtain a first ciphertext control instruction. The encryption module A sends the first ciphertext control instruction to the cloud server, and the cloud server forwards the first ciphertext control instruction to the decryption module of the IoT device C. The decryption module decrypts the first ciphertext control instruction to obtain a first plaintext control instruction, and executes the first plaintext control instruction.
In this embodiment, when the control instruction is transmitted, the first APP of the mobile phone a and the IoT device C perform key agreement based on the device authentication code of the IoT device C to generate the first session key that can only be known to each other, so that end-to-end encryption of the mobile phone a and the IoT device C is implemented, a third party cannot resolve the first ciphertext control instruction, the security of transmission of the control instruction in the process of controlling the IoT device C by the mobile phone a is improved, and user experience is improved. On the other hand, in the embodiment, the IoT device C generates the device authentication code of the IoT device C, and sends the device authentication code of the IoT device C to the cloud server, and the cloud server stores the device authentication code. When the mobile phone A needs to send a control instruction to the IoT device C, the first APP of the mobile phone A obtains the device authentication code of the IoT device C from the cloud server. Meanwhile, the IoT device C stores the device authentication code, so that the handset a and the IoT device C can have the same device authentication code for performing key agreement. In the process, the processes of obtaining the equipment authentication code by the first APP of the mobile phone A and obtaining the equipment authentication code by the IoT equipment C do not need user participation, so that the user can realize non-perception encryption, and the user experience is further improved.
It should be noted that, in the above embodiment, the encryption and decryption processes of the control instruction are described as an example. However, the key agreement method provided in the embodiment of the present application is not limited thereto, and the method may be used to encrypt and decrypt any data transmitted between the control terminal and the IoT device, and the present application is not limited thereto.
In addition, it can be understood that the device authentication code of the IoT device C in the above embodiment may be a long-term valid device authentication code. That is, the IoT device C and the device authentication code of the IoT device C held by the cloud server are fixed. In other embodiments, the device authentication code of the IoT device C may be updated periodically or aperiodically. For example, IoT device C may set a validity period for the device authentication code (e.g., the validity period may be 90 days). When the device authentication code exceeds the validity period, the IoT device C regenerates the device authentication code, and sends an authentication code update message (the message may carry the regenerated device authentication code) to the cloud server to request the cloud server to update the device authentication code. The cloud server responds to the request of the IoT equipment C, updates the equipment authentication code of the IoT equipment C, sends an authentication code updating message to the mobile phone A and informs the first APP of the mobile phone A of updating the equipment authentication code. By updating the equipment authentication code, the security of the equipment authentication code can be improved, and the risk that the equipment authentication code is stolen is reduced, so that the security of the first session key obtained by the mobile phone A and the IoT equipment C according to the equipment authentication code negotiation is higher, the security of control instruction transmission between the mobile phone A and the IoT equipment C is further improved, and the user experience is improved.
The above process is a process of encrypting the control instruction based on the device authentication code in the process of controlling the IoT device C. In some embodiments, when the mobile phone a shares the IoT device C bound to the APP account 1 with the mobile phone B logged in with the APP account 2 (i.e., the APP account 1 is a sharer and the APP account 2 is a sharee), the mobile phone B may encrypt the control instruction through the device authentication code of the IoT device C, so as to improve the security of the control instruction transmission in the process of controlling the IoT device C by the mobile phone B. The specific procedure is as follows in the examples. In the following embodiments, the first APP is taken as "smart space", and the IoT device C is taken as a smart lamp for example.
Fig. 8 is a schematic interface change diagram of an example process of sharing an IoT device by a handset a according to an embodiment of the present disclosure. As shown in fig. 8 (a), the user clicks an icon 81 to open the smart space APP. The mobile phone a responds to the operation of clicking the icon 81 by the user, runs the smart space APP, and displays the home main interface 82 of the smart space APP, as shown in fig. 8 (b). And displays, in the "home" main interface 82, the IoT devices in the environment where the current mobile phone a is located, and the IoT devices bound to APP account 1(130 × 23) where the smart space APP is currently registered. Wherein, the IoT device to which APP account 1 is bound includes a smart lamp 001, such as card 83 in (b) in fig. 8. The user holds the card 83 and a menu of options appears below the card 83 as shown in fig. 8 (c). Included in the options menu is a "shared devices" option 84. The user clicks on the "shared devices" option 84 and enters the interface shown in (d) of fig. 8. The interface includes a plurality of member options. When the user clicks the member option 85 corresponding to the APP account 2(Lily), the user enters a sharing confirmation interface, as shown in (e) in fig. 8. Included in this interface are "confirm" and "cancel" options. The user clicks the "confirm" option, and then determines to share the smart lamp 001 with the mobile phone B logged in the APP account 2. After sharing, the mobile phone a may prompt the sharing result, as shown in (f) in fig. 8.
Fig. 9 is a schematic view of an interface for sharing of a mobile phone B according to an embodiment of the present disclosure. As shown in fig. 9, after the smart lamp 001 is shared by the mobile phone a and the mobile phone B, a sharing prompt window may pop up on the interface of the mobile phone B, and the sharing prompt window asks the user whether to accept sharing, as shown by 91 in fig. 9. After the user clicks "yes", smart space APP of mobile phone A begins to share smart lamp 001 to smart space APP of mobile phone B. The specific implementation process of sharing is shown in the following embodiments.
Exemplarily, fig. 10 is a schematic flowchart of another key agreement method provided in the embodiment of the present application. As shown in fig. 10, the present embodiment mainly relates to a process in which a mobile phone a shares an IoT device C (such as a smart lamp 001) with a mobile phone B, and the mobile phone B controls the IoT device C, where the process includes a device sharing stage, a key agreement stage, and a device control stage. The following describes the process of each stage with reference to fig. 10:
1. device sharing phase
For example, fig. 11 is a schematic data flow diagram of an example of a device sharing phase according to an embodiment of the present disclosure. Referring to fig. 10 and fig. 11, in the present embodiment, the device sharing stage includes:
s1001, the mobile phone a applies for sharing the IoT device C with the mobile phone B from the cloud server through the first APP.
Optionally, the first APP of the mobile phone a may send a sharing application message to the cloud server, where the sharing application message is used to request the cloud server to share the IoT device C with the mobile phone B. Optionally, the sharing application message may carry information of the sharer, information of the sharee, information of the device to be shared, and the like. That is, the sharing application message carries information of the APP account (i.e., APP account 1) registered in the first APP of the mobile phone a, information of the device account of the IoT device C, information of the APP account (i.e., APP account 2) registered in the first APP of the mobile phone B, and the like.
S1002, the cloud server responds to the application of the first APP of the mobile phone A, and performs authority verification of a sharing person, namely, authority verification is performed on an APP account (namely, APP account 1) logged in by the first APP of the mobile phone A.
It can be understood that only APP accounts binding an IoT device may be a sharer of the IoT device, possessing sharing rights to the IoT device. In other words, the IoT device that a certain APP account requests to share must be the IoT device that is bound to the APP account.
Optionally, the cloud server may query, according to APP account 1 carried in the sharing application message, whether IoT devices bound to APP account 1 include IoT device C, thereby determining whether the IoT device requested to be shared by APP account 1 is an IoT device bound to APP account 1, and determining whether APP account 1 has a sharing right for IoT device C. If yes, the authority check is passed, otherwise, the authority check is not passed.
Optionally, the cloud server may also query whether the APP account bound to the IoT device C is APP account 1 according to the device account of the IoT device C carried in the sharing application message, so as to determine whether the APP account 1 has the sharing right for the IoT device C. If yes, the authority check is passed, otherwise, the authority check is not passed.
If the authority passes the authority check, step S1003 is executed.
S1003, the cloud server hangs down the device information and the device authentication code of the IoT device C to an APP account (namely, APP account 2) of the first APP login of the mobile phone B.
Specifically, the cloud server associates information such as a device account, a login password, and a device authentication code of the IoT device C with the APP account 2, so that the mobile phone B logged in with the APP account 2 also has a control right for the IoT device.
S1004, the cloud server pushes the IoT device C to the first APP of the cell phone B.
Specifically, the cloud server sends information such as a device account of the IoT device C to the first APP of the mobile phone B. The first APP of the mobile phone B may refresh the "home" main interface according to the information of the device account of the IoT device C, so that the "home" main interface of the first APP of the mobile phone B displays the card of the IoT device C, and thus, the user can perform the control operation on the IoT device C.
2. Key agreement phase
Fig. 12 is a schematic diagram illustrating a data flow of an example key agreement phase according to an embodiment of the present application. Referring to fig. 10 and 12, in this embodiment, the key agreement phase includes:
s1005, the mobile phone B requests the cloud server for the device authentication code of the IoT device C through the first APP.
Optionally, the first APP of the mobile phone B may send a second authentication code request message to the cloud server, where the second authentication code request message is used to request the cloud server to send the device authentication code of the IoT device C to the first APP of the mobile phone B. Optionally, the second authentication code request message may carry the APP account 2 and the device account of the IoT device C.
S1006, the cloud server sends the device authentication code of the IoT device C to the first APP of the mobile phone B in response to the request of the first APP of the mobile phone B.
Specifically, the cloud server may search all the device accounts associated with the APP account 2 according to the information of the APP account 2 and the device account of the IoT device C carried in the second authentication code request message, search the device account of the IoT device C from the device accounts, search the device authentication code of the IoT device C from the information associated with the device account of the IoT device C, and send the device authentication code to the first APP of the mobile phone B. Of course, the cloud server may also search for the device authentication code of the IoT device C through other methods, which is not limited in this embodiment of the present invention.
S1007, the first APP of the mobile phone B and the IoT device C perform key agreement based on the device authentication code of the IoT device C to generate a second session key.
In this step, the specific key agreement process is the same as the process of step S412, and is not described herein again.
It should be noted that the second session key generated by negotiation between the first APP of the handset B and the IoT device C is only known to each other, and other devices cannot know the second session key.
Meanwhile, it can be understood that, under the condition that the equipment authentication code exceeds the validity period and the IoT equipment C regenerates the equipment authentication code, the cloud server also sends the authentication code update message to the first APP of the mobile phone B to notify the mobile phone B to update the equipment authentication code, so that the security of the equipment authentication code can be improved, the risk that the equipment authentication code is stolen is reduced, the security of a second session key obtained by the mobile phone B and the IoT equipment C through negotiation according to the equipment authentication code is higher, the security of transmission of a control instruction between the mobile phone B and the IoT equipment C is further improved, and the user experience is improved.
3. Stage of equipment control
Fig. 13 is a schematic diagram illustrating a data flow in an apparatus control phase according to an embodiment of the present application. Referring to fig. 10 and 13, in the present embodiment, the apparatus control stage includes:
and S1008, when the mobile phone B needs to send the second plaintext control instruction to the IoT device C, the first APP of the mobile phone B encrypts the second plaintext control instruction according to the second session key generated in the step S1007 to obtain a second ciphertext control instruction.
And S1009, the first APP of the mobile phone B sends the second ciphertext control instruction to the cloud server.
S1010, the cloud service forwards the second ciphertext control instruction to the IoT device C.
S1011, after the IoT device C receives the second ciphertext control instruction, the IoT device C decrypts the second ciphertext control instruction according to the second session key generated in step S1006 to obtain a second plaintext control instruction.
S1012, IoT device C executes the second plaintext control instruction.
In particular, the first APP of the handset B may include an encryption module B and the IoT device C may include a decryption module. And the encryption module B encrypts the second plaintext control instruction according to the second session key to obtain a second ciphertext control instruction. The encryption module B sends the second ciphertext control instruction to the cloud server, and the cloud server forwards the second ciphertext control instruction to the decryption module of the IoT device C. The decryption module decrypts the second ciphertext control instruction to obtain a second plaintext control instruction, and executes the second plaintext control instruction.
In this embodiment, in the device sharing scenario, when the control instruction is transmitted, the first APP of the mobile phone B and the IoT device C perform key agreement based on the device authentication code of the IoT device C to generate the second session key that can only be known to each other, so that end-to-end encryption of the mobile phone B and the IoT device C is implemented, a third party cannot resolve the second ciphertext control instruction, and security of transmission of the control instruction in a process in which the mobile phone B controls the IoT device C in the device sharing scenario is improved, thereby improving user experience. On the other hand, in this embodiment, in the device sharing phase, the device authentication code of the IoT device C is hung under the APP account 2 logged in by the first APP of the mobile phone B through the cloud server, that is, the device authentication code is shared, so that when the mobile phone B needs to send a control instruction to the IoT device C, the first APP of the mobile phone B can obtain the device authentication code of the IoT device C from the cloud server. Meanwhile, the IoT device C stores the device authentication code, so that the handset B and the IoT device C can have the same device authentication code for performing key agreement. In the process, the processes of obtaining the equipment authentication code by the first APP of the mobile phone B and obtaining the equipment authentication code by the IoT equipment C do not need user participation, so that the non-perception encryption of the user is realized, and the user experience is further improved. In addition, in the embodiment, in the device sharing stage, the mobile phone a applies for device sharing to the cloud server through the first APP, and the cloud server directly hangs the device information and the device authentication code of the IoT device C under the APP account logged in by the first APP of the mobile phone B after verifying the rights of the sharing person. The whole sharing process only needs interaction between equipment logged in by a sharer and the cloud server, the sharee and the equipment to be shared do not need to be on line, the sharing process is simple and quick, and quick sharing of IoT equipment can be achieved.
Fig. 14 is a flowchart illustrating a key agreement method according to another embodiment of the present application. The present embodiment is described by taking the method applied to the IoT system in fig. 2 as an example. As shown in fig. 14, the method includes:
s1401, the IoT device generates a device authentication code (hereinafter, referred to as a device authentication code) of the IoT device in the device registration process.
Specifically, referring to the embodiment shown in fig. 4, the IoT device receives registration information (hereinafter, referred to as registration information) of the IoT device sent by the first control terminal, and generates a device authentication code. The IoT device sends the registration information and the device authentication code to the server.
S1402, the server stores the equipment authentication code.
Specifically, referring to the embodiment shown in fig. 4, the service performs device registration on the IoT device according to the registration information, and stores the device authentication code.
S1403, the first control terminal requests the server for the device authentication code.
And S1404, the first control terminal and the IoT equipment perform key agreement according to the equipment authentication code to generate a first session key.
S1405, the first control terminal and the IoT device encrypt and decrypt the transmitted data according to the first session key.
S1406, the first control terminal applies to the server for sharing the IoT device with the second control terminal.
S1407, the server associates the device information and the device authentication code of the IoT device with the information of the second control terminal in response to the application of the first control terminal.
Specifically, referring to the embodiment shown in fig. 10, the server hangs down the device information and the device authentication code of the IoT device to the account (i.e., APP account 2) of the first APP login of the first control terminal.
S1408, the second control terminal requests the IoT device for the device authentication code.
And S1409, the second control terminal and the IoT device perform key agreement according to the device authentication code to generate a second session key.
And S1410, the second control terminal and the IoT device encrypt and decrypt the transmitted data according to the second session key.
For a specific process of the key agreement method provided in this embodiment, reference is made to the embodiments shown in fig. 4 and fig. 10, which are not described herein again.
In this embodiment, the first control terminal requests the server for the device authentication code of the IoT device, and the device authentication code is generated by the IoT device, and the IoT device also holds the device authentication code, so that the first control terminal can perform key negotiation with the device authentication code of the IoT device, generate the first session key that can only be known to each other, and implement end-to-end encryption between the first control terminal and the IoT device, so that a third party cannot parse data (for example, a control instruction) transmitted between the first control terminal and the IoT device, thereby improving security of data transmission between the first control terminal and the IoT device, and improving user experience. On the other hand, in the implementation mode, the IoT device generates the device authentication code, sends the device authentication code to the server, and the server stores the device authentication code. When the first control terminal needs to transmit data with the IoT equipment, the first control terminal acquires the equipment authentication code from the server. Meanwhile, the IoT device is generated by the IoT device, which also holds the device authentication code. In the process, the first control terminal and the IoT equipment do not need to participate in the process of acquiring the equipment authentication code, so that the user can realize non-perception encryption, and the user experience is further improved. Moreover, in this embodiment, the IoT device is applied to the server by the first control terminal to share the IoT device to the second control terminal, the server shares the device information of the IoT device to the second control terminal and shares the device authentication code to the second control terminal, so that the second control terminal and the IoT device can perform key agreement based on the device authentication code, and generate a second session key that can only be known to each other, thereby implementing end-to-end encryption of the second control terminal and the IoT device, so that a third party cannot parse data transmitted between the second control terminal and the IoT device, improving security of direct data transmission between the second control terminal and the IoT device in a device sharing scenario, and improving user experience.
The key agreement method provided in the embodiments of the present application is described above in detail. It will be appreciated that the electronic device, in order to implement the above-described functions, comprises corresponding hardware and/or software modules for performing the respective functions. Those of skill in the art will readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, with the embodiment described in connection with the particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, the electronic device may be divided into the functional modules according to the method example, for example, the functional modules may be divided into the functional modules corresponding to the functions, such as the detection unit, the processing unit, the display unit, and the like, or two or more functions may be integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
Referring to fig. 15, an embodiment of the present application provides a key agreement apparatus, which may be included in a first electronic device, where the first electronic device is applied in a system including a server and an IoT device. The first electronic device may be, for example, the first control terminal in the above-described embodiment. The key agreement device is used for executing the steps of the first control terminal in the above embodiment. As shown in fig. 15, the key agreement apparatus may include:
a first sending module 1501, configured to send a first authentication code request message to a server; the first authentication code request message is used for requesting to provide the equipment authentication code of the IoT equipment to the first electronic equipment; the equipment authentication code is generated for the IoT equipment and is sent to the server;
a first receiving module 1502, configured to receive a device authentication code sent by a server;
a first negotiation module 1503, configured to perform key negotiation with the IoT device according to the device authentication code, and generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
In one embodiment, the first negotiation module 1503 is specifically configured to perform key negotiation with the IoT device based on a password authenticated key exchange protocol according to the device authentication code to generate the first session key.
In one embodiment, the IoT device is bound to the first electronic device, the system further comprises a second electronic device, the key agreement apparatus further comprises: the first sharing module 1504 is configured to send a sharing application message to the server, where the sharing application message is used to request that the control authority of the IoT device is shared to the second electronic device, and the sharing application message includes device information and a device authentication code of the IoT device; the device authentication code is also used for the second electronic device to perform key agreement with the IoT device to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
In one embodiment, the key agreement apparatus further comprises: a first updating module 1505, configured to receive an authentication code updating message sent by a server; the authentication code updating message is used for indicating to update the equipment authentication code, and the authentication code updating message comprises the equipment authentication code which is regenerated under the condition that the equipment authentication code exceeds a first preset validity period; and updating the equipment authentication code according to the authentication code updating message.
In one embodiment, the first updating module 1505 is further configured to re-perform key agreement with the IoT device according to the device authentication code to generate a new first session key if the first session key exceeds the second preset validity period.
The key agreement device provided in this embodiment is configured to execute the method corresponding to the first control terminal, so that the beneficial effects that can be achieved by the key agreement device refer to the beneficial effects in the method corresponding to the first control terminal provided above, and are not described herein again.
Referring to fig. 16, an embodiment of the present application provides a key agreement apparatus, which may be included in a server, where the server is applied in a system including a first electronic device and an IoT device. The first electronic device may be the first control terminal in the above-described embodiment. The key agreement device is used for executing the steps of the server in the above embodiment. As shown in fig. 16, the key agreement apparatus may include:
a second receiving module 1601, configured to receive and store a device authentication code of the IoT device sent by the IoT device; the first electronic equipment is used for receiving a first authentication code request message sent by the first electronic equipment; the first authentication code request message is used for requesting to send an equipment authentication code to the first electronic equipment; the device authentication code is generated for the IoT device;
a second sending module 1602, configured to send the device authentication code to the first electronic device in response to the first authentication code request message; the device authentication code is used for the first electronic device to perform key agreement with the IoT device to generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
In one embodiment, the IoT device is bound to a first electronic device, the system further includes a second electronic device, the second receiving module 1601 is further to: receiving a sharing application message sent by a first electronic device, wherein the sharing application message is used for requesting to share the control authority of the IoT device to a second electronic device and comprises device information and a device authentication code of the IoT device; in response to the sharing application message, associating the device information and the device authentication code with information of the second electronic device, so that the second electronic device has a control right to the IoT device; the device authentication code is also used for the second electronic device to perform key agreement with the IoT device to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
In one embodiment, a first application of the second electronic device is logged with a first account, the first application refers to an application for controlling the IoT device; the key agreement apparatus further includes a second sharing module 1603, configured to suspend the device information and the device authentication code to the first account in response to the sharing application message.
In one embodiment, the second receiving module 1601 is further configured to receive a second authentication code request message sent by the second electronic device; the second authentication code request message is used for requesting to provide the equipment authentication code for the second electronic equipment; the second sending module 1602 is further configured to send the device authentication code to the second electronic device in response to the second authentication code request message.
In one embodiment, the key agreement apparatus further comprises: a second update module 1604, configured to receive an authentication code update message sent by an IoT device; the authentication code updating message is used for indicating to update the equipment authentication code, and the authentication code updating message comprises the equipment authentication code which is regenerated under the condition that the equipment authentication code exceeds a first preset validity period; updating the equipment authentication code according to the authentication code updating message; and sending the authentication code updating message to the first electronic equipment.
In one embodiment, the system further includes a second electronic device having control authority over the IoT device, and the second sending module 1602 is further configured to send the authentication code update message to the second electronic device.
The key agreement device provided in this embodiment is configured to execute the method corresponding to the server, so that the beneficial effects that can be achieved by the key agreement device refer to the beneficial effects in the method corresponding to the server provided above, and are not described herein again.
Referring to fig. 17, an embodiment of the present application provides a key agreement apparatus, which may be included in an IoT device, where the IoT device is applied in a system including a first electronic device and a server. The first electronic device may be the first control terminal in the above embodiment. The key agreement apparatus is used to execute the steps of the IoT device in the above embodiment. As shown in fig. 17, the key agreement apparatus may include:
a third generation module 1701 for generating a device authentication code;
a third sending module 1702, configured to send the device authentication code to the server;
a third negotiation module 1703, configured to perform key negotiation with the first electronic device according to the device authentication code, to generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
In one embodiment, the third generation module 1701 is specifically configured to: and generating a device authentication code when the registration information of the IoT device sent by the first electronic device is received.
In an embodiment, the third negotiation module 1703 is specifically configured to: and carrying out key agreement with the first electronic equipment based on a password authentication key exchange protocol according to the equipment authentication code to generate a first session key.
In one embodiment, the key agreement apparatus further comprises: a third updating module 1704, configured to regenerate the device authentication code when the device authentication code exceeds the first preset validity period; and sending an authentication code updating message to the server, wherein the authentication code updating message is used for indicating to update the equipment authentication code, and the authentication code updating message comprises the regenerated equipment authentication code.
In one embodiment, the third updating module 1704 is further configured to perform key agreement with the first electronic device again according to the device authentication code to generate a new first session key if the first session key exceeds the second preset validity period.
In one embodiment, the system further includes a second electronic device, where the second electronic device has a control right for the IoT device, and the third negotiation module 1703 is further configured to perform key negotiation with the second electronic device according to the device authentication code, and generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
The key agreement device provided in this embodiment is configured to execute the method corresponding to the IoT device described above, and therefore, the beneficial effects that can be achieved by the key agreement device refer to the beneficial effects in the method corresponding to the IoT device provided above, which are not described herein again.
An embodiment of the present application further provides an IoT system, including: the system comprises a first electronic device, a server and an IoT device. The first electronic device is configured to execute the method corresponding to the first control terminal in the above embodiment, the server is configured to execute the method corresponding to the server in the above embodiment, and the IoT device is configured to execute the method corresponding to the IoT device in the above embodiment. The beneficial effects of the IoT system are not described in detail herein.
The embodiment also provides an electronic device, configured to execute the key agreement method. The electronic device may be the first electronic device, the server, or the IoT device described above. The first electronic device is configured to execute the method corresponding to the first control terminal in the above embodiment, the server is configured to execute the method corresponding to the server in the above embodiment, and the IoT device is configured to execute the method corresponding to the IoT device in the above embodiment.
In case of an integrated unit, the electronic device may further comprise a processing module, a storage module and a communication module. The processing module can be used for controlling and managing the action of the electronic equipment. The memory module may be used to support the electronic device in executing stored program codes and data, etc. The communication module can be used for supporting the communication between the electronic equipment and other equipment.
The processing module may be a processor or a controller. Which may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. A processor may also be a combination of computing functions, e.g., a combination of one or more microprocessors, a Digital Signal Processing (DSP) and a microprocessor, or the like. The storage module may be a memory. The communication module may specifically be a radio frequency circuit, a bluetooth chip, a Wi-Fi chip, or other devices that interact with other electronic devices.
In an embodiment, when the processing module is a processor and the storage module is a memory, the electronic device according to this embodiment may be a device having a structure shown in fig. 3.
An embodiment of the present application further provides a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the processor is enabled to execute the key agreement method of any one of the above embodiments.
The embodiments of the present application further provide a computer program product, which when run on a computer, causes the computer to execute the relevant steps described above, so as to implement the key agreement method in the embodiments described above.
In addition, embodiments of the present application also provide an apparatus, which may be specifically a chip, a component or a module, and may include a processor and a memory connected to each other; the memory is used for storing computer execution instructions, and when the device runs, the processor can execute the computer execution instructions stored in the memory, so that the chip can execute the key agreement method in the above-mentioned method embodiments.
The electronic device, the computer-readable storage medium, the computer program product, or the chip provided in this embodiment are all configured to execute the corresponding method provided above, so that the beneficial effects achieved by the electronic device, the computer-readable storage medium, the computer program product, or the chip may refer to the beneficial effects in the corresponding method provided above, and are not described herein again.
Through the description of the foregoing embodiments, those skilled in the art will understand that, for convenience and simplicity of description, only the division of the functional modules is used for illustration, and in practical applications, the above function distribution may be completed by different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules, so as to complete all or part of the functions described above.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, a module or a unit may be divided into only one logic function, and may be implemented in other ways, for example, a plurality of units or components may be combined or integrated into another apparatus, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed to a plurality of different places. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application, or portions of the technical solutions that substantially contribute to the prior art, or all or portions of the technical solutions may be embodied in the form of a software product, where the software product is stored in a storage medium and includes several instructions to enable a device (which may be a single chip, a chip, or the like) or a processor (processor) to execute all or part of the steps of the methods of the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (21)

1. A key agreement method, performed by a first electronic device applied to a system including a server and an IoT device, the first electronic device having control authority over the IoT device, the method comprising:
sending a first authentication code request message to the server; the first authentication code request message is for requesting provision of a device authentication code of the IoT device to the first electronic device; the device authentication code is generated for the IoT device and is sent to the server;
receiving the equipment authentication code sent by the server;
performing key agreement with the IoT equipment according to the equipment authentication code to generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
2. The method of claim 1, wherein the performing key agreement with the IoT device according to the device authentication code to generate a first session key comprises:
and performing key agreement with the IoT equipment based on a password authentication key exchange protocol according to the equipment authentication code to generate the first session key.
3. The method of claim 1 or 2, wherein the IoT device is bound to the first electronic device, wherein the system further comprises a second electronic device, and wherein the method further comprises:
sending a sharing application message to the server, wherein the sharing application message is used for requesting to share the control authority of the IoT equipment to the second electronic equipment, and the sharing application message comprises the equipment information of the IoT equipment and the equipment authentication code; the device authentication code is also used for the second electronic device to perform key agreement with the IoT device to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
4. The method according to any one of claims 1 to 3, further comprising:
receiving an authentication code updating message sent by the server; the authentication code update message is used for indicating to update the equipment authentication code, and the authentication code update message comprises the equipment authentication code which is regenerated when the equipment authentication code exceeds a first preset validity period;
and updating the equipment authentication code according to the authentication code updating message.
5. The method according to any one of claims 1 to 4, further comprising:
and under the condition that the first session key exceeds a second preset validity period, carrying out key agreement again with the IoT equipment according to the equipment authentication code to generate a new first session key.
6. A key agreement method, executed by a server applied to a system including a first electronic device and an IoT device, the first electronic device having control authority over the IoT device, the method comprising:
receiving and saving a device authentication code of the IoT device sent by the IoT device; the device authentication code is generated for the IoT device;
receiving a first authentication code request message sent by the first electronic equipment; the first authentication code request message is used for requesting to send the equipment authentication code to the first electronic equipment;
sending the device authentication code to the first electronic device in response to the first authentication code request message; the device authentication code is used for the first electronic device to perform key agreement with the IoT device to generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
7. The method of claim 6, wherein the IoT device is bound to the first electronic device, wherein the system further comprises a second electronic device, and wherein the method further comprises:
receiving a sharing application message sent by the first electronic device, wherein the sharing application message is used for requesting to share the control authority of the IoT device to the second electronic device, and the sharing application message comprises the device information of the IoT device and the device authentication code;
in response to the sharing application message, associating the device information and the device authentication code with information of the second electronic device, so that the second electronic device has control authority over the IoT device; the device authentication code is also used for the second electronic device to perform key agreement with the IoT device to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
8. The method of claim 7, wherein a first application of the second electronic device is logged with a first account, and wherein the first application is an application for controlling the IoT device; the associating the device information and the device authentication code with the information of the second electronic device in response to the sharing application message includes:
and responding to the sharing application message, and hanging the equipment information and the equipment authentication code under the first account.
9. The method according to claim 7 or 8, characterized in that the method further comprises:
receiving a second authentication code request message sent by the second electronic equipment; the second authentication code request message is for requesting to provide the device authentication code to the second electronic device;
and responding to the second authentication code request message, and sending the equipment authentication code to the second electronic equipment.
10. The method according to any one of claims 6 to 9, further comprising:
receiving an authentication code update message sent by the IoT device; the authentication code update message is used for indicating to update the equipment authentication code, and the authentication code update message comprises the equipment authentication code which is regenerated under the condition that the equipment authentication code exceeds a first preset validity period;
updating the equipment authentication code according to the authentication code updating message;
and sending the authentication code updating message to the first electronic equipment.
11. The method of claim 10, wherein the system further comprises a second electronic device having control rights over the IoT device, the method further comprising:
and sending the authentication code updating message to the second electronic equipment.
12. A key agreement method performed by an IoT device applied to a system including a first electronic device and a server, the first electronic device having control authority over the IoT device, the method comprising:
generating an equipment authentication code;
sending the device authentication code to the server;
according to the equipment authentication code, carrying out key agreement with the first electronic equipment to generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
13. The method of claim 12, wherein generating the device authentication code comprises:
generating the device authentication code upon receiving registration information of the IoT device sent by the first electronic device.
14. The method according to claim 12 or 13, wherein said performing a key agreement with the first electronic device according to the device authentication code to generate a first session key comprises:
and according to the equipment authentication code, carrying out key agreement with the first electronic equipment based on a password authentication key exchange protocol to generate the first session key.
15. The method according to any one of claims 12 to 14, further comprising:
regenerating the equipment authentication code under the condition that the equipment authentication code exceeds a first preset validity period;
and sending an authentication code update message to the server, wherein the authentication code update message is used for indicating to update the equipment authentication code, and the authentication code update message comprises the regenerated equipment authentication code.
16. The method according to any one of claims 12 to 15, further comprising:
and under the condition that the first session key exceeds a second preset validity period, carrying out key agreement with the first electronic equipment again according to the equipment authentication code to generate a new first session key.
17. The method of any of claims 12-16, wherein the system further comprises a second electronic device having control authority over the IoT device, the method further comprising:
performing key agreement with the second electronic device according to the device authentication code to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
18. An IoT system, comprising: a first electronic device, a server and an IoT device, wherein the first electronic device is configured to perform the method of any of claims 1-5, the server is configured to perform the method of any of claims 6-11, and the IoT device is configured to perform the method of any of claims 12-17.
19. An electronic device, comprising: a processor, a memory, and an interface;
the processor, the memory and the interface cooperate such that the electronic device performs the method of any one of claims 1 to 5, or such that the electronic device performs the method of any one of claims 6 to 11, or such that the electronic device performs the method of any one of claims 12 to 17.
20. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, causes the processor to carry out the method of any one of claims 1 to 5, or causes the processor to carry out the method of any one of claims 6 to 11, or causes the processor to carry out the method of any one of claims 12 to 17.
21. A computer program product, the computer program product comprising: computer program code which, when run on an electronic device, causes the electronic device to perform the method of any of claims 1 to 5, or causes the electronic device to perform the method of any of claims 6 to 11, or causes the electronic device to perform the method of any of claims 12 to 17.
CN202111538419.9A 2021-12-15 2021-12-15 Key agreement method, system, electronic device and computer readable storage medium Active CN115001667B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111538419.9A CN115001667B (en) 2021-12-15 2021-12-15 Key agreement method, system, electronic device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111538419.9A CN115001667B (en) 2021-12-15 2021-12-15 Key agreement method, system, electronic device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN115001667A true CN115001667A (en) 2022-09-02
CN115001667B CN115001667B (en) 2023-05-26

Family

ID=83018863

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111538419.9A Active CN115001667B (en) 2021-12-15 2021-12-15 Key agreement method, system, electronic device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN115001667B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101123501A (en) * 2006-08-08 2008-02-13 西安电子科技大学 A WAPI authentication and secret key negotiation method and system
CN101340443A (en) * 2008-08-28 2009-01-07 中国电信股份有限公司 Session key negotiating method, system and server in communication network
CN106656984A (en) * 2016-10-31 2017-05-10 美的智慧家居科技有限公司 Safe control method and system of equipment in local area network and apparatus
CN108632393A (en) * 2018-07-30 2018-10-09 郑州信大捷安信息技术股份有限公司 Safe communication system and method
CN110933672A (en) * 2019-11-29 2020-03-27 华为技术有限公司 Key negotiation method and electronic equipment

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101123501A (en) * 2006-08-08 2008-02-13 西安电子科技大学 A WAPI authentication and secret key negotiation method and system
CN101340443A (en) * 2008-08-28 2009-01-07 中国电信股份有限公司 Session key negotiating method, system and server in communication network
CN106656984A (en) * 2016-10-31 2017-05-10 美的智慧家居科技有限公司 Safe control method and system of equipment in local area network and apparatus
CN108632393A (en) * 2018-07-30 2018-10-09 郑州信大捷安信息技术股份有限公司 Safe communication system and method
CN110933672A (en) * 2019-11-29 2020-03-27 华为技术有限公司 Key negotiation method and electronic equipment

Also Published As

Publication number Publication date
CN115001667B (en) 2023-05-26

Similar Documents

Publication Publication Date Title
CN111466099B (en) Login method, token sending method, device and storage medium
CN112987581B (en) Control method for intelligent household equipment, medium and terminal thereof
WO2021147745A1 (en) Bluetooth connection method, system, and electronic device
US8977856B2 (en) Methods and apparatus for use in sharing credentials amongst a plurality of mobile communication devices
EP3069255B1 (en) Method and apparatus for connecting communication of electronic devices
CN111373713B (en) Message transmission method and device
CN115174043B (en) Method for sharing equipment and electronic equipment
WO2021093855A1 (en) Mobile device management method and device
CN114844657B (en) Website login method, communication system and electronic equipment
WO2022143031A1 (en) Identity authentication method, electronic device, and computer readable storage medium
JP2009075688A (en) Program and method for managing information related with location of mobile device and cryptographic key for file
CN116056184B (en) Network access method, system, electronic equipment and storage medium
KR20180012658A (en) Apparatus and method for providing v2x service based on proximity-based service direct communication
CN115001667B (en) Key agreement method, system, electronic device and computer readable storage medium
CN114205822B (en) IoT device and authorization method thereof
CN116340913A (en) Login method, electronic equipment and computer readable storage medium
WO2023169545A1 (en) Offline device control method and related apparatus
US20230101005A1 (en) Quick response codes for data transfer
CN116743357B (en) Key storage method and device
CN118114284A (en) Access control method, system, transmitting terminal equipment and receiving terminal equipment
CN116782186A (en) Offline equipment control method and related device
EP2704390B1 (en) Methods and apparatus for use in sharing credentials amongst a plurality of mobile communication devices
CN117641307A (en) Method for searching terminal, terminal and system
CN114844974A (en) Method for sharing address book, mobile device, electronic device and communication system
CN117332398A (en) Method, device and system for issuing device certificate

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant