CN115001667B - Key agreement method, system, electronic device and computer readable storage medium - Google Patents

Key agreement method, system, electronic device and computer readable storage medium Download PDF

Info

Publication number
CN115001667B
CN115001667B CN202111538419.9A CN202111538419A CN115001667B CN 115001667 B CN115001667 B CN 115001667B CN 202111538419 A CN202111538419 A CN 202111538419A CN 115001667 B CN115001667 B CN 115001667B
Authority
CN
China
Prior art keywords
authentication code
electronic device
iot device
iot
equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111538419.9A
Other languages
Chinese (zh)
Other versions
CN115001667A (en
Inventor
李龙
梁冲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Honor Device Co Ltd
Original Assignee
Honor Device Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Honor Device Co Ltd filed Critical Honor Device Co Ltd
Priority to CN202111538419.9A priority Critical patent/CN115001667B/en
Publication of CN115001667A publication Critical patent/CN115001667A/en
Application granted granted Critical
Publication of CN115001667B publication Critical patent/CN115001667B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords

Abstract

The embodiment of the application relates to the field of Internet of things and provides a key negotiation method, a system, electronic equipment and a computer readable storage medium. The key agreement method is performed by a first electronic device, the first electronic device being applied to a system comprising a server and an IoT device, the first electronic device having control rights to the IoT device. The method comprises the following steps: sending a first authentication code request message to a server; the first authentication code request message is to request provision of a device authentication code of the IoT device to the first electronic device; the device authentication code is generated for the IoT device and sent to the server; receiving an equipment authentication code sent by a server; performing key negotiation with the IoT device according to the device authentication code to generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device. The method provided by the embodiment of the application can improve the security of data transmission between the first electronic device and the IoT device.

Description

Key agreement method, system, electronic device and computer readable storage medium
Technical Field
The present application relates to the field of internet of things, and in particular, to a key negotiation method, a system, an electronic device, and a computer readable storage medium.
Background
With the rapid development of internet of things (internet of things, ioT) technology, ioT devices are becoming increasingly popular for use in people's lives. Generally, ioT devices are controlled by a control terminal. Specifically, the control terminal may communicate with the IoT device through the cloud server, the control terminal sends a control instruction to the cloud server, the cloud server forwards the control instruction to the IoT device, and the IoT device receives and executes the control instruction.
In order to ensure the safety of communication, encryption is needed in the transmission process of the control instruction. In the related art, the encryption and transmission process of the control instruction is as follows: the control terminal encrypts the plaintext control instruction based on an encryption protocol A between the control terminal and the cloud server to generate a ciphertext control instruction a. And the control terminal uploads the ciphertext control instruction a to the cloud server. And the cloud server decrypts the ciphertext control instruction a based on the encryption protocol A to generate a plaintext control instruction. Then, the cloud service encrypts the plaintext control instruction based on the encryption protocol B with the IoT device to generate the ciphertext control instruction B. And the cloud server sends the ciphertext control instruction B to the IoT device, and the IoT device decrypts the ciphertext control instruction B based on the encryption protocol B to obtain a plaintext control instruction.
However, the above-described transmission process of the control instruction has a problem of poor security.
Disclosure of Invention
The application provides a key agreement method, a system, an electronic device and a computer readable storage medium, which can improve the security of a data transmission process between the electronic device and an IoT device.
In a first aspect, the present application provides a key agreement method performed by a first electronic device, the first electronic device being applied to a system comprising a server and an IoT device, the first electronic device having control rights to the IoT device, the method comprising:
sending a first authentication code request message to a server; the first authentication code request message is to request provision of a device authentication code of the IoT device to the first electronic device; the device authentication code is generated for the IoT device and sent to the server; receiving an equipment authentication code sent by a server; performing key negotiation with the IoT device according to the device authentication code to generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
Optionally, in a possible implementation manner, the first electronic device may be an electronic device (such as a first control terminal in a specific embodiment) that the sharing person logs in. The first electronic device may be installed with a first Application (APP). A second account (corresponding to APP account 1 in the specific embodiment) may be logged into the first APP of the first electronic device. The first electronic device may interact with the server and the IoT device through the first APP. Optionally, the first authentication code request message may carry information such as APP account 1 and a device account of the IoT device.
Alternatively, in another possible implementation manner, the first electronic device may also be an electronic device (such as a second control terminal in the specific embodiment) that may also be logged in by the shared person.
The device authentication code is used for key agreement. Optionally, the device authentication code may be generated by the IoT device during the device authentication process.
According to the key negotiation method provided by the first aspect, the first electronic device requests the device authentication code of the IoT device from the server, the device authentication code is generated by the IoT device, and the IoT device also holds the device authentication code, so that the first electronic device can conduct key negotiation with the device authentication code of the IoT device to generate a first session key which can only be known to each other, end-to-end encryption of the first electronic device and the IoT device is achieved, a third party cannot analyze data (e.g., control instructions) transmitted between the first electronic device and the IoT device, safety of data transmission between the first electronic device and the IoT device is improved, and user experience is improved. In another aspect, in this implementation, a device authentication code is generated by an IoT device and sent to a server for storage by the server. When the first electronic device needs to transmit data with the IoT device, the first electronic device obtains the device authentication code from the server. At the same time, the IoT device is generated by the IoT device, which also holds the device authentication code. In the above process, the first electronic device and the IoT device do not need to participate in the process of obtaining the device authentication code, so that the user can realize encryption without perception, and the user experience is further improved.
In one possible implementation, performing key agreement with an IoT device according to a device authentication code to generate a first session key, comprising:
according to the device authentication code, a first session key is generated based on a password authentication key exchange (password-authenticated key exchange, PAKE) protocol for key agreement with the IoT device.
In one possible implementation, the IoT device is bound to a first electronic device, the system further comprising a second electronic device, the method further comprising:
sending a sharing application message to a server, wherein the sharing application message is used for requesting to share the control authority of the IoT device to the second electronic device, and the sharing application message comprises the device information and the device authentication code of the IoT device; the device authentication code is further used for performing key negotiation between the second electronic device and the IoT device to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
The IoT device is bound to the first electronic device, i.e., the IoT device has sharing rights to the first electronic device.
Optionally, the second electronic device may be a second control terminal in a specific embodiment. The second electronic device may be installed with a first APP. A first account (corresponding to APP account 2 in the specific embodiment) may be logged into the first APP of the second electronic device. The second electronic device may interact with the server and the IoT device through the first APP.
Optionally, the sharing application message may carry information about an account (i.e. APP account 1) registered in the first APP of the first electronic device, information about a device account of the IoT device, information about an account (i.e. APP account 2) registered in the first APP of the second electronic device, and so on.
In the implementation manner, the sharing application message is sent to the server, the equipment information of the IoT equipment is shared to the second electronic equipment, and the equipment authentication code is shared to the second electronic equipment, so that the second electronic equipment and the IoT equipment can carry out key negotiation based on the equipment authentication code to generate second session keys which can be obtained only by each other, end-to-end encryption of the second electronic equipment and the IoT equipment is realized, a third party cannot analyze data transmitted between the second electronic equipment and the IoT equipment, the security of direct data transmission of the second electronic equipment and the IoT equipment in the equipment sharing scene is improved, and therefore user experience is improved.
In a possible implementation manner, the method further includes:
receiving an authentication code update message sent by a server; the authentication code update message is used for indicating to update the equipment authentication code, and the equipment authentication code regenerated under the condition that the equipment authentication code exceeds a first preset validity period is included in the authentication code update message; the device authentication code is updated in accordance with the authentication code update message.
Optionally, the IoT device may set a validity period for the device authentication code (e.g., the validity period may be 90 days). When the device authentication code exceeds the expiration date, the IoT device regenerates the device authentication code and will send an authentication code update message to the server. The server updates the saved equipment authentication code according to the authentication code updating message, and sends the authentication code updating message to the first electronic equipment, and the first electronic equipment updates the equipment authentication code according to the authentication code updating message.
In the implementation manner, the security of the device authentication code can be improved through updating the device authentication code, and the risk of stealing the device authentication code is reduced, so that the security of the first session key obtained by negotiation of the first electronic device and the IoT device according to the device authentication code is higher, the security of data transmission between the first electronic device and the IoT device is further improved, and the user experience is improved.
In a possible implementation manner, the method further includes:
and re-performing key negotiation with the IoT device according to the device authentication code to generate a new first session key if the first session key exceeds the second preset validity period.
Alternatively, the first electronic device and IoT device may set a validity period (e.g., may be 7 days) for the first session key. During the validity period, the first electronic device and the IoT device encrypt and decrypt with the first session key. When the first session key exceeds the set validity period, the first electronic device and the IoT device may regenerate the session key based on the device authentication code, thereby further improving security of the first session key, and further improving security of data transmission between the first electronic device and the IoT device.
In a second aspect, the present application provides a key agreement method performed by a server applied to a system including a first electronic device and an IoT device, the first electronic device having control rights to the IoT device, the method comprising:
receiving and storing an equipment authentication code of an internet of things (IoT) device sent by the IoT device; the device authentication code is generated for the IoT device; receiving a first authentication code request message sent by first electronic equipment; the first authentication code request message is used for requesting to send a device authentication code to the first electronic device; transmitting a device authentication code to the first electronic device in response to the first authentication code request message; the device authentication code is used for performing key negotiation between the first electronic device and the IoT device to generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
Advantageous effects of the key agreement method provided in the second aspect are similar to those of the key agreement method provided in the first aspect, and are not described in detail herein.
In one possible implementation, the IoT device is bound to a first electronic device, the system further comprising a second electronic device, the method further comprising:
Receiving a sharing application message sent by a first electronic device, wherein the sharing application message is used for requesting to share control authority of an IoT device to a second electronic device, and the sharing application message comprises device information and a device authentication code of the IoT device; in response to the sharing application message, associating the device information and the device authentication code with information of the second electronic device such that the second electronic device has control authority over the IoT device; the device authentication code is further used for performing key negotiation between the second electronic device and the IoT device to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
In this implementation manner, in the device sharing stage, the server associates the device authentication code of the IoT device with the APP account 2 registered by the first APP of the second electronic device, that is, shares the device authentication code, so that when data needs to be transmitted between the second electronic device and the IoT device, the second electronic device can acquire the device authentication code from the server. At the same time, the device authentication code is generated by the IoT device, which holds the device authentication code. In the above process, the second electronic device and the IoT device do not need to participate in the process of acquiring the device authentication code, so that the user does not have to perceive encryption, and the user experience is further improved. In addition, in the implementation manner, in the device sharing stage, the first electronic device sends a sharing message to the server, and the server responds to the sharing application message to associate the device information and the device authentication code with the information of the second electronic device. The whole sharing process only needs to interact between the equipment (the first electronic equipment) corresponding to the sharing person and the server, the shared person and the equipment to be shared are not required to be on line, the sharing process is simple and quick, and the quick sharing of the IoT equipment can be realized.
In one possible implementation, a first application of the second electronic device logs in with a first account, the first application being an application for controlling the IoT device; in response to the sharing application message, associating the device information and the device authentication code with information of the second electronic device, including:
and responding to the sharing application message, and downloading the device information and the device authentication code to the first account.
In a possible implementation manner, the method further includes:
receiving a second authentication code request message sent by second electronic equipment; the second authentication code request message is used for requesting to provide the second electronic device with the device authentication code; in response to the second authentication code request message, a device authentication code is sent to the second electronic device.
Advantageous effects of the method in this implementation manner refer to the first aspect described above, and are not described here again.
In a possible implementation manner, the method further includes:
receiving an authentication code update message sent by an IoT device; the authentication code update message is used for indicating to update the equipment authentication code, and the equipment authentication code regenerated under the condition that the equipment authentication code exceeds a first preset validity period is included in the authentication code update message; updating the device authentication code according to the authentication code update message; an authentication code update message is sent to the first electronic device.
The beneficial effects of the method in this implementation manner refer to the key negotiation method of the first aspect, which is not described herein.
In a possible implementation, the system further includes a second electronic device having control authority over the IoT device, the method further comprising:
an authentication code update message is sent to the second electronic device.
In the implementation manner, the authentication code update message is sent to the second electronic device, so that the second electronic device can update the device authentication code, the security of the device authentication code in the second electronic device is improved, the risk of the device authentication code being stolen is reduced, the security of the second session key obtained by negotiation of the second electronic device and the IoT device according to the device authentication code is higher, the security of data transmission between the second electronic device and the IoT device is further improved, and the user experience is improved.
In a third aspect, the present application provides a key agreement method performed by an IoT device, the IoT device applied to a system comprising a first electronic device and a server, the first electronic device having control rights to the IoT device, the method comprising:
generating a device authentication code; transmitting the device authentication code to a server; according to the equipment authentication code, carrying out key negotiation with the first electronic equipment to generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
Advantageous effects of the method in this implementation are referred to the key negotiation methods of the first aspect and the second aspect, and are not described here again.
In a possible implementation, generating a device authentication code includes:
upon receiving registration information of an IoT device transmitted by a first electronic device, a device authentication code is generated.
In the implementation manner, the device authentication code is generated under the condition that the registration information of the IoT device sent by the first electronic device is received, namely, the device authentication code is generated in the device authentication stage of the IoT device, so that the IoT device can conveniently send the device authentication code and the device registration information to the server, the server can conveniently correlate and manage the device authentication code and the related information of the IoT device, and the device authentication code generation and management efficiency is improved.
In one possible implementation, performing key agreement with a first electronic device according to a device authentication code to generate a first session key, including:
and according to the equipment authentication code, carrying out key negotiation with the first electronic equipment based on a password authentication key exchange protocol to generate a first session key.
The beneficial effects of the method in this implementation manner refer to the key negotiation method of the first aspect, which is not described herein.
In a possible implementation manner, the method further includes:
regenerating the device authentication code if the device authentication code exceeds a first preset validity period; and sending an authentication code update message to the server, wherein the authentication code update message is used for indicating updating of the equipment authentication code, and the authentication code update message comprises the regenerated equipment authentication code.
Advantageous effects of the method in this implementation are referred to the key negotiation methods of the first aspect and the second aspect, and are not described here again.
In a possible implementation manner, the method further includes:
and under the condition that the first session key exceeds the second preset validity period, re-carrying out key negotiation with the first electronic equipment according to the equipment authentication code to generate a new first session key.
The beneficial effects of the method in this implementation manner refer to the key negotiation method of the first aspect, which is not described herein.
In a possible implementation, the system further includes a second electronic device having control authority over the IoT device, the method further comprising:
according to the equipment authentication code, performing key negotiation with the second electronic equipment to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
Advantageous effects of the method in this implementation are referred to the key negotiation methods of the first aspect and the second aspect, and are not described here again.
In a fourth aspect, the present application provides an apparatus, which is included in a first electronic device, and which has a function of implementing the electronic device behavior in the first aspect and possible implementations of the first aspect. The functions may be realized by hardware, or may be realized by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the functions described above. Such as a receiving module or unit, a processing module or unit, etc.
In a fifth aspect, the present application provides an apparatus, which is included in a server, and which has a function of implementing the electronic device behavior in the second aspect and possible implementations of the second aspect. The functions may be realized by hardware, or may be realized by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the functions described above. Such as a receiving module or unit, a processing module or unit, etc.
In a sixth aspect, the present application provides an apparatus, included in an IoT device, having functionality to implement the above third aspect and possible implementations of the above third aspect, the electronic device behavior. The functions may be realized by hardware, or may be realized by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the functions described above. Such as a receiving module or unit, a processing module or unit, etc.
In a seventh aspect, the present application provides an IoT system comprising: the IoT device comprises a first electronic device, a server and an IoT device, wherein the first electronic device is used for executing any one of the methods in the technical solutions of the first aspect, the server is used for executing any one of the methods in the technical solutions of the second aspect, and the IoT device is used for executing any one of the methods in the technical solutions of the third aspect.
In an eighth aspect, the present application provides an electronic device, including: a processor, a memory, and an interface; the processor, the memory and the interface cooperate with each other to enable the electronic device to execute any one of the methods in the technical solutions of the first aspect, or enable the electronic device to execute any one of the methods in the technical solutions of the second aspect, or enable the electronic device to execute any one of the methods in the technical solutions of the third aspect.
In a ninth aspect, the present application provides a chip comprising a processor. The processor is configured to read and execute a computer program stored in the memory to perform the method of the first aspect and any of its possible implementations, or to perform the method of the second aspect and any of its possible implementations, or to perform the method of the third aspect and any of its possible implementations.
Optionally, the chip further comprises a memory, and the memory is connected with the processor through a circuit or a wire.
Further optionally, the chip further comprises a communication interface.
In a tenth aspect, the present application provides a computer readable storage medium, in which a computer program is stored, which when executed by a processor causes the processor to perform any one of the methods of the first aspect, or to perform the method of the second aspect and any possible implementation thereof, or to perform the method of the third aspect and any possible implementation thereof.
In an eleventh aspect, the present application provides a computer program product comprising: computer program code which, when run on an electronic device, causes the electronic device to perform any one of the methods of the technical solutions of the first aspect, or to perform the method of the second aspect and any possible implementation thereof, or to perform the method of the third aspect and any possible implementation thereof.
Advantageous effects of the fourth to eleventh aspects are described with reference to advantageous effects of the key agreement methods of the first, second and third aspects, and are not described in detail herein.
Drawings
Fig. 1 is a schematic diagram of encryption principle in a process of a control terminal sending a control instruction to an IoT device in the related art;
fig. 2 is a schematic structural diagram of an IoT system to which the key negotiation method according to the embodiment of the present application is applicable;
fig. 3 is a schematic structural diagram of an example of an electronic device according to an embodiment of the present application;
fig. 4 is a flowchart of an exemplary key negotiation method according to an embodiment of the present application;
FIG. 5 is a schematic diagram illustrating a data flow during a device registration phase according to an embodiment of the present disclosure;
FIG. 6 is a schematic diagram illustrating a data flow of an exemplary key negotiation stage according to an embodiment of the present application;
FIG. 7 is a schematic diagram illustrating a data flow during an apparatus control phase according to an embodiment of the present disclosure;
fig. 8 is an interface change schematic diagram of an example of a process of sharing IoT devices by a mobile phone a according to an embodiment of the present application;
fig. 9 is a schematic diagram of an interface for receiving sharing by a mobile phone B according to an embodiment of the present application;
fig. 10 is a flowchart of another key negotiation method according to an embodiment of the present application;
FIG. 11 is a schematic diagram illustrating a data flow during an apparatus sharing stage according to an embodiment of the present disclosure;
FIG. 12 is a schematic diagram of a data flow of another key agreement phase provided by an embodiment of the present application;
FIG. 13 is a schematic diagram of a data flow during another device control phase provided in an embodiment of the present application;
fig. 14 is a flowchart of another key negotiation method according to an embodiment of the present application;
fig. 15 is a schematic structural diagram of an exemplary key negotiation apparatus according to an embodiment of the present application;
fig. 16 is a schematic structural diagram of another key negotiation apparatus according to an embodiment of the present application;
fig. 17 is a schematic structural diagram of another key negotiation apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. Wherein, in the description of the embodiments of the present application, "/" means or is meant unless otherwise indicated, for example, a/B may represent a or B; "and/or" herein is merely an association relationship describing an association object, and means that three relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist together, and B exists alone. In addition, in the description of the embodiments of the present application, "plurality" means two or more than two.
The terms "first," "second," "third," and the like, are used below for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first", "a second", or a third "may explicitly or implicitly include one or more such feature.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more, but not all, embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
For a better understanding of the embodiments of the present application, terms or concepts that may be referred to in the embodiments are explained below.
IoT devices: physical objects in IoT networks. In the embodiment of the application, the IoT device may be an intelligent home device, for example, an intelligent sound box, an intelligent desk lamp, an intelligent air conditioner, an intelligent refrigerator, an intelligent door lock, an intelligent curtain, or the like. In addition, the IoT device may also be an intelligent device such as an in-vehicle device, a wearable device, an Augmented Reality (AR)/Virtual Reality (VR) device, and the specific type of the IoT device is not limited in the embodiments of the present application.
And (3) a control terminal: the control terminal refers to a terminal installed with an Application (APP) that controls IoT devices, including, but not limited to, cell phones, tablet computers, wearable devices, notebook computers, ultra-mobile personal computer (UMPC), netbooks, personal digital assistants (personal digital assistant, PDA), and the like. The APP controlling the IoT device may be, for example, smart life, smart space, etc.
Cloud server: also known as IoT clouds, smart home clouds, cloud platforms, cloud or device clouds, and the like. The cloud server is used to store relevant data for IoT devices, or to control forwarding transmissions of data (e.g., control instructions) between the terminal and the IoT devices, etc.
APP account: the user registers in the APP controlling the IoT device, information characterizing the user identity. The APP account is also referred to as APP account information, APP user information, or APP user identity (user identity document, user ID).
Device authentication code of IoT device: generated by IoT devices for key agreement. The device authentication code may be randomly generated for the IoT device or a string generated according to a preset rule. The device authentication codes generated by different IoT devices are different, and each time the same IoT device generates a device authentication code is different.
Registration information of IoT devices: information required by IoT devices when the devices register. The registration information of the IoT device may include registrant identity information of the IoT device, an activation code of the IoT device, and the like.
Registrar identity information for IoT devices: i.e., register identity document, regID for short, is used to characterize the unique identity of IoT devices at the device registration stage.
Activation code of IoT device: i.e., active code, for registration activation of IoT devices in the device registration phase.
Device account of IoT device: a device identity (device identity document, simply devID), also referred to as IoT device, for characterizing the unique identity of the IoT device.
Login password of IoT device: information for verifying identity when an IoT device logs into a device account. The device account of one IoT device corresponds to one login password.
And (3) sharing equipment: also known as IoT device sharing, sharing device or sharing device, etc. A certain APP account logged in a control terminal having control rights for a certain IoT device is bound to the IoT device. The control terminal shares the control authority of the IoT device to another control terminal logged in with other APP accounts, so that the other control terminal also has the control authority of the IoT device, and this process is called IoT device sharing, which is called device sharing for short.
Sharing person: the method is also called active sharer or device sharer, and refers to an APP account logged in a control terminal for sharing the control authority of an IoT device to other control terminals. For example, when the control terminal a logs in to the APP account 1, and the control terminal a shares the control authority of the IoT device a to the control terminal B logging in to the APP account 2, the APP account a is a sharer.
The shared person: the APP account registered in the control terminal which is shared by the devices of other control terminals is also called a passive sharer. As in the example above, APP account B is the sharee.
Fig. 1 is a schematic diagram illustrating encryption principle in a process of a control terminal sending a control instruction to an IoT device in the related art. As shown in fig. 1, the control terminal 101 includes a first encryption module 111, and the cloud server 200 includes a first decryption module 221 and a second encryption module 222.IoT device 300 includes a second decryption module 331. Encryption and decryption are performed between the control terminal 101 and the cloud server 200 based on the encryption protocol a. Encryption and decryption between the cloud server 200 and IoT devices 300 is based on encryption protocol B.
When the control terminal 101 needs to send a control instruction to the IoT device 300, the first encryption module 111 of the control terminal 101 encrypts the plaintext control instruction based on the encryption protocol a, and generates the ciphertext control instruction a. The first encryption module 111 sends the first ciphertext control instruction to the first decryption module 221 of the cloud server 200. The first decryption module 221 decrypts the ciphertext control instruction a based on the first encryption protocol, resulting in a plaintext control instruction. The first decryption module 221 sends the plaintext control instruction to the second encryption module 222. The second encryption module 222 encrypts the plaintext control instructions based on the encryption protocol B to obtain ciphertext control instructions B. The second encryption module 222 sends the ciphertext control instruction b to the second decryption module 331 of the IoT device 300. The second decryption module 331 decrypts the ciphertext control instruction B based on the encryption protocol B, to obtain the plaintext control instruction.
As can be seen from the above procedure, the first ciphertext control instruction is transmitted from the control terminal 101 to the IoT device 300, and needs to be decrypted by the cloud server 200, and the cloud server 200 can obtain the plaintext control instruction. That is, in the transmission process of the first ciphertext control instruction, a third party (cloud server) parses the ciphertext control instruction a, so that the transmission of the control instruction between the control terminal 101 and the IoT device 300 is not secure enough.
The embodiment of the application provides a key negotiation method, which can realize end-to-end encryption of a control terminal and an internet traffic (IoT) device, prevent a control instruction from being analyzed by a third party and improve the safety of control instruction transmission. In addition, the key negotiation method provided by the embodiment of the invention can be applied to the sharing process of the IoT device, so that the security of the transmission of the control instruction of the control terminal where the sharer is located can be improved, and the security of the transmission of the control instruction of the terminal device where the sharer is located can also be improved. The key negotiation method provided in the present application is described below with reference to an embodiment.
For easy understanding, before explaining the key negotiation method provided in the embodiment of the present application, first, a system and an electronic device structure to which the key negotiation method provided in the embodiment of the present application is applicable are explained.
Fig. 2 is a schematic structural diagram of an IoT system to which the key negotiation method according to the embodiment of the present application is applicable. As shown in fig. 2, the IoT system may include a first control terminal 210, an IoT device 220, a second control terminal 230, and a server 240. The first control terminal 210, ioT device 220, and second control terminal 230 are respectively network-connected to a server 240. Meanwhile, the first control terminal 210 and the IoT device 220 may be connected through proximity field communication, such as wireless fidelity (wireless fidelity, wi-Fi), bluetooth (BT), peer-to-peer (P2P), and the like. The second control terminal 230 and the IoT device 220 may also be connected via near field communication.
The first control terminal 210 and the second control terminal 230 each have an APP (hereinafter referred to as a first APP) for controlling IoT devices installed therein. Server 240 is a management server for the first APP. Alternatively, the server 240 may be a cloud server. The first control terminal 210 logs in APP account 1 in the first APP it installs; the second control terminal 220 logs in APP account 2 in its installed first APP. APP account 1 logged in the first APP of the first control terminal 210 may bind to the IoT device 220 (also referred to as the first control terminal 210 binding with the IoT device 220). The server may manage APP account 1, APP account 2, and the account of the IoT device, among others. It should be noted that, in the embodiment of the present application, the interactions between the first control terminal 210 and the second control terminal 230 and the server 240 are all performed by the first APP. At the same time, interactions between the first control terminal 210 and the second control terminal 230 and the IoT device 220 are also performed through the first APP.
Alternatively, the first control terminal 210 and the second control terminal 230 may be the same type of device or different types of devices. For example, the first control terminal 210 may be a mobile phone, and the second control terminal 230 may be a tablet computer. The following embodiments are described taking the first control terminal 210 and the second control terminal 230 as mobile phones as examples.
Fig. 3 is a schematic structural diagram of a first control terminal 210 and a second control terminal 230 (hereinafter, collectively referred to as an electronic device 100) according to an embodiment of the present application. The electronic device 100 may include a processor 110, an external memory interface 120, an internal memory 121, a universal serial bus (universal serial bus, USB) interface 130, a charge management module 140, a power management module 141, a battery 142, an antenna 1, an antenna 2, a mobile communication module 150, a wireless communication module 160, an audio module 170, a speaker 170A, a receiver 170B, a microphone 170C, an earphone interface 170D, a sensor module 180, keys 190, a motor 191, an indicator 192, a camera 193, a display 194, and a subscriber identity module (subscriber identification module, SIM) card interface 195, etc. The sensor module 180 may include a pressure sensor 180A, a gyro sensor 180B, an air pressure sensor 180C, a magnetic sensor 180D, an acceleration sensor 180E, a distance sensor 180F, a proximity sensor 180G, a fingerprint sensor 180H, a temperature sensor 180J, a touch sensor 180K, an ambient light sensor 180L, a bone conduction sensor 180M, and the like.
It is to be understood that the structure illustrated in the embodiments of the present application does not constitute a specific limitation on the electronic device 100. In other embodiments of the present application, electronic device 100 may include more or fewer components than shown, or certain components may be combined, or certain components may be split, or different arrangements of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The processor 110 may include one or more processing units, such as: the processor 110 may include an application processor (application processor, AP), a modem processor, a graphics processor (graphics processing unit, GPU), an image signal processor (image signal processor, ISP), a controller, a memory, a video codec, a digital signal processor (digital signal processor, DSP), a baseband processor, and/or a neural network processor (neural-network processing unit, NPU), etc. Wherein the different processing units may be separate devices or may be integrated in one or more processors.
The controller may be a neural hub and a command center of the electronic device 100, among others. The controller can generate operation control signals according to the instruction operation codes and the time sequence signals to finish the control of instruction fetching and instruction execution.
A memory may also be provided in the processor 110 for storing instructions and data. In some embodiments, the memory in the processor 110 is a cache memory. The memory may hold instructions or data that the processor 110 has just used or recycled. If the processor 110 needs to reuse the instruction or data, it may be called directly from memory. Repeated accesses are avoided and the latency of the processor 110 is reduced, thereby improving the efficiency of the system.
In some embodiments, the processor 110 may include one or more interfaces. The interfaces may include an integrated circuit (inter-integrated circuit, I2C) interface, an integrated circuit built-in audio (inter-integrated circuit sound, I2S) interface, a pulse code modulation (pulse code modulation, PCM) interface, a universal asynchronous receiver transmitter (universal asynchronous receiver/transmitter, UART) interface, a mobile industry processor interface (mobile industry processor interface, MIPI), a general-purpose input/output (GPIO) interface, a subscriber identity module (subscriber identity module, SIM) interface, and/or a universal serial bus (universal serial bus, USB) interface, among others.
It should be understood that the interfacing relationship between the modules illustrated in the embodiments of the present application is only illustrative, and does not limit the structure of the electronic device 100. In other embodiments of the present application, the electronic device 100 may also use different interfacing manners, or a combination of multiple interfacing manners in the foregoing embodiments.
The wireless communication function of the electronic device 100 may be implemented by the antenna 1, the antenna 2, the mobile communication module 150, the wireless communication module 160, a modem processor, a baseband processor, and the like.
The antennas 1 and 2 are used for transmitting and receiving electromagnetic wave signals. The structures of the antennas 1 and 2 in fig. 3 are only one example. Each antenna in the electronic device 100 may be used to cover a single or multiple communication bands. Different antennas may also be multiplexed to improve the utilization of the antennas. For example: the antenna 1 may be multiplexed into a diversity antenna of a wireless local area network. In other embodiments, the antenna may be used in conjunction with a tuning switch.
The mobile communication module 150 may provide a solution for wireless communication including 2G/3G/4G/5G, etc., applied to the electronic device 100. The mobile communication module 150 may include at least one filter, switch, power amplifier, low noise amplifier (low noise amplifier, LNA), etc. The mobile communication module 150 may receive electromagnetic waves from the antenna 1, perform processes such as filtering, amplifying, and the like on the received electromagnetic waves, and transmit the processed electromagnetic waves to the modem processor for demodulation. The mobile communication module 150 can amplify the signal modulated by the modem processor, and convert the signal into electromagnetic waves through the antenna 1 to radiate. In some embodiments, at least some of the functional modules of the mobile communication module 150 may be disposed in the processor 110. In some embodiments, at least some of the functional modules of the mobile communication module 150 may be provided in the same device as at least some of the modules of the processor 110.
The wireless communication module 160 may provide solutions for wireless communication including wireless local area network (wireless local area networks, WLAN) (e.g., wireless fidelity (wireless fidelity, wi-Fi) network), bluetooth (BT), global navigation satellite system (global navigation satellite system, GNSS), frequency modulation (frequency modulation, FM), near field wireless communication technology (near field communication, NFC), infrared technology (IR), etc., as applied to the electronic device 100. The wireless communication module 160 may be one or more devices that integrate at least one communication processing module. The wireless communication module 160 receives electromagnetic waves via the antenna 2, modulates the electromagnetic wave signals, filters the electromagnetic wave signals, and transmits the processed signals to the processor 110. The wireless communication module 160 may also receive a signal to be transmitted from the processor 110, frequency modulate it, amplify it, and convert it to electromagnetic waves for radiation via the antenna 2.
In some embodiments, antenna 1 and mobile communication module 150 of electronic device 100 are coupled, and antenna 2 and wireless communication module 160 are coupled, such that electronic device 100 may communicate with a network and other devices through wireless communication techniques. Wireless communication techniques may include global system for mobile communications (global system for mobile communications, GSM), general packet radio service (general packet radio service, GPRS), code division multiple access (code division multiple access, CDMA), wideband code division multiple access (wideband code division multiple access, WCDMA), time division code division multiple access (time-division code division multiple access, TD-SCDMA), long term evolution (long term evolution, LTE), BT, GNSS, WLAN, NFC, FM, and/or IR techniques, among others. The GNSS may include a global satellite positioning system (global positioning system, GPS), a global navigation satellite system (global navigation satellite system, GLONASS), a beidou satellite navigation system (beidou navigation satellite system, BDS), a quasi zenith satellite system (quasi-zenith satellite system, QZSS) and/or a satellite based augmentation system (satellite based augmentation systems, SBAS).
The electronic device 100 implements display functions through a GPU, a display screen 194, an application processor, and the like. The GPU is a microprocessor for image processing, and is connected to the display 194 and the application processor. The GPU is used to perform mathematical and geometric calculations for graphics rendering. Processor 110 may include one or more GPUs that execute program instructions to generate or change display information.
The display screen 194 is used to display images, videos, and the like. The display 194 includes a display panel. The display panel may employ a liquid crystal display (liquid crystal display, LCD), an organic light-emitting diode (OLED), an active-matrix organic light-emitting diode (AMOLED) or an active-matrix organic light-emitting diode (matrix organic light emitting diode), a flexible light-emitting diode (flex), a mini, a Micro led, a Micro-OLED, a quantum dot light-emitting diode (quantum dot light emitting diodes, QLED), or the like. In some embodiments, the electronic device 100 may include 1 or N display screens 194, N being a positive integer greater than 1.
The touch sensor 180K, also referred to as a "touch panel". The touch sensor 180K may be disposed on the display screen 194, and the touch sensor 180K and the display screen 194 form a touch screen, which is also called a "touch screen". The touch sensor 180K is for detecting a touch operation acting thereon or thereabout. The touch sensor may communicate the detected touch operation to the application processor to determine the touch event type. Visual output related to touch operations may be provided through the display 194. In other embodiments, the touch sensor 180K may also be disposed on the surface of the electronic device 100 at a different location than the display 194.
The key negotiation method provided in the embodiment of the present application is described in detail below with reference to the accompanying drawings and application scenarios. For ease of understanding, in the following embodiments, the first control terminal is taken as a mobile phone a, the second control terminal is taken as a mobile phone B, the IoT device is taken as an IoT device C, and the server is taken as a cloud server for illustration. Wherein, all install first APP in cell-phone A and the cell-phone B, first APP in the cell-phone A logs in and has APP account 1, and first APP in the cell-phone B logs in and has APP account 2.
Fig. 4 is a schematic flow chart of an exemplary key negotiation method according to an embodiment of the present application. As shown in fig. 4, the present embodiment relates to a process of controlling an IoT device C by a handset a, where the process includes a device registration phase, a key negotiation phase, and a device control phase. The specific processes of the respective stages are described below with reference to fig. 4:
1. device registration phase
Fig. 5 is a schematic diagram illustrating a data flow of an exemplary device registration phase according to an embodiment of the present application. Referring to fig. 4 and fig. 5, in this embodiment, the device registration stage includes:
s401, the mobile phone A applies for registration information of the IoT device C to a cloud server through a first APP.
Optionally, the first APP of the mobile phone a may send a first application message to the cloud server, where the first application message is used to request the cloud server to send registration information of the IoT device C to the first APP of the mobile phone a. Optionally, the first application message may carry information of the APP account registered in the first APP of the mobile phone a, that is, the first application message carries information of the APP account 1.
S402, the cloud server responds to the application of the first APP of the mobile phone A to generate registration information of the IoT device C.
Optionally, the registration information of the IoT device C may include a registrant identity (regID) of the IoT device C and an active code (active code) of the IoT device C.
And S403, the cloud server sends the generated registration information of the IoT device C to the first APP of the mobile phone A.
Specifically, the cloud server may send the generated registration information of the IoT device C to the first APP of the mobile phone a according to the information of the APP account 1 carried in the first application message.
It can be appreciated that the cloud server may save the generated registration information of the IoT device C while sending the registration information of the IoT device C to the first APP of the mobile phone a, and associate the registration information of the IoT device C with the APP account 1, so as to facilitate verification during subsequent device registration.
S404, the mobile phone a sends the registration information of the IoT device C to the IoT device C through the first APP.
Optionally, handset a may send, via the first APP, registration information of IoT device C to IoT device C based on the near field communication connection with IoT device C.
S405, after receiving the registration information, ioT device C generates a device authentication code of IoT device C.
S406, the IoT device C sends the registration information and the device authentication code of the IoT device C to the cloud server, and applies for device registration to the cloud server.
Specifically, ioT device C may send a second application message to the cloud server requesting the cloud server to register IoT device C. Optionally, the second application message may carry the registration information (including the registrant identity and the activation code of the IoT device C) and the device authentication code of the IoT device C.
It is to be appreciated that IoT device C can save the device authentication code while sending its device authentication code to the server.
S407, the cloud server performs device registration in response to the application of the IoT device C.
Specifically, the cloud server may compare and verify the registration information sent by the IoT device C with the registration information of the IoT device C associated with the APP account 1 stored in the cloud server, and if the two are consistent, the cloud server generates the device information of the IoT device C. The device information includes a device account, a login password, and the like. The cloud server binds the device information of IoT device C with APP account 1, i.e., associates the device information of IoT device C with APP account 1.
S408, at the same time, the cloud server saves the device authentication code of IoT device C.
It is to be appreciated that the cloud server can associate the device authentication code of IoT device C with the device account of IoT device C in order to find the device authentication code of IoT device C from the device account of IoT device C.
S409, the cloud server returns the registration result to IoT device C.
Optionally, the registration result may include a device account and a login password of the IoT device C. IoT device C may log into the cloud server according to the device account and login password.
2. Key negotiation stage
Fig. 6 is a schematic diagram illustrating a data flow of an exemplary key negotiation stage according to an embodiment of the present application. Referring to fig. 4 and fig. 6 together, in the present embodiment, the key negotiation stage includes:
s410, the mobile phone a requests, from the cloud server, a device authentication code of the IoT device C through the first APP.
Optionally, the mobile phone a may send a first authentication code request message to the cloud server through the first APP, where the first authentication code request message is used to request the cloud server to send the device authentication code of the IoT device C to the first APP of the mobile phone a. Optionally, the first authentication code request message may carry information such as an APP account 1 and a device account of the IoT device C.
S411, the cloud server responds to the request of the first APP of the mobile phone A and sends the device authentication code of the IoT device C to the first APP of the mobile phone A.
Specifically, the cloud server may search all the device accounts associated with the APP account 1 according to the information of the APP account 1 and the device account of the IoT device C carried in the first authentication code request message, search the device account of the IoT device C from the device accounts, search the device authentication code of the IoT device C from the information associated with the device account of the IoT device C, and send the device authentication code to the first APP of the mobile phone a. Of course, the cloud server may also search for the device authentication code of the IoT device C by other methods, which is not limited in any way in the embodiments of the present application.
S412, the mobile phone A carries out key negotiation with the IoT device C through the first APP based on the device authentication code of the IoT device C to generate a first session key.
Optionally, the first APP of handset a and IoT device C may perform key agreement based on the PAKE protocol. In one embodiment, the key agreement procedure may be as follows: 1) The first APP of the mobile phone A exchanges random numbers and challenge codes with the IoT device C through the cloud server. Specifically, a first APP of the mobile phone a generates a first random number and a first challenge code, and sends the first random number and the first challenge code to the IoT device C through the cloud server; the IoT device C generates a second random number and a second challenge code and sends the second random number and the second challenge code to the first APP of the handset a through the cloud server. 2) The first APP of handset a generates a first session key from the first random number, the first challenge code, the second random number, the second challenge code, and the device authentication code of IoT device C. 3) IoT device C generates a first session key from the first random number, the first challenge code, the second random number, the second challenge code, and the device authentication code of IoT device C.
It will be appreciated that when handset a is near field communication connected with IoT device C, the first APP of handset a may also communicate directly with IoT device C for key agreement.
It should be noted that, only the first session key generated by the negotiation between the first APP of the handset a and the IoT device C can be known by each other, and the other devices cannot know the first session key.
Alternatively, handset a and IoT device C may set a validity period for the first session key (e.g., may be 7 days). During the validity period, handset a and IoT device C are encrypted and decrypted by the first session key. When the first session key exceeds the set validity period, the mobile phone a and the IoT device C can regenerate the session key based on the device authentication code of the IoT device C, thereby further improving the security of the first session key and further improving the security of data transmission between the mobile phone a and the IoT device C.
3. Device control phase
Fig. 7 is a schematic diagram illustrating a data flow of an exemplary device control phase according to an embodiment of the present application. Referring to fig. 4 and 7, the device control stage includes:
s413, when the mobile phone a needs to send the first plaintext control instruction to the IoT device C, the first APP of the mobile phone a encrypts the first plaintext control instruction according to the first session key generated in step S412, so as to obtain a first ciphertext control instruction.
S414, the first APP of the mobile phone A sends a first ciphertext control instruction to the cloud server.
S415, the cloud service forwards the first ciphertext control instruction to IoT device C.
S416, after receiving the first ciphertext control instruction, the IoT device C decrypts the first ciphertext control instruction according to the first session key generated in the step S412, to obtain a first plaintext control instruction.
S417, ioT device C executes the first plaintext control instruction.
Specifically, the first APP of the handset a may include an encryption module a, and the IoT device C may include a decryption module. The encryption module A encrypts the first plaintext control instruction according to the first session key to obtain a first ciphertext control instruction. The encryption module a sends the first ciphertext control instruction to the cloud server, which forwards the first ciphertext control instruction to the decryption module of the IoT device C. And the decryption module decrypts the first ciphertext control instruction to obtain a first plaintext control instruction, and executes the first plaintext control instruction.
In this embodiment, when the control instruction is transmitted, the first APP of the mobile phone a and the IoT device C perform key negotiation based on the device authentication code of the IoT device C, and generate the first session key that can only be obtained by each other, so that end-to-end encryption of the mobile phone a and the IoT device C is achieved, a third party cannot parse the first ciphertext control instruction, and security of control instruction transmission in the process of controlling the IoT device C by the mobile phone a is improved, thereby improving user experience. In another aspect, in this embodiment, the device authentication code of the IoT device C is generated by the IoT device C, and the device authentication code of the IoT device C is sent to the cloud server and stored by the cloud server. When the mobile phone A needs to send a control instruction to the IoT device C, the first APP of the mobile phone A obtains a device authentication code of the IoT device C from the cloud server. Meanwhile, the IoT device C stores the device authentication code, so that the mobile phone a and the IoT device C can hold the consistent device authentication code to perform key agreement. In the above process, the process of acquiring the device authentication code by the first APP of the mobile phone a and the process of acquiring the device authentication code by the IoT device C do not need to be participated by the user, so that the user does not have to perceive encryption, and the user experience is further improved.
In the above embodiments, the encryption and decryption processes of the control command are described as an example. However, the key negotiation method provided by the embodiments of the present application is not limited thereto, and the method may be used for encrypting and decrypting any data transmitted between the control terminal and the IoT device, which is not limited in this application.
In addition, it may be appreciated that the device authentication code of IoT device C in the above embodiments may be a long-term valid device authentication code. That is, the IoT device C and the cloud server hold the device authentication code of IoT device C fixed. In other embodiments, the device authentication code of IoT device C may also be updated periodically or aperiodically. For example, ioT device C may set a validity period for the device authentication code (e.g., the validity period may be 90 days). When the device authentication code exceeds the expiration date, ioT device C regenerates the device authentication code and will send an authentication code update message (which may carry the regenerated device authentication code) to the cloud server requesting the cloud server to update the device authentication code. The cloud server responds to the request of the IoT device C to update the device authentication code of the IoT device C, and sends an authentication code update message to the mobile phone a to inform the first APP of the mobile phone a to update the device authentication code. By updating the equipment authentication code, the safety of the equipment authentication code can be improved, and the risk of stealing the equipment authentication code is reduced, so that the safety of the first session key obtained by negotiating the mobile phone A and the IoT equipment C according to the equipment authentication code is higher, the safety of control instruction transmission between the mobile phone A and the IoT equipment C is further improved, and the user experience is improved.
The above process is a process of encrypting control instructions based on a device authentication code in controlling IoT device C. In some embodiments, when the mobile phone a shares the IoT device C bound to the APP account 1 to the mobile phone B logged in to the APP account 2 (i.e., the APP account 1 is a sharer, and the APP account 2 is a sharee), the mobile phone B may encrypt the control instruction through the device authentication code of the IoT device C, so as to improve the security of the control instruction transmission in the process of controlling the IoT device C by the mobile phone B. The specific procedures are as follows. In the following embodiments, the first APP is taken as a "smart space", and the IoT device C is taken as a smart lamp as an example.
Fig. 8 is an interface change schematic diagram of a process of sharing IoT devices by a mobile phone a according to an embodiment of the present application. As shown in fig. 8 (a), the user clicks on the icon 81 to open the smart space APP. In response to the user clicking on icon 81, handset a runs smart space APP, displaying a "home" main interface 82 of smart space APP, as shown in fig. 8 (b). And the IoT device in the current environment of the mobile phone a and the IoT device bound to APP account 1 (130, 23) currently registered by the smart space APP are displayed under the "device" menu in the "home" main interface 82. Wherein the IoT device to which APP account 1 is bound includes a smart light 001, such as card 83 in (b) in fig. 8. The user presses the card 83 for a long time, and a menu of options appears below the card 83 as shown in fig. 8 (c). The options menu includes a "share devices" option 84. The user clicks on the "shared devices" option 84 to enter the interface shown in fig. 8 (d). The interface includes a plurality of member options. The user clicks on the member option 85 corresponding to APP account 2 (ly), and then enters the share confirmation interface, as shown in fig. 8 (e). The interface includes "confirm" and "cancel" options. The user clicks the "ok" option to determine to share the smart light 001 to the cell phone B that is logged in to APP account 2. After sharing, the mobile phone a may prompt the sharing result, as shown in (f) in fig. 8.
Fig. 9 is a schematic diagram of an interface for receiving sharing by the mobile phone B according to an embodiment of the present application. As shown in fig. 9, after the smart lamp 001 is shared by the mobile phone a to the mobile phone B, the interface of the mobile phone B may pop up a sharing prompt window, which asks the user whether to accept the sharing, as shown by 91 in fig. 9. After the user clicks "yes", smart space APP of handset a starts to share smart light 001 to smart space APP of handset B. The sharing is realized by the following embodiments.
Fig. 10 is a schematic flow chart of another key negotiation method according to an embodiment of the present application. As shown in fig. 10, the present embodiment mainly relates to a process that mobile phone a shares IoT device C (e.g., smart lamp 001) with mobile phone B, and controls IoT device C by mobile phone B, where the process includes a device sharing phase, a key negotiation phase, and a device control phase. The following describes the process of each stage with reference to fig. 10:
1. device sharing phase
Fig. 11 is a schematic diagram illustrating a data flow of an exemplary device sharing stage according to an embodiment of the present application. Referring to fig. 10 and fig. 11 together, in this embodiment, the device sharing stage includes:
s1001, the mobile phone a applies to share the IoT device C to the mobile phone B through the first APP to the cloud server.
Optionally, the first APP of the mobile phone a may send a sharing application message to the cloud server, where the sharing application message is used to request the cloud server to share the IoT device C to the mobile phone B. Optionally, the sharing application message may carry information of the sharing person, information of the shared person, information of the device to be shared, and the like. That is, the sharing application message carries information of the APP account (i.e., APP account 1) registered in the first APP of the mobile phone a, information of the device account of the IoT device C, information of the APP account (i.e., APP account 2) registered in the first APP of the mobile phone B, and the like.
S1002, responding to an application of a first APP of the mobile phone A by the cloud server, and carrying out sharing person right verification, namely carrying out right verification on an APP account (namely APP account 1) logged in by the first APP of the mobile phone A.
It can be appreciated that only the APP account binding an IoT device can act as a sharer of that IoT device, possessing sharing rights to that IoT device. In other words, an APP account requests a shared IoT device, which must be the IoT device bound to the APP account.
Optionally, the cloud server may query, according to the APP account 1 carried in the sharing application message, whether the IoT device bound in the APP account 1 includes the IoT device C, so as to determine whether the IoT device requested to be shared by the APP account 1 is the IoT device bound to the APP account 1, and determine whether the APP account 1 has the sharing authority for the IoT device C. If yes, passing the permission check, otherwise, not passing the permission check.
Optionally, the cloud server may query whether the APP account bound by the IoT device C is APP account 1 according to the device account of the IoT device C carried in the sharing application message, so as to determine whether the APP account 1 has the sharing authority for the IoT device C. If yes, passing the permission check, otherwise, not passing the permission check.
If the authority verification is passed, step S1003 is performed.
S1003, the cloud server hangs down the device information and the device authentication code of the IoT device C under an APP account (i.e. APP account 2) of the first APP login of the mobile phone B.
Specifically, the cloud server associates the information such as the device account, the login password, the device authentication code and the like of the IoT device C with the APP account 2, so that the mobile phone B logged in to the APP account 2 also has control authority over the IoT device.
S1004, the cloud server pushes IoT device C to the first APP of handset B.
Specifically, the cloud server sends information such as a device account of the IoT device C to the first APP of the mobile phone B. The first APP of the mobile phone B may refresh the home main interface according to the information of the device account of the IoT device C, so that the home main interface of the first APP of the mobile phone B displays the card of the IoT device C, thereby enabling the user to perform the control operation on the IoT device C.
2. Key negotiation stage
Fig. 12 is a schematic diagram illustrating a data flow of an exemplary key negotiation stage according to an embodiment of the present application. Referring to fig. 10 and 12 together, in this embodiment, the key negotiation stage includes:
s1005, the mobile phone B requests, from the cloud server through the first APP, a device authentication code of the IoT device C.
Optionally, the first APP of handset B may send a second authentication code request message to the cloud server, where the second authentication code request message is used to request the cloud server to send the device authentication code of IoT device C to the first APP of handset B. Optionally, the second authentication code request message may carry the APP account 2 and the device account of the IoT device C.
S1006, the cloud server responds to the request of the first APP of the mobile phone B, and sends the device authentication code of the IoT device C to the first APP of the mobile phone B.
Specifically, the cloud server may search all the device accounts associated with the APP account 2 according to the information of the APP account 2 and the device account of the IoT device C carried in the second authentication code request message, search the device account of the IoT device C from the device accounts, search the device authentication code of the IoT device C from the information associated with the device account of the IoT device C, and send the device authentication code to the first APP of the mobile phone B. Of course, the cloud server may also search for the device authentication code of the IoT device C by other methods, which is not limited in any way in the embodiments of the present application.
S1007, the first APP of the handset B performs key negotiation with the IoT device C based on the device authentication code of the IoT device C, and generates a second session key.
In this step, the specific key negotiation process is the same as the above-mentioned step S412, and will not be described here again.
It should be noted that, the second session key generated by the negotiation between the first APP of the mobile phone B and the IoT device C is only known to each other, and other devices cannot learn the second session key.
Meanwhile, it can be understood that when the device authentication code exceeds the validity period, the IoT device C regenerates the device authentication code, the cloud server also sends an authentication code update message to the first APP of the mobile phone B to inform the mobile phone B to update the device authentication code, so that the security of the device authentication code can be improved, the risk of the device authentication code being stolen is reduced, the security of the second session key obtained by negotiating the mobile phone B and the IoT device C according to the device authentication code is higher, the security of control instruction transmission between the mobile phone B and the IoT device C is further improved, and the user experience is improved.
3. Device control phase
Fig. 13 is a schematic diagram illustrating a data flow of an exemplary device control phase according to an embodiment of the present application. Referring to fig. 10 and 13 together, in this embodiment, the device control stage includes:
S1008, when the mobile phone B needs to send the second plaintext control instruction to the IoT device C, the first APP of the mobile phone B encrypts the second plaintext control instruction according to the second session key generated in step S1007, to obtain a second ciphertext control instruction.
S1009, the first APP of the mobile phone B sends the second ciphertext control instruction to the cloud server.
S1010, the cloud service forwards the second ciphertext control instruction to IoT device C.
S1011, after receiving the second ciphertext control instruction, the IoT device C decrypts the second ciphertext control instruction according to the second session key generated in the step S1006, to obtain a second plaintext control instruction.
S1012, ioT device C executes the second plaintext control instruction.
Specifically, the first APP of the handset B may include an encryption module B, and the IoT device C may include a decryption module. And the encryption module B encrypts the second plaintext control instruction according to the second session key to obtain a second ciphertext control instruction. The encryption module B sends the second ciphertext control instruction to the cloud server, which forwards the second ciphertext control instruction to the decryption module of the IoT device C. And the decryption module decrypts the second ciphertext control instruction to obtain a second plaintext control instruction, and executes the second plaintext control instruction.
In this embodiment, in the device sharing scenario, when the control instruction is transmitted, the first APP of the mobile phone B and the IoT device C perform key negotiation based on the device authentication code of the IoT device C, and generate the second session key that can only be obtained by each other, so that end-to-end encryption of the mobile phone B and the IoT device C is achieved, a third party cannot parse the second ciphertext control instruction, and security of control instruction transmission in the process of controlling the IoT device C by the mobile phone B in the device sharing scenario is improved, thereby improving user experience. In another aspect, in the embodiment, in the device sharing stage, the device authentication code of the IoT device C is hung under the APP account 2 registered by the first APP of the mobile phone B through the cloud server, that is, the device authentication code is shared, so that when the mobile phone B needs to send a control instruction to the IoT device C, the first APP of the mobile phone B can obtain the device authentication code of the IoT device C from the cloud server. Meanwhile, the IoT device C stores the device authentication code, so that the mobile phone B and the IoT device C can hold the consistent device authentication code to perform key agreement. In the above process, the process of acquiring the device authentication code by the first APP of the mobile phone B and the process of acquiring the device authentication code by the IoT device C do not need to be participated by the user, so that the user does not have to perceive encryption, and the user experience is further improved. In addition, in the device sharing stage, the mobile phone a applies for device sharing to the cloud server through the first APP, and the cloud server directly hangs the device information and the device authentication code of the IoT device C under the APP account logged in by the first APP of the mobile phone B after checking the sharing person right. The whole sharing process only needs to interact between the equipment logged in by the sharing person and the cloud server, the shared person and the equipment to be shared are not required to be on line, the sharing process is simple and quick, and the quick sharing of the IoT equipment can be realized.
Fig. 14 is a schematic flow chart of a key negotiation method according to another embodiment of the present application. This embodiment is described taking the IoT system in fig. 2 as an example. As shown in fig. 14, the method includes:
s1401, the IoT device generates a device authentication code (hereinafter referred to as device authentication code) of the IoT device in the device registration process.
Specifically, referring to the embodiment shown in fig. 4, the IoT device receives the registration information (hereinafter referred to as registration information) of the IoT device sent by the first control terminal, and generates a device authentication code. The IoT device sends the registration information and the device authentication code to the server.
S1402, the server stores the equipment authentication code.
Specifically, referring to the embodiment shown in fig. 4, the service performs device registration on the IoT device according to the registration information, and stores a device authentication code.
S1403, the first control terminal requests the device authentication code from the server.
S1404, the first control terminal and the IoT device perform key agreement according to the device authentication code, and generate a first session key.
S1405, the first control terminal and the IoT device encrypt and decrypt the transmitted data according to the first session key.
S1406, the first control terminal applies for sharing the IoT device to the second control terminal from the server.
S1407, the server associates the device information and the device authentication code of the IoT device with the information of the second control terminal in response to the application of the first control terminal.
Specifically, referring to the embodiment shown in fig. 10, the server downloads the device information and the device authentication code of the IoT device to the account (i.e., APP account 2) of the first APP login of the first control terminal.
S1408, the second control terminal requests a device authentication code from the IoT device.
S1409, the second control terminal and the IoT device perform key negotiation according to the device authentication code, and generate a second session key.
S1410, the second control terminal and the IoT device encrypt and decrypt the transmitted data according to the second session key.
The specific process of the key negotiation method provided in this embodiment is referred to the embodiments shown in fig. 4 and fig. 10, and will not be described herein.
In this embodiment, the first control terminal requests the device authentication code of the IoT device from the server, the device authentication code is generated by the IoT device, and the IoT device also holds the device authentication code, so that the first control terminal can perform key negotiation with the device authentication code of the IoT device to generate a first session key that can only be known to each other, end-to-end encryption of the first control terminal and the IoT device is achieved, a third party cannot parse data (e.g., a control instruction) transmitted between the first control terminal and the IoT device, security of data transmission between the first control terminal and the IoT device is improved, and user experience is improved. In another aspect, in this implementation, a device authentication code is generated by an IoT device and sent to a server for storage by the server. When the first control terminal needs to transmit data with the IoT device, the first control terminal obtains the device authentication code from the server. At the same time, the IoT device is generated by the IoT device, which also holds the device authentication code. In the above process, the first control terminal and the IoT device do not need to participate in the process of acquiring the device authentication code, so that the user can realize encryption without perception, and the user experience is further improved. In addition, in the embodiment, the first control terminal applies for sharing the IoT device to the second control terminal, the server shares the device information of the IoT device to the second control terminal, and at the same time, shares the device authentication code to the second control terminal, so that the second control terminal and the IoT device can perform key negotiation based on the device authentication code to generate a second session key which can only be known to each other, end-to-end encryption of the second control terminal and the IoT device is achieved, a third party cannot analyze data transmitted between the second control terminal and the IoT device, security of direct data transmission between the second control terminal and the IoT device in a device sharing scene is improved, and user experience is improved.
Examples of the key negotiation method provided in the embodiments of the present application are described above in detail. It will be appreciated that the electronic device, in order to achieve the above-described functions, includes corresponding hardware and/or software modules that perform the respective functions. Those of skill in the art will readily appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Those skilled in the art may implement the described functionality using different approaches for each particular application in conjunction with the embodiments, but such implementation is not to be considered as outside the scope of this application.
The embodiment of the present application may divide the functional modules of the electronic device according to the above method examples, for example, may divide each function into each functional module corresponding to each function, for example, a detection unit, a processing unit, a display unit, or the like, or may integrate two or more functions into one module. The integrated modules may be implemented in hardware or in software functional modules. It should be noted that, in the embodiment of the present application, the division of the modules is schematic, which is merely a logic function division, and other division manners may be implemented in actual implementation.
Referring to fig. 15, an embodiment of the present application provides a key agreement apparatus, which may be included in a first electronic device that is applied in a system including a server and an IoT device. The first electronic device may be, for example, the first control terminal in the above embodiment. The key agreement means is for performing the steps of the first control terminal in the above-described embodiments. As shown in fig. 15, the key agreement device may include:
a first sending module 1501, configured to send a first authentication code request message to a server; the first authentication code request message is to request provision of a device authentication code of the IoT device to the first electronic device; the device authentication code is generated for the IoT device and sent to the server;
a first receiving module 1502, configured to receive a device authentication code sent by a server;
a first negotiation module 1503, configured to perform key negotiation with an IoT device according to the device authentication code, and generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
In one embodiment, the first negotiation module 1503 is specifically configured to perform key negotiation with the IoT device based on a password authentication key exchange protocol according to a device authentication code, and generate a first session key.
In one embodiment, the IoT device is bound to a first electronic device, the system further comprises a second electronic device, and the key agreement apparatus further comprises: the first sharing module 1504 is configured to send a sharing application message to a server, where the sharing application message is used to request sharing of control rights to an IoT device to a second electronic device, and the sharing application message includes device information and a device authentication code of the IoT device; the device authentication code is further used for performing key negotiation between the second electronic device and the IoT device to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
In one embodiment, the key agreement device further comprises: a first update module 1505, configured to receive an authentication code update message sent by a server; the authentication code update message is used for indicating to update the equipment authentication code, and the equipment authentication code regenerated under the condition that the equipment authentication code exceeds a first preset validity period is included in the authentication code update message; the device authentication code is updated in accordance with the authentication code update message.
In one embodiment, the first update module 1505 is further configured to re-key the IoT device according to the device authentication code to generate a new first session key if the first session key exceeds the second pre-set expiration period.
The key negotiation device provided in this embodiment is configured to execute the method corresponding to the first control terminal, so the beneficial effects that can be achieved by the key negotiation device can refer to the beneficial effects in the method corresponding to the first control terminal provided above, and are not described herein.
Referring to fig. 16, an embodiment of the present application provides a key agreement apparatus, which may be included in a server that is applied in a system including a first electronic device and an IoT device. The first electronic device may be the first control terminal in the above embodiment. The key agreement means is for performing the steps of the server in the above embodiments. As shown in fig. 16, the key agreement device may include:
a second receiving module 1601, configured to receive and store a device authentication code of an IoT device sent by the IoT device; and receiving a first authentication code request message sent by the first electronic device; the first authentication code request message is used for requesting to send a device authentication code to the first electronic device; the device authentication code is generated for the IoT device;
a second sending module 1602, configured to send a device authentication code to a first electronic device in response to a first authentication code request message; the device authentication code is used for performing key negotiation between the first electronic device and the IoT device to generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
In one embodiment, the IoT device is bound to a first electronic device, the system further comprises a second electronic device, and the second receiving module 1601 is further configured to: receiving a sharing application message sent by a first electronic device, wherein the sharing application message is used for requesting to share control authority of an IoT device to a second electronic device, and the sharing application message comprises device information and a device authentication code of the IoT device; in response to the sharing application message, associating the device information and the device authentication code with information of the second electronic device such that the second electronic device has control authority over the IoT device; the device authentication code is further used for performing key negotiation between the second electronic device and the IoT device to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
In one embodiment, a first application of a second electronic device logs in with a first account, the first application referring to an application for controlling an IoT device; the key agreement device further includes a second sharing module 1603, configured to, in response to the sharing application message, download the device information and the device authentication code to the first account.
In one embodiment, the second receiving module 1601 is further configured to receive a second authentication code request message sent by the second electronic device; the second authentication code request message is used for requesting to provide the second electronic device with the device authentication code; the second sending module 1602 is further configured to send a device authentication code to the second electronic device in response to the second authentication code request message.
In one embodiment, the key agreement device further comprises: a second update module 1604 configured to receive an authentication code update message sent by an IoT device; the authentication code update message is used for indicating to update the equipment authentication code, and the equipment authentication code regenerated under the condition that the equipment authentication code exceeds a first preset validity period is included in the authentication code update message; updating the device authentication code according to the authentication code update message; an authentication code update message is sent to the first electronic device.
In one embodiment, the system further comprises a second electronic device having control authority over the IoT device, the second sending module 1602 further configured to send an authentication code update message to the second electronic device.
The key negotiation device provided in this embodiment is configured to execute the method corresponding to the server, so that the beneficial effects that can be achieved by the key negotiation device can refer to the beneficial effects in the method corresponding to the server provided above, and are not described herein again.
Referring to fig. 17, an embodiment of the present application provides a key agreement apparatus, which may be included in an IoT device that is applied in a system including a first electronic device and a server. The first electronic device may be the first control terminal in the above embodiment. The key agreement means is for performing the steps of the IoT device in the above embodiments. As shown in fig. 17, the key agreement device may include:
A third generating module 1701 for generating a device authentication code;
a third sending module 1702 configured to send a device authentication code to a server;
a third negotiation module 1703, configured to perform key negotiation with the first electronic device according to the device authentication code, and generate a first session key; the first session key is used to encrypt or decrypt data transmitted between the first electronic device and the IoT device.
In one embodiment, the third generating module 1701 is specifically configured to: upon receiving registration information of an IoT device transmitted by a first electronic device, a device authentication code is generated.
In one embodiment, the third negotiation module 1703 is specifically configured to: and according to the equipment authentication code, carrying out key negotiation with the first electronic equipment based on a password authentication key exchange protocol to generate a first session key.
In one embodiment, the key agreement device further comprises: a third updating module 1704, configured to regenerate the device authentication code if the device authentication code exceeds the first preset validity period; and sending an authentication code update message to the server, wherein the authentication code update message is used for indicating updating of the equipment authentication code, and the authentication code update message comprises the regenerated equipment authentication code.
In one embodiment, the third update module 1704 is further configured to re-perform key negotiation with the first electronic device according to the device authentication code to generate a new first session key if the first session key exceeds the second preset validity period.
In one embodiment, the system further comprises a second electronic device having control authority over the IoT device, and the third negotiation module 1703 is further configured to perform key negotiation with the second electronic device according to the device authentication code to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
The key negotiation apparatus provided in this embodiment is configured to perform the method corresponding to the IoT device, so the beneficial effects that can be achieved by the key negotiation apparatus can refer to the beneficial effects in the method corresponding to the IoT device provided above, and will not be described herein.
The present embodiments also provide an IoT system comprising: a first electronic device, a server, and an IoT device. The first electronic device is configured to execute a method corresponding to the first control terminal in the above embodiment, the server is configured to execute a method corresponding to the server in the above embodiment, and the IoT device is configured to execute a method corresponding to the IoT device in the above embodiment. The benefits of IoT systems are not described in detail herein.
The embodiment also provides an electronic device for executing the key negotiation method. The electronic device may be the first electronic device, the server, or the IoT device described above. The first electronic device is configured to execute the method corresponding to the first control terminal in the above embodiment, the server is configured to execute the method corresponding to the server in the above embodiment, and the IoT device is configured to execute the method corresponding to the IoT device in the above embodiment, so that the electronic device in the embodiment can achieve the same effects as the implementation method described above.
In case an integrated unit is employed, the electronic device may further comprise a processing module, a storage module and a communication module. The processing module can be used for controlling and managing the actions of the electronic equipment. The memory module may be used to support the electronic device to execute stored program code, data, etc. And the communication module can be used for supporting the communication between the electronic device and other devices.
Wherein the processing module may be a processor or a controller. Which may implement or perform the various exemplary logic blocks, modules, and circuits described in connection with this disclosure. A processor may also be a combination that performs computing functions, e.g., including one or more microprocessors, digital signal processing (digital signal processing, DSP) and microprocessor combinations, and the like. The memory module may be a memory. The communication module can be a radio frequency circuit, a Bluetooth chip, a Wi-Fi chip and other equipment which interact with other electronic equipment.
In one embodiment, when the processing module is a processor and the storage module is a memory, the electronic device according to this embodiment may be a device having the structure shown in fig. 3.
The present application also provides a computer readable storage medium, in which a computer program is stored, which when executed by a processor, causes the processor to perform the key negotiation method of any of the above embodiments.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the above-mentioned related steps to implement the key agreement method in the above-mentioned embodiments.
In addition, embodiments of the present application also provide an apparatus, which may be specifically a chip, a component, or a module, and may include a processor and a memory connected to each other; the memory is configured to store computer-executable instructions, and when the device is running, the processor may execute the computer-executable instructions stored in the memory, so that the chip performs the key negotiation method in the above method embodiments.
The electronic device, the computer readable storage medium, the computer program product or the chip provided in this embodiment are used to execute the corresponding method provided above, so that the beneficial effects thereof can be referred to the beneficial effects in the corresponding method provided above, and will not be described herein.
It will be appreciated by those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional modules is illustrated, and in practical application, the above-described functional allocation may be performed by different functional modules according to needs, i.e. the internal structure of the apparatus is divided into different functional modules to perform all or part of the functions described above.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of modules or units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another apparatus, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and the parts shown as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application may be essentially or a part contributing to the prior art or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, including several instructions to cause a device (may be a single-chip microcomputer, a chip or the like) or a processor (processor) to perform all or part of the steps of the methods of the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read Only Memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (17)

1. A key agreement method performed by a first electronic device applied to a system including a server, an IoT device, and a second electronic device, the first electronic device having control rights to the IoT device, the method comprising:
sending a first authentication code request message to the server; the first authentication code request message is to request provision of a device authentication code of the IoT device to the first electronic device; the device authentication code is generated for the IoT device and sent to the server;
receiving the equipment authentication code sent by the server;
performing key negotiation with the IoT device according to the device authentication code to generate a first session key; the first session key is to encrypt or decrypt data transmitted between the first electronic device and the IoT device;
Sending a share application message to the server, the share application message being for requesting the server to associate device information of the IoT device and the device authentication code with information of the second electronic device; the device authentication code is further for key agreement with the IoT device by the second electronic device to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
2. The method of claim 1, wherein the performing key agreement with the IoT device according to the device authentication code to generate a first session key comprises:
and according to the device authentication code, performing key negotiation with the IoT device based on a password authentication key exchange protocol to generate the first session key.
3. The method according to claim 1, wherein the method further comprises:
receiving an authentication code update message sent by the server; the authentication code update message is used for indicating to update the equipment authentication code, and the authentication code update message comprises the equipment authentication code regenerated under the condition that the equipment authentication code exceeds a first preset validity period;
And updating the equipment authentication code according to the authentication code updating message.
4. A method according to any one of claims 1 to 3, further comprising:
and re-performing key negotiation with the IoT device according to the device authentication code to generate a new first session key under the condition that the first session key exceeds a second preset validity period.
5. A key agreement method performed by a server applied to a system including a first electronic device, an IoT device, and a second electronic device, the first electronic device having control rights to the IoT device, the method comprising:
receiving and saving a device authentication code of the IoT device transmitted by the IoT device; the device authentication code generated for the IoT device;
receiving a first authentication code request message sent by the first electronic equipment; the first authentication code request message is used for requesting to send the device authentication code to the first electronic device;
transmitting the device authentication code to the first electronic device in response to the first authentication code request message; the device authentication code is used for key agreement between the first electronic device and the IoT device to generate a first session key; the first session key is to encrypt or decrypt data transmitted between the first electronic device and the IoT device;
Receiving a sharing application message sent by the first electronic device, where the sharing application message is used to request to associate device information of the IoT device and the device authentication code with information of the second electronic device;
in response to the sharing application message, associating the device information and the device authentication code with information of the second electronic device, the device authentication code further used for key agreement with the IoT device by the second electronic device, generating a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
6. The method of claim 5, wherein a first application of the second electronic device is logged into a first account, the first application being an application for controlling the IoT device; the responding to the sharing application message, associating the device information and the device authentication code with the information of the second electronic device, includes:
and responding to the sharing application message, and hanging the equipment information and the equipment authentication code under the first account.
7. The method of claim 5, wherein the method further comprises:
receiving a second authentication code request message sent by the second electronic equipment; the second authentication code request message is used for requesting to provide the device authentication code for the second electronic device;
and transmitting the device authentication code to the second electronic device in response to the second authentication code request message.
8. The method according to any one of claims 5 to 7, further comprising:
receiving an authentication code update message sent by the IoT device; the authentication code update message is used for indicating to update the equipment authentication code, and the authentication code update message comprises the equipment authentication code regenerated under the condition that the equipment authentication code exceeds a first preset validity period;
updating the equipment authentication code according to the authentication code update message;
and sending the authentication code update message to the first electronic device.
9. The method of claim 8, wherein the method further comprises:
and sending the authentication code update message to the second electronic device.
10. A key agreement method performed by an IoT device that is applied to a system that includes a first electronic device, a server, and a second electronic device, the first electronic device and the second electronic device each having control rights to the IoT device, the method comprising:
Generating a device authentication code;
transmitting the device authentication code to the server;
according to the equipment authentication code, performing key negotiation with the first electronic equipment to generate a first session key; the first session key is to encrypt or decrypt data transmitted between the first electronic device and the IoT device;
performing key negotiation with the second electronic equipment according to the equipment authentication code to generate a second session key; the second session key is used to encrypt or decrypt data transmitted between the second electronic device and the IoT device.
11. The method of claim 10, wherein the generating a device authentication code comprises:
the device authentication code is generated upon receiving registration information of the IoT device transmitted by the first electronic device.
12. The method of claim 10, wherein the generating a first session key based on the device authentication code by performing a key agreement with the first electronic device comprises:
and according to the equipment authentication code, carrying out key negotiation with the first electronic equipment based on a password authentication key exchange protocol to generate the first session key.
13. The method according to claim 10, wherein the method further comprises:
regenerating the equipment authentication code under the condition that the equipment authentication code exceeds a first preset validity period;
and sending an authentication code update message to the server, wherein the authentication code update message is used for indicating to update the equipment authentication code, and the authentication code update message comprises the regenerated equipment authentication code.
14. The method according to any one of claims 10 to 13, further comprising:
and under the condition that the first session key exceeds a second preset validity period, carrying out key negotiation with the first electronic equipment according to the equipment authentication code to generate a new first session key.
15. An IoT system, comprising: a first electronic device to perform the method of any of claims 1-4, a server to perform the method of any of claims 5-9, and an IoT device to perform the method of any of claims 10-14.
16. An electronic device, comprising: a processor, a memory, and an interface;
The processor, memory and interface cooperate to cause the electronic device to perform the method of any one of claims 1 to 4, or to cause the electronic device to perform the method of any one of claims 5 to 9, or to cause the electronic device to perform the method of any one of claims 10 to 14.
17. A computer readable storage medium, in which a computer program is stored which, when executed by a processor, causes the processor to perform the method of any one of claims 1 to 4, or causes the processor to perform the method of any one of claims 5 to 9, or the processor to perform the method of any one of claims 10 to 14.
CN202111538419.9A 2021-12-15 2021-12-15 Key agreement method, system, electronic device and computer readable storage medium Active CN115001667B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111538419.9A CN115001667B (en) 2021-12-15 2021-12-15 Key agreement method, system, electronic device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111538419.9A CN115001667B (en) 2021-12-15 2021-12-15 Key agreement method, system, electronic device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN115001667A CN115001667A (en) 2022-09-02
CN115001667B true CN115001667B (en) 2023-05-26

Family

ID=83018863

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111538419.9A Active CN115001667B (en) 2021-12-15 2021-12-15 Key agreement method, system, electronic device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN115001667B (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101123501A (en) * 2006-08-08 2008-02-13 西安电子科技大学 A WAPI authentication and secret key negotiation method and system
CN101340443B (en) * 2008-08-28 2014-12-03 中国电信股份有限公司 Session key negotiating method, system and server in communication network
CN106656984B (en) * 2016-10-31 2019-10-01 美的智慧家居科技有限公司 Safety operation control method, system and its equipment of equipment in local area network
CN108632393B (en) * 2018-07-30 2021-03-30 郑州信大捷安信息技术股份有限公司 Secure communication system and method
CN110933672B (en) * 2019-11-29 2021-11-30 华为技术有限公司 Key negotiation method and electronic equipment

Also Published As

Publication number Publication date
CN115001667A (en) 2022-09-02

Similar Documents

Publication Publication Date Title
WO2021147745A1 (en) Bluetooth connection method, system, and electronic device
EP3820077A1 (en) Login method, token sending method, and device
EP2645665A1 (en) Bluetooth loe energy privacy
CN112987581A (en) Control method for intelligent household equipment, medium and terminal thereof
EP3069255B1 (en) Method and apparatus for connecting communication of electronic devices
CN105308995A (en) Wireless configuration using passive near field communication
CN113207122B (en) Message transmission method and device
WO2021135593A1 (en) Device sharing method and electronic device
WO2021093855A1 (en) Mobile device management method and device
US20230098097A1 (en) Cross platform credential sharing
WO2022143031A1 (en) Identity authentication method, electronic device, and computer readable storage medium
CN112995990B (en) Method, system and equipment for synchronizing key information
CN115001667B (en) Key agreement method, system, electronic device and computer readable storage medium
CN116056184B (en) Network access method, system, electronic equipment and storage medium
CN114756849B (en) Method and device for verifying personal identification number PIN code
CN114205822B (en) IoT device and authorization method thereof
US20230101005A1 (en) Quick response codes for data transfer
WO2023169545A1 (en) Offline device control method and related apparatus
CN117195276B (en) Data protection method and electronic equipment
CN116846681B (en) Device connection method, electronic device, and computer-readable storage medium
CN116782186A (en) Offline equipment control method and related device
WO2023202631A1 (en) Subscription method and apparatus, and communication device, internet of things device and network element
CN117131481A (en) User login method and electronic equipment
CN116049839A (en) Data transmission method and electronic equipment
CN117641307A (en) Method for searching terminal, terminal and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant