CN115622723A - Device access control method and device, electronic device and storage medium - Google Patents


Info

Publication number
CN115622723A
Authority
CN
China
Prior art keywords
access
access control
controlled
user
equipment
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110806362.XA
Other languages
Chinese (zh)
Inventor
姚佳良
贾倩
卿青海
东昀
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Application filed by China Mobile Communications Group Co Ltd, China Mobile Hangzhou Information Technology Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN202110806362.XA priority Critical patent/CN115622723A/en
Publication of CN115622723A publication Critical patent/CN115622723A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the application disclose a device access control method and apparatus, an electronic device and a storage medium. The device access control method comprises the following steps: receiving an access request, wherein the access request comprises first user attribute information of a requesting party; querying, according to the access request, a blockchain that stores an access control policy of the controlled device; determining whether the requesting party is an authorized access user according to the first user attribute information and the queried access control policy; when the requesting party is an authorized access user, allocating a usage right for a virtual capability to the requesting party from a virtual capability resource pool established based on the capabilities of the controlled device; and sending a control instruction to the controlled device according to the authority range information of the usage right, wherein the control instruction is used for controlling the controlled device to accept access by the requester within the usage right. Storing the access control policy on a blockchain thus improves storage security, and the security of device capability sharing based on the virtual capability resource pool is improved.

Description

Device access control method and device, electronic device and storage medium
Technical Field
The invention relates to the technical field of internet of things, in particular to a device access control method and device, an electronic device and a storage medium.
Background
In the prior art, access control for smart devices mostly relies on a centralized authorization decision entity, that is, a central trusted entity grants the access control rights. At present, many smart devices are used with neither bidirectional identity authentication nor strong passwords to protect their data. For example, in the daily use of smart home devices, a simple four-digit PIN code or a scanned QR code is often all that verifies the device user before the device is authorized to join the network. Such access control is easy for a third party to crack, the software applications that control the devices have a relatively low security level, adding a malicious third-party device costs little, and the data security of smart devices is at considerable risk. Therefore, the prior art cannot guarantee the security of smart devices while also enabling them to work together as an integrated whole.
Disclosure of Invention
In view of this, embodiments of the present invention provide a device access control method and apparatus, an electronic device, and a storage medium.
The technical scheme of the invention is realized as follows:
In a first aspect, an embodiment of the present invention provides a device access control method, including:
receiving an access request, wherein the access request comprises: first user attribute information of a requesting party;
inquiring a block chain storing an access control strategy of the controlled equipment according to the access request;
determining whether the requester is an authorized access user according to the first user attribute information and the queried access control policy;
when the requesting party is an authorized access user, allocating the use permission of the virtual capacity to the requesting party from a virtual capacity resource pool established based on the capacity of the controlled equipment;
and sending a control instruction to the controlled equipment according to the authority range information of the use authority, wherein the control instruction is used for controlling the controlled equipment to accept the access of the requester in the use authority.
Further, the determining whether the requesting party is an authorized access user according to the first user attribute information and the queried access control policy includes:
determining second user attribute information of an authorized access user of the controlled equipment according to the queried access control strategy;
and comparing the first user attribute information with the second user attribute information to determine whether the requester is an authorized access user.
Further, the allocating, from a virtual capability resource pool established based on the capability of the controlled device, a usage right of virtual capability to the requester includes:
determining a required target capability according to the access request;
determining target devices capable of providing the target capabilities recorded in a virtual capability resource pool established based on the capabilities of the controlled devices;
and allocating the use authority of the target device to the requester.
Further, the sending a control instruction to the controlled device according to the authority range information of the usage authority includes:
obtaining an authorized equipment list corresponding to the requester;
and if the target equipment exists in the authorized equipment list, sending a control instruction to the target equipment according to the authority range information of the use authority.
Further, the method further comprises:
inquiring a device public key of the controlled device in the block chain;
the sending of the control instruction to the controlled device according to the authority range information of the use authority includes:
performing identity verification on the controlled equipment based on the equipment public key;
and if the verification is successful, sending a control instruction to the controlled equipment according to the authority range information of the use authority.
Further, the method further comprises:
establishing a virtual capacity resource pool based on the capacity of at least one controlled device;
determining an access control policy of the controlled device recorded in the virtual capacity resource pool based on second user attribute information of an authorized access user of the controlled device and device attribute information of the controlled device;
storing the access control policy into at least one block of a chain of blocks.
Further, the method further comprises:
after the storage is finished, performing a hash operation on each block based on the access control policy stored in that block to obtain an updated hash value of the block, wherein the hash value of a block is stored in the next block in the blockchain;
updating the hash value stored in the next block in the blockchain based on the updated hash value of the block.
Further, the method further comprises:
storing operation data generated during access control of the controlled device based on the InterPlanetary File System (IPFS).
In a second aspect, an embodiment of the present invention provides a device access control apparatus, including:
a receiving unit, configured to receive an access request, where the access request includes: first user attribute information of a requesting party;
the query unit is used for querying a block chain storing an access control strategy of the controlled equipment according to the access request;
a determining unit, configured to determine whether the requesting party is an authorized access user according to the first user attribute information and the queried access control policy;
the allocation unit is used for allocating the use permission of the virtual capacity to the requester from a virtual capacity resource pool established based on the capacity of the controlled equipment when the requester is an authorized access user;
and the sending unit is used for sending a control instruction to the controlled equipment according to the authority range information of the use authority, wherein the control instruction is used for controlling the controlled equipment to accept the access of the requester in the use authority.
In a third aspect, an embodiment of the present invention provides an electronic device, where the electronic device includes: a processor and a memory for storing a computer program capable of running on the processor;
when the computer program is run by a processor, the steps of one or more of the above-mentioned methods are performed.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, where the computer-readable storage medium stores computer-executable instructions; the computer executable instructions can be executed by a processor to implement the method of one or more of the above-mentioned technical solutions.
The device access control method provided by the embodiment of the invention comprises the following steps: receiving an access request, wherein the access request comprises first user attribute information of a requesting party; querying, according to the access request, a blockchain that stores an access control policy of the controlled device; determining whether the requester is an authorized access user according to the first user attribute information and the queried access control policy; when the requesting party is an authorized access user, allocating a usage right for a virtual capability to the requesting party from a virtual capability resource pool established based on the capabilities of the controlled device; and sending a control instruction to the controlled device according to the authority range information of the usage right. In this way, the capabilities of multiple controlled devices can be openly shared and uniformly allocated through the virtual capability resource pool, which improves the utilization of device capability resources. On this basis, the access control policy of the controlled device is stored on a blockchain, and the decentralized storage of the blockchain effectively reduces the controlled device's dependence on a single centralized authorization decision entity, which greatly improves the security of device-related data storage and of capability resource sharing among multiple devices.
Drawings
Fig. 1 is a schematic flowchart of a device access control method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a device access control method according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of a device access control method according to an embodiment of the present invention;
Fig. 4 is a schematic flowchart of a device access control method according to an embodiment of the present invention;
Fig. 5 is a schematic flowchart of a device access control method according to an embodiment of the present invention;
Fig. 6 is a schematic flowchart of a device access control method according to an embodiment of the present invention;
Fig. 7 is a schematic flowchart of a device access control method according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of an apparatus access control device according to an embodiment of the present invention;
Fig. 9 is a schematic flowchart of smart home management and control in a household scenario according to an embodiment of the present invention;
Fig. 10 is a schematic flowchart of smart home management and control in a visitor scene according to an embodiment of the present invention;
Fig. 11 is a schematic flowchart of an access control method for smart home devices according to an embodiment of the present invention;
Fig. 12 is a block chain storage flow diagram according to an embodiment of the present invention;
Fig. 13 is a schematic diagram of a code implementation for storing operation data according to an embodiment of the present invention;
Fig. 14 is a schematic diagram of a code implementation for obtaining operation data according to an embodiment of the present invention;
Fig. 15 is a schematic diagram of attributes of a UPnP device according to an embodiment of the present invention;
Fig. 16 is a schematic flowchart of acquiring a virtual capability resource according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail with reference to the accompanying drawings, the described embodiments should not be construed as limiting the present invention, and all other embodiments obtained by a person of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.
In the following description, the terms "first/second/third" are used only to distinguish similar objects and do not denote a particular order. Where permitted, the specific order or sequence of "first/second/third" may be interchanged, so that the embodiments of the invention described herein can be practiced in an order other than that shown or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein is for the purpose of describing embodiments of the invention only and is not intended to be limiting of the invention.
As shown in fig. 1, an embodiment of the present invention provides a device access control method, including:
S110: receiving an access request, wherein the access request comprises: first user attribute information of a requesting party;
S120: querying, according to the access request, a blockchain storing an access control policy of the controlled device;
S130: determining whether the requester is an authorized access user according to the first user attribute information and the queried access control policy;
S140: when the requesting party is an authorized access user, allocating a usage right for a virtual capability to the requesting party from a virtual capability resource pool established based on the capabilities of the controlled device;
S150: sending a control instruction to the controlled device according to the authority range information of the usage right, wherein the control instruction is used for controlling the controlled device to accept access by the requester within the usage right.
Here, the controlled device may be any of various smart devices, for example Internet of Things devices such as Universal Plug and Play (UPnP) devices. The requesting party may be a user requesting to access and/or use the controlled device. The first user attribute information is attribute information representing the identity of the user and may include, for example, the user's identity document (ID).
In the embodiment of the present invention, the access request includes the first user attribute information of the requesting party, and may also carry information such as device information requesting access or capability resources requested to be acquired. The access control policy of the controlled device may be information for managing access of the requester to the controlled device, which is set based on user attribute information of an authorized access user of the controlled device, device attribute information of the controlled device, and the like.
In one embodiment, the blockchain stores the access control policy of the controlled device, and both the response to the access request and the device access control method are implemented on the blockchain, so that the policy control process can be automated. Smart contracts are executed by the blockchain without any human participation; only the conditions recorded in the smart contract need to be met. This greatly saves time and reduces cost, the contract cannot be altered, and the security of the whole process and of the user's private information is effectively ensured.
In another embodiment, the controlled device is an intelligent home device supporting a UPnP protocol, such as a television, a projector, and the like, and the plurality of intelligent home devices form an intelligent home system based on the UPnP protocol, and a virtual capacity resource pool is formed in the intelligent home system based on capacity resources of each intelligent home device, so as to implement sharing and centralized allocation of capacity resources among the plurality of devices.
Exemplarily, the stored access control policy of the corresponding controlled device may be queried in the block chain according to the device information requesting access carried in the access request; or, the access control policy of each controlled device may be queried in the block chain according to the virtual capability requested to be obtained in the access request.
In one embodiment, according to the first user attribute information, a search or matching may be performed in the queried access control policy to determine whether the first user attribute information belongs to authorized access user information recorded in the access control policy. And if the first user attribute information belongs to the authorized access user information recorded in the access control strategy, the requesting party corresponding to the first user attribute information is an authorized access user of the controlled equipment.
If the requesting party is determined to be an authorized access user, the usage right of the virtual capacity required by the requesting party can be allocated to the requesting party in a virtual capacity resource pool formed based on the UPnP protocol, for example, matching query is performed in the virtual capacity resource pool according to the virtual capacity obtained by the request carried in the access request, and the access right, the usage right and the like corresponding to the virtual capacity are obtained and sent to the requesting party.
In another embodiment, when the requester is determined to be an authorized access user, the virtual capability access right recorded in the access control policy is obtained first, and the access right is sent to the requester. The requester can know or browse the related controlled devices with the virtual capability based on the access right, so that the requester can request access to one or more of the controlled devices again. Based on this, the usage right of the virtual capability may be returned to the requester after receiving the re-request.
In one embodiment, the usage right carries authority range information. For example, the authority range information may record which instructions the controlled device is allowed to respond to when a requester holding the usage right issues instructions to it. Illustratively, if the controlled device is a television, the corresponding authority range information may allow the requester to perform control operations such as screen projection and volume adjustment on the controlled device, but not operations such as a factory reset.
In another embodiment, the authority range information of the usage right may also be set according to the access control policy. For example, the access control policy may record which capability resources of the controlled device can be called in different time periods, so that the usage right carries correspondingly different authority range information and the requesting party is allowed to perform different operations in different time periods. Alternatively, the access control policy may record authorized access users of the controlled device at different levels, for example, an adult family member at the first level, a minor at the second level, and a guest at the third level. Different authority range information can then be set for the usage rights of authorized access users at different levels: after the level of the authorized access user is determined from the requester's first user attribute information, the corresponding authority range information is determined from that level, so that different usage rights are provided in a targeted way.
It is to be understood that the control instruction sent to the controlled device for instructing the controlled device to respond to the requester may include an access instruction, a control instruction, and the like.
Therefore, establishing the virtual capability resource pool from the capability resources of the controlled devices organizes the controlled devices into a system, allows virtual capability resources to be allocated uniformly and shared among multiple devices, and improves both the utilization of capability resources and the responsiveness to demand for them. On this basis, the access control policy that serves as the basis for access decisions on the controlled device is stored on a blockchain, and the distributed storage of the blockchain greatly reduces dependence on a centralized authorization decision entity, which improves the security and tamper resistance of the stored information. Furthermore, because the requester's identity is verified against information stored in the blockchain, the privacy of information related to the controlled device and the security of device access are improved while the use of device resources is optimized, so that overall security is improved while the devices work together as an integrated whole.
In some embodiments, as shown in fig. 2, the S130 includes:
S131: determining second user attribute information of an authorized access user of the controlled device according to the queried access control policy;
S132: comparing the first user attribute information with the second user attribute information to determine whether the requester is an authorized access user.
In the embodiment of the present invention, the access control policy may record second user attribute information of the authorized access users who are allowed to access the controlled device. The second user attribute information may be in the same format as the first user attribute information, for example the user's ID information.
In one embodiment, the access control policy may record second user attribute information for each of at least one authorized access user, and the first user attribute information is compared with each item of second user attribute information in turn. If no item matches, the requesting party is not an authorized access user; if the first user attribute information matches an item of second user attribute information during the comparison, the requesting party is an authorized access user.
In another embodiment, at least one item of second user attribute information may also be recorded in the access control policy in table form, and the table is then queried for the presence of the first user attribute information. If the first user attribute information is present in the table, the requester is an authorized access user.
Therefore, the identity of the requester can be verified based on the access control policy stored in the blockchain, so that the security of the controlled equipment for receiving access can be ensured, and the privacy of the identity information storage of the authorized access user can be improved based on the blockchain.
In some embodiments, as shown in fig. 3, the S140 includes:
S141: when the requesting party is an authorized access user, determining the required target capability according to the access request;
S142: determining target devices capable of providing the target capabilities recorded in a virtual capability resource pool established based on the capabilities of the controlled devices;
S143: allocating the usage right of the target device to the requester.
In the embodiment of the present invention, the target capability obtained by the request carried in the access request may be determined, and then matching or searching may be performed in a virtual capability resource pool formed based on the UPnP protocol and the capabilities of the multiple controlled devices according to the target capability, so as to determine whether the target capability exists in the virtual capability resource pool, and determine that the controlled device capable of providing the target capability is the target device. Here, the virtual capability resource pool may contain a correspondence relationship between the controlled device and the capability it has.
In one embodiment, the controlled device is a smart home device with a UPnP protocol. And determining the target capability required by the requester as the capability of screen projection display under the parameters of a certain size range, a certain definition range and the like based on the access request. Searching in the virtual capacity resource pool according to the target capacity, determining that the television can provide the target capacity, and determining that the television is the target device.
In another embodiment, since a device that has the target capability may not be able to provide it at the current time, after the controlled devices having the target capability are determined, the target device capable of providing the target capability may be determined based on parameters such as the workload and resource occupation of the controlled device and its distance from the location where the requester issued the access request. For example, when a user in a video conference on a mobile phone needs to project the screen onto a larger screen, the television closest to the current location of the user's phone may be selected as the target device.
For example, determining a target device capable of providing the target capability recorded in the virtual capability resource pool may include: determining the controlled devices with the target capability recorded in the virtual capability resource pool; if there is one controlled device with the target capability, determining that controlled device to be the target device; and if there are several controlled devices with the target capability, determining the one with the lowest current resource occupancy rate to be the target device.
Therefore, the virtual capacity resource pool established based on the capacity of the controlled equipment can effectively establish the mapping relation between the controlled equipment and the virtual capacity resource, and realize more detailed and clear access control on the equipment. On the basis, the virtual capacity required to be acquired by the requester can be determined, so that accurate search can be performed in the virtual capacity resource pool, and the most suitable equipment for meeting the current virtual capacity requirement of the requester is provided for the requester.
In some embodiments, as shown in fig. 4, the S150 includes:
S151: obtaining an authorized device list corresponding to the requester;
S152: if the target device exists in the authorized device list, sending a control instruction to the target device according to the authority range information of the usage right.
In the embodiment of the present invention, the second user attribute information of an authorized access user corresponds to an authorized device list. Optionally, different authorized access users have different authorized device lists, so that different users are offered different accessible devices. For example, if for safety reasons a child should not access or control the intelligent cooking device, that device may be left out of the authorized device list corresponding to the child.
In one embodiment, after determining a target device capable of providing the target capability, it is verified whether the target device is within the authorized access range of the requestor based on a list of authorized devices corresponding to the requestor. Here, the authorized device list may record device attribute information and the like of the device accessible by the authorized access user. And if the target equipment exists in the authorized equipment list, determining that the target equipment is accessible to the requester.
Therefore, after the requester's identity and authority are verified against the authorized access users of the controlled device, the availability of the target device is verified against the requester's authorized device list, so that bidirectional authentication between the requester and the device is achieved and control over device access is further optimized.
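The checks described above (attribute comparison, lowest-occupancy target selection, then the S151/S152 authorized device list check), as an added Python example that is not code from the patent. The class names, attribute keys, device IDs and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Device:
    device_id: str
    capabilities: frozenset
    occupancy: float            # current resource occupancy rate, 0.0 to 1.0


@dataclass(frozen=True)
class Policy:
    user_attrs: tuple           # second user attribute information, (key, value) pairs
    authorized_devices: frozenset
    scope: tuple                # authority range forwarded with the control instruction


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    device_id: Optional[str] = None
    scope: tuple = ()


def match_policy(first_attrs: dict, policies: list) -> Optional[Policy]:
    """Compare the requester's (first) attributes with each policy's (second) attributes."""
    for policy in policies:
        # A policy with no attributes must never match: all() of nothing is True.
        if policy.user_attrs and all(first_attrs.get(k) == v for k, v in policy.user_attrs):
            return policy
    return None


def select_target(pool: list, capability: str) -> Optional[Device]:
    """Pick the device with the target capability and the lowest occupancy."""
    candidates = [d for d in pool if capability in d.capabilities]
    return min(candidates, key=lambda d: d.occupancy) if candidates else None


def decide(first_attrs: dict, capability: str, policies: list, pool: list) -> Decision:
    """Fail closed: every branch that is not an explicit match is a denial."""
    policy = match_policy(first_attrs, policies)
    if policy is None:
        return Decision(False, "not an authorized access user")
    target = select_target(pool, capability)
    if target is None:
        return Decision(False, "no device provides the capability")
    if target.device_id not in policy.authorized_devices:      # S151 / S152
        return Decision(False, "target device not in authorized device list")
    return Decision(True, "send control instruction", target.device_id, policy.scope)


# Constructed sample data (not from the patent).
POOL = [
    Device("tv", frozenset({"display", "speaker"}), 0.6),
    Device("tablet", frozenset({"display"}), 0.2),
    Device("oven", frozenset({"cooking"}), 0.1),
]
POLICIES = [
    Policy((("user_id", "u-parent"), ("role", "resident")),
           frozenset({"tv", "tablet", "oven"}), ("on", "off", "cast")),
    Policy((("user_id", "u-child"), ("role", "resident")),
           frozenset({"tv", "tablet"}), ("on", "off", "cast")),
    Policy((("user_id", "u-guest"), ("role", "visitor")),
           frozenset({"tv"}), ("cast",)),
]

if __name__ == "__main__":
    for user, cap in [("u-parent", "display"), ("u-child", "cooking"), ("u-guest", "display")]:
        role = "visitor" if user == "u-guest" else "resident"
        print(user, cap, decide({"user_id": user, "role": role}, cap, POLICIES, POOL))
```

With the order given above, the guest's display request is denied because the least-loaded display device (the tablet) is outside the guest's list, even though the TV is both capable and authorized.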
In some embodiments, as shown in fig. 5, the method further comprises:
S160: querying a device public key of the controlled device in the blockchain;
the S150 includes:
S153: performing identity verification on the controlled device based on the device public key;
S154: if the verification is successful, sending a control instruction to the controlled device according to the authority range information of the use authority.
In the embodiment of the present invention, the device public key may be stored in the block chain together with the access control policy of the controlled device, and is used to verify the identity validity of the controlled device to be provided with the virtual capability resource.
In one embodiment, after determining the required target capability based on the access request and determining the target device based on the target capability, the corresponding device public key may be queried in the blockchain based on the device attribute information of the target device, and the identity of the target device may be verified using the device public key. If the verification is successful, indicating that the target device is a secure device matching the public key recorded in the blockchain, a control command may be sent thereto.
In another embodiment, sending a control instruction to the controlled device may include: sending a control instruction to the controlled device, and monitoring the state of the controlled device, for example, receiving information generated and fed back by the controlled device according to the executed processing action.
Therefore, the device public key is stored based on the block chain, and the identity of the target device is verified based on the device public key, so that the safety of device information storage and device access control is further improved.
In some embodiments, as shown in fig. 6, the method further comprises:
S101: establishing a virtual capability resource pool based on the capability of at least one controlled device;
S102: determining an access control policy of the controlled device recorded in the virtual capability resource pool based on second user attribute information of an authorized access user of the controlled device and device attribute information of the controlled device;
S103: storing the access control policy into at least one block of a blockchain.
In the embodiment of the present invention, the capability of at least one controlled device may be obtained through device attribute information of at least one controlled device, where the device attribute information may be used to record identification information, capability information, and the like of the controlled device. For example, if the controlled device is an intelligent home device under the UPnP protocol, the device attribute information of the controlled device may be obtained based on the preset UPnP discovery protocol, and then the capability of the controlled device is determined.
Here, the controlled device is a smart home device under the UPnP protocol, and may be a hardware device produced according to the UPnP standard. The device attribute information may be a device description file in Extensible Markup Language (XML) format, in which detailed information of the controlled device and its virtual capabilities is recorded, and may include a device name, an Original Equipment Manufacturer (OEM) or an Original Design Manufacturer (ODM), a service information list, and the like.
In one embodiment, acquiring the capability of the at least one controlled device through the device attribute information of the at least one controlled device may include: receiving the device attribute information sent by multicast by at least one controlled device, and acquiring the capability of the controlled device based on the device attribute information.
Illustratively, the controlled device is a smart home device under the UPnP protocol, and the controlled device may send device attribute information by multicast to announce that the device is online and describes its own functions. The fixed address and the port of the controlled equipment sending equipment attribute information are monitored and recorded, and the controlled equipment with the target capability can be searched and obtained after the target capability is determined. And obtaining detailed information of the controlled equipment and the related virtual capacity thereof through the equipment attribute information provided by the controlled equipment, and recording and integrating the information to establish a virtual capacity resource pool.
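Building the virtual capability resource pool from device description files, as an added Python example that is not code from the patent. The sample descriptions are constructed, and the service-to-capability mapping, the size cap and the relative-URL rule are assumptions; the description is treated as untrusted input because any device on the network can announce one.

```python
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-upnp-org:device-1-0"}
MAX_DESCRIPTION_BYTES = 64 * 1024          # assumed cap on description size

# Assumed mapping from UPnP service type to a virtual capability name.
CAPABILITY_BY_SERVICE = {
    "urn:schemas-upnp-org:service:AVTransport:1": "display",
    "urn:schemas-upnp-org:service:RenderingControl:1": "speaker",
}

# Constructed sample description (not from the patent).
SAMPLE_TV = b"""<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
    <friendlyName>Living room TV</friendlyName>
    <manufacturer>ExampleCo</manufacturer>
    <modelName>TV-1</modelName>
    <UDN>uuid:00000000-0000-0000-0000-000000000001</UDN>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:AVTransport:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:AVTransport</serviceId>
        <SCPDURL>/AVTransport/scpd.xml</SCPDURL>
        <controlURL>/AVTransport/control</controlURL>
      </service>
      <service>
        <serviceType>urn:schemas-upnp-org:service:RenderingControl:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:RenderingControl</serviceId>
        <SCPDURL>/RenderingControl/scpd.xml</SCPDURL>
        <controlURL>/RenderingControl/control</controlURL>
      </service>
    </serviceList>
  </device>
</root>"""

# Constructed hostile inputs: one carries a DTD, one points control at another host.
SAMPLE_DTD = (b'<?xml version="1.0"?><!DOCTYPE root [<!ENTITY a "aaaa">]>'
              b'<root xmlns="urn:schemas-upnp-org:device-1-0"><device>'
              b'<UDN>uuid:x</UDN></device></root>')
SAMPLE_ABS_URL = (SAMPLE_TV
                  .replace(b"000000000001", b"000000000002")
                  .replace(b"/AVTransport/control", b"http://203.0.113.5/control"))


def parse_description(xml_bytes: bytes) -> dict:
    """Parse one device description; raise ValueError on anything suspicious."""
    if len(xml_bytes) > MAX_DESCRIPTION_BYTES:
        raise ValueError("description too large")
    lowered = xml_bytes.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise ValueError("DTD and entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"malformed description: {exc}") from exc
    device = root.find("u:device", NS)
    if device is None:
        raise ValueError("no <device> element")
    udn = device.findtext("u:UDN", default="", namespaces=NS).strip()
    if not udn.startswith("uuid:"):
        raise ValueError("missing or malformed UDN")
    services = []
    for svc in device.iterfind("u:serviceList/u:service", NS):
        stype = svc.findtext("u:serviceType", default="", namespaces=NS).strip()
        control = svc.findtext("u:controlURL", default="", namespaces=NS).strip()
        # Assumed rule: only host-relative paths, so a description cannot
        # steer control requests to an arbitrary host.
        if not control.startswith("/") or control.startswith("//"):
            raise ValueError("controlURL must be a relative path")
        services.append({"serviceType": stype, "controlURL": control})
    return {
        "udn": udn,
        "name": device.findtext("u:friendlyName", default="", namespaces=NS).strip(),
        "manufacturer": device.findtext("u:manufacturer", default="", namespaces=NS).strip(),
        "services": services,
    }


def build_pool(descriptions: list) -> dict:
    """Map each virtual capability to the UDNs of the devices that provide it."""
    pool = {}
    for raw in descriptions:
        try:
            dev = parse_description(raw)
        except ValueError:
            continue                        # rejected descriptions never enter the pool
        for svc in dev["services"]:
            cap = CAPABILITY_BY_SERVICE.get(svc["serviceType"])
            if cap and dev["udn"] not in pool.setdefault(cap, []):
                pool[cap].append(dev["udn"])
    return pool


if __name__ == "__main__":
    print(build_pool([SAMPLE_TV, SAMPLE_DTD, SAMPLE_ABS_URL]))
```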
In another embodiment, the second user attribute information and the device attribute information may be recorded in the access control policy. When the target capability is determined according to the access request and the corresponding target device is determined based on the target capability, the device attribute information recorded in the access control policy can be queried, the virtual capability resource information of the controlled device can be obtained, and the target device capable of providing the target capability can be determined by comparing the virtual capability resource information with the target capability.
In one embodiment, the access control policy is subjected to signature encryption; for example, the access control policy may be processed by the Message-Digest Algorithm (MD5), a Secure Hash Algorithm (SHA), or the like, and the encrypted access control policy is stored in at least one block of the blockchain.
Therefore, the virtual capability resource pool established based on device capabilities enables resource sharing and seamless connection among multiple devices, makes it convenient to process and schedule access requests uniformly, and simplifies network implementation through unified allocation. On this basis, the related information is stored in the blockchain, and processing such as requester identity verification and device identity verification is performed through the blockchain, so that the security of capability resource sharing of the controlled devices is greatly improved.
In some embodiments, as shown in fig. 7, the method further comprises:
S104: after the storage is finished, performing a hash operation on each block based on the access control policy stored in the block to obtain an updated hash value of the block; wherein the hash value of the block is stored in the next block in the blockchain;
S105: updating the hash value stored in the next block in the blockchain based on the updated hash value of the block.
In the embodiment of the present invention, after the access control policy of the newly added controlled device is stored in the block chain, since the block storage content is updated, the hash operation is performed on the block based on the block storage content, so as to obtain the updated hash value. In the block chain, except the first block, the hash value of the previous block is stored in each block, so as to form a chain.
And after the storage is finished, carrying out hash operation on the block, and storing the obtained updated hash value into the next block. For example, after the access control policy of the new controlled device is stored in the block 2, hash operation is performed on the block 2 to obtain a new hash value. Since the old hash value of the block 2 is stored in the block 3, the new hash value is stored in the block 3 instead of the old hash value, and the update of the stored content of the block 3 is completed. Further, hash operation is performed on block 3, and the hash value of the new block 3 is updated to block 4, and so on.
In another embodiment, each block may store the hash value of the block in addition to the hash value of the previous block, so as to serve as a basis for address backtracking. Therefore, after the updated hash value of the block is obtained, the hash value stored in the block and the hash value stored in the next block need to be updated synchronously.
Therefore, the hash value of the previous block is stored based on each block in the block chain, and the relevance and the directivity of each block are greatly improved. Therefore, if a third-party malicious device tries to join the block chain, the storage content of one block is changed after the third-party malicious device is stored in the block, so that the hash value of the block is changed, and the hash value stored in the next block is also changed. By analogy, the cost of the third-party malicious equipment entering the block chain is greatly increased, and the malicious invasion of other equipment is effectively inhibited.
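The S104/S105 update cascade and the check it enables, as an added Python example that is not code from the patent. The block layout, field names and sample policy are assumptions; SHA-256 is used because the page names MD5 and SHA as options and MD5 is no longer collision-resistant.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64      # assumed placeholder for the first block's predecessor


def block_hash(prev_hash: str, policies: list) -> str:
    """Hash the previous block's hash together with this block's stored policies."""
    payload = json.dumps({"prev": prev_hash, "policies": policies},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def new_chain(n_blocks: int) -> list:
    """Create a chain of empty blocks, each storing its own and the previous hash."""
    chain, prev = [], GENESIS_PREV
    for i in range(n_blocks):
        blk = {"index": i, "prev_hash": prev, "policies": [], "hash": block_hash(prev, [])}
        chain.append(blk)
        prev = blk["hash"]
    return chain


def rehash_from(chain: list, start: int) -> int:
    """S104/S105: re-hash block `start`, write the result into the next block, repeat."""
    touched = 0
    for i in range(start, len(chain)):
        if i > 0:
            chain[i]["prev_hash"] = chain[i - 1]["hash"]
        chain[i]["hash"] = block_hash(chain[i]["prev_hash"], chain[i]["policies"])
        touched += 1
    return touched


def store_policy(chain: list, index: int, policy: dict) -> int:
    """Store a policy in block `index`; return how many blocks had to be re-hashed."""
    chain[index]["policies"].append(policy)
    return rehash_from(chain, index)


def first_bad_block(chain: list) -> int:
    """Return the index of the first inconsistent block, or -1 if the chain is intact."""
    prev = GENESIS_PREV
    for blk in chain:
        if blk["prev_hash"] != prev:
            return blk["index"]
        if blk["hash"] != block_hash(blk["prev_hash"], blk["policies"]):
            return blk["index"]
        prev = blk["hash"]
    return -1


def sample_policy() -> dict:
    """Constructed policy record (not from the patent)."""
    return {"user_id": "u-child", "authorized_devices": ["tv", "tablet"]}


if __name__ == "__main__":
    chain = new_chain(4)
    print("blocks re-hashed:", store_policy(chain, 1, sample_policy()))   # blocks 1, 2, 3
    chain[1]["policies"][0]["authorized_devices"].append("oven")          # silent edit
    print("first inconsistent block:", first_bad_block(chain))
```

Re-hashing the tail is cheap for anyone who can write to the chain, so detection depends on verifiers comparing against a head hash or chain copy they already hold.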
In some embodiments, the method further comprises:
storing, based on the InterPlanetary File System (IPFS), operation data generated in the access control process of the controlled device.
In the embodiment of the invention, in the access control process of the controlled device, each processing action generates corresponding operation data, and the data volume is large, so that a huge storage space is often needed. The operation data is stored based on the InterPlanetary File System (IPFS), which is essentially a content-addressable, versioned, peer-to-peer hypermedia distributed storage and transmission protocol. A uniquely mapped hash identifier may be generated by performing a hash operation on the operation data. The operation data can be stored in the public network of the IPFS, and the hash identifier of the operation data is stored in the local storage space. When the operation data needs to be called, it can be looked up by its hash identifier to obtain the corresponding operation data.
In this way, the operation data can be stored in the whole public network based on the IPFS storage, and the operation data is stored without using a multilevel directory, and the corresponding operation data is accessed through a unique hash identifier. The storage space overhead can be saved to some extent.
As shown in fig. 8, an apparatus for controlling access to a device according to an embodiment of the present invention includes:
a receiving unit 110, configured to receive an access request, where the access request includes: first user attribute information of the requestor;
the query unit 120 is configured to query, according to the access request, a blockchain storing an access control policy of the controlled device;
a determining unit 130, configured to determine whether the requesting party is an authorized access user according to the first user attribute information and the queried access control policy;
an allocating unit 140, configured to, when the requesting party is an authorized access user, allocate a usage right of a virtual capability to the requesting party from a virtual capability resource pool established based on the capability of the controlled device;
a sending unit 150, configured to send a control instruction to the controlled device according to the authority range information of the usage authority, where the control instruction is used to control the controlled device to accept the access of the requestor within the usage authority.
In some embodiments, the apparatus further comprises:
the query unit is used for querying the device public key of the controlled device in the block chain;
the sending unit is specifically configured to perform identity verification on the controlled device based on the device public key;
and if the verification is successful, sending a control instruction to the controlled equipment according to the authority range information of the use authority.
In some embodiments, the apparatus further comprises:
the establishing unit is used for establishing a virtual capacity resource pool based on the capacity of at least one controlled device;
a decision unit, configured to determine an access control policy of the controlled device recorded in the virtual capability resource pool based on second user attribute information of an authorized access user of the controlled device and device attribute information of the controlled device;
a storage unit, configured to store the access control policy in at least one block of a block chain.
In some embodiments, the apparatus further comprises:
the computing unit is used for carrying out hash operation on the blocks based on the access control strategies stored in each block after the storage is finished so as to obtain updated hash values of the blocks; wherein the hash value of the block is stored in the next block in the chain of blocks;
and the updating unit is used for updating the hash value stored in the next block in the block chain based on the updated hash value of the block.
In some embodiments, the storage unit is further configured to:
store, based on the InterPlanetary File System (IPFS), operation data generated in the access control process of the controlled device.
One specific example is provided below in connection with any of the embodiments described above:
the embodiment of the invention provides an intelligent home distributed capability sharing access control method based on a block chain, wherein a block chain technology, a UPnP (universal plug and play) protocol and access control are combined, the system topology of the embodiment of the invention is shown in FIGS. 9 and 10, and the control flow of intelligent home equipment in two scenes of a resident and a visitor is described.
1. The core process comprises the following steps: the work flow of the intelligent home management and control system combined with the block chain is processed by four modules together: the system comprises an intelligent home resource information module, an intelligent home resource management module, an intelligent home resource execution module and an intelligent home resource decision module, wherein the modules work cooperatively, and the request of a user is processed through related components, as shown in fig. 11, the system comprises nine steps:
Step 1: the smart home owner (resident) uploads access control authority information of the smart home devices through the resource information module, where the access control authority information includes user attribute information and UPnP device information; meanwhile, the resource management module is used to configure the access control policies corresponding to users and capability resources, and this information is stored in the blockchain;
Step 2: the smart home user (resident/visitor) initiates an access request to the smart home device through the resource execution module;
Step 3: the resource decision module calls the resource management module to obtain the access control policy corresponding to the user and the capability resource, and at the same time calls the resource information module to obtain the related attribute information of the smart home user;
Step 4: the resource decision module compares the attribute information of the smart home user with the attribute information set in the access control policy, and if the judgment result shows that the user is allowed, a correct result is returned to the resource execution module;
Step 5: the resource execution module receives the decision result sent by the resource decision module, collates the open virtual capability usage permissions specified in the access control policy, and returns them to the user, so that the smart home user obtains permission to access the open virtual capabilities;
Step 6: the smart home user applies for the usage permission of an open virtual capability through the resource execution module;
Step 7: the resource execution module passes the request of the smart home device user to the resource decision module;
Step 8: the resource decision module searches for UPnP devices with the related virtual capability, compares them against the obtained resource list of the smart home user, judges whether they are within the allowed range and confirms, and returns response confirmation information to the resource execution module;
Step 9:
9-1: the resource execution module returns the call permission response information to the smart home user and sends a control action request to the related UPnP device.
9-2: after receiving the feedback, the smart home user can use the smart home device within the granted permission, and the process ends.
2. The smart home management and control system encrypts the related attribute information of users and devices on the blockchain. Since the hash of the previous block is needed when calculating a block's hash, it would be very costly for a third party to add a malicious device to the blockchain. The blockchain adopts a chained block data structure, that is, a data structure in which transactions occurring within a period of time are stored in units of blocks and the blocks are connected into a chain in time order by a cryptographic algorithm. When data is stored in the blockchain, trusted data signature processing is required, and the corresponding signature values are obtained using digital fingerprint technologies such as MD5 and SHA. The following information is thus stored in each data block: the hash of the previous block and the hash of the current block, the user access control policy, the device authorization public key information, and the like. Therefore, the address of the previous block can be used for backtracking, so that the data is stored in a chain and the security of the data is improved. The association of the signatures in each block is shown in fig. 12, where 00006yjabc, 000007jlabc, 000008baced, and 000009yycae are hash values generated by the hash operation.
3. The intelligent home management and control system can perform distributed storage on a large amount of operation data information possibly generated in the using process of the intelligent home through the IPFS. IPFS is essentially a content addressable, versioned, point-to-point hypermedia distributed storage and transmission protocol, has the characteristic of content addressable, generates unique hash identification through file content, and saves the cost of space overhead to a certain extent. The IPFS carries out hash operation on the operation data of the smart home, then searches for the operation data according to the hash value to obtain corresponding storage content, and the fed-back hash value and the operation data storage content are mapped with each other.
For example, the storage of operational data may be implemented by pseudo code as shown in FIG. 13.
The hash value corresponding to the operation data of the smart home can be obtained after the hash processing is carried out on the operation data.
When the uploaded smart home operation data needs to be acquired, the operation data can be acquired through codes as shown in fig. 14.
4. The smart home management and control system uses the UPnP protocol to complete device discovery and control, acting as a universal UPnP control point; the UPnP protocol provides a standard protocol for automatic discovery and control, so zero configuration of smart home devices can be achieved. When a smart home device joins the network, the UPnP discovery protocol allows the device to announce by multicast to the smart home management and control system that it is online and to describe its functions; at the same time, the smart home management and control system can monitor the fixed address and port on which devices send messages, so that devices with the required virtual capability in the network are searched for and obtained, the detailed information of each device and its related virtual capabilities is obtained through the device description file provided by the device, and the information is recorded through the smart home resource information module. Then, after the device user has been verified and has obtained permission to use the smart home device, the smart home management and control system performs signature verification using the device public key on the blockchain, selects the operation to be performed and the service provided by the device according to the device description, sends a control action request to the specified smart home device, requires the device to start the service, and monitors the state of the device; when the state changes, a corresponding processing action is taken, and after the smart home device completes the command, the related information is fed back to the management and control system.
5. The smart home device is a hardware device produced according to the UPnP standard, and can be regarded as a "container" associated with a service and containing conventional devices, wherein the smart home device comprises a series of sub-devices and various services. The detailed information of the device and the virtual capability is usually recorded in an XML device description file, which is generally prepared by the manufacturer and contains attributes related to the device, such as the device name, the equipment manufacturer (OEM) or solution manufacturer (ODM), the Universally Unique Identifier (UUID) of the device, the device type (modeName), the service list (serviceList), etc., as shown in fig. 15. The service list may record a service type (serviceType), a service ID (serviceId), a Uniform Resource Locator of the service description (SCPDURL), a URL for service control (controlURL), and the like.
After the smart home management and control system obtains the detailed description information related to the device and the service, the corresponding service action can be called, and therefore control and operation of the smart home device are achieved. In this way, seamless connection between devices in the home or company network is achieved, and network implementation is simplified. For example, when a user receives a video conference call, the smart home management and control system can help the user switch the video of the colleagues from the narrow mobile phone interface to a television screen for display, achieving a better interactive experience. The user sends a request to acquire the corresponding virtual capability, and the flow is shown in fig. 16. The virtual resource pool may include display, network communication, microphone, speaker, Central Processing Unit (CPU), Global Positioning System (GPS), and other capability resources.
6. The method for openly sharing smart home device capabilities can avoid "denial of service" attacks, in which a third-party hacker announces itself online to the system to induce the system to request downloads of service content, so that a large amount of system resources are occupied and the service of the whole system slows down or even stops. The method introduces a blockchain and a smart contract policy into the automatic discovery and control process of UPnP devices, and at the same time applies encryption and signature processing to the device information; a device can be put on the chain only after it has been verified and confirmed, which avoids intrusion by malicious devices to a certain extent. Only after authorization is granted can the device user operate the UPnP device, so that the security and reliability of the device are greatly improved.
An embodiment of the present invention further provides an electronic device, where the electronic device includes: a processor and a memory for storing a computer program capable of running on the processor, the computer program when executed by the processor performing the steps of one or more of the methods described above.
An embodiment of the present invention further provides a computer-readable storage medium, where computer-executable instructions are stored in the computer-readable storage medium, and after being executed by a processor, the computer-executable instructions can implement the method according to one or more of the foregoing technical solutions.
The computer storage media provided by the present embodiments may be non-transitory storage media.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or in other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may be separately used as one unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
In some cases, any two of the above technical features may be combined into a new method solution without conflict.
In some cases, any two of the above technical features may be combined into a new device solution without conflict.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media capable of storing program codes, such as a removable Memory device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (11)

1. A device access control method, comprising:
receiving an access request, wherein the access request comprises: first user attribute information of the requestor;
inquiring a block chain storing an access control strategy of the controlled equipment according to the access request;
determining whether the requester is an authorized access user according to the first user attribute information and the queried access control policy;
when the requesting party is an authorized access user, allocating the use permission of the virtual capacity to the requesting party from a virtual capacity resource pool established based on the capacity of the controlled equipment;
and sending a control instruction to the controlled equipment according to the authority range information of the use authority, wherein the control instruction is used for controlling the controlled equipment to accept the access of the requester in the use authority.
2. The method of claim 1, wherein the determining whether the requesting party is an authorized access user according to the first user attribute information and the queried access control policy comprises:
determining second user attribute information of an authorized access user of the controlled equipment according to the queried access control strategy;
and comparing the first user attribute information with the second user attribute information to determine whether the requester is an authorized access user.
3. The method of claim 1, wherein the allocating usage rights of virtual capabilities to the requestor from within a virtual capability resource pool established based on capabilities of the controlled device comprises:
determining a required target capability according to the access request;
determining target devices capable of providing the target capabilities recorded in a virtual capability resource pool established based on the capabilities of the controlled devices;
and allocating the use right of the target device to the requester.
4. The method according to claim 3, wherein the sending a control instruction to the controlled device according to the authority range information of the usage authority comprises:
obtaining an authorized equipment list corresponding to the requester;
and if the target equipment exists in the authorized equipment list, sending a control instruction to the target equipment according to the authority range information of the use authority.
5. The method of claim 1, further comprising:
inquiring a device public key of the controlled device in the block chain;
the sending of the control instruction to the controlled device according to the authority range information of the use authority includes:
performing identity verification on the controlled equipment based on the equipment public key;
and if the verification is successful, sending a control instruction to the controlled equipment according to the authority range information of the use authority.
6. The method of claim 1, further comprising:
establishing a virtual capacity resource pool based on the capacity of at least one controlled device;
determining an access control policy of the controlled device recorded in the virtual capacity resource pool based on second user attribute information of an authorized access user of the controlled device and device attribute information of the controlled device;
storing the access control policy in at least one block of a chain of blocks.
7. The method of claim 6, further comprising:
after the storage is finished, performing a hash operation on each block based on the access control policy stored in that block to obtain an updated hash value of the block; wherein the hash value of the block is stored in the next block in the blockchain;
updating the hash value stored in the next block in the blockchain based on the updated hash value of the block.
8. The method of any one of claims 1 to 7, further comprising:
storing, based on the InterPlanetary File System (IPFS), operation data generated in the access control process of the controlled device.
9. A device access control apparatus, the apparatus comprising:
a receiving unit, configured to receive an access request, where the access request includes: first user attribute information of the requester;
a query unit, configured to query, according to the access request, a blockchain storing an access control policy of the controlled device;
a determining unit, configured to determine whether the requester is an authorized access user according to the first user attribute information and the queried access control policy;
an allocation unit, configured to allocate, when the requester is an authorized access user, the usage right of a virtual capability to the requester from a virtual capability resource pool established based on the capabilities of the controlled device;
and a sending unit, configured to send a control instruction to the controlled device according to the authority range information of the usage authority, wherein the control instruction is used to control the controlled device to accept access by the requester within the usage authority.
10. An electronic device, characterized in that the electronic device comprises: a processor and a memory for storing a computer program capable of running on the processor; wherein
the processor, when executing the computer program, performs the steps of the device access control method of any of claims 1 to 8.
11. A computer-readable storage medium having stored thereon computer-executable instructions; the computer executable instructions, when executed by a processor, are capable of implementing a device access control method as claimed in any one of claims 1 to 8.
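Claims 6 and 7 store each access control policy in hash-linked blocks and refresh the hash held by the next block after a policy is stored. The sketch below is an added illustration, not code from the patent: SHA-256, the JSON serialization, the field names and the sample policies are assumptions, and it goes beyond claim 7 by carrying the refresh through every later block and adding a verifier that locates a policy changed without re-linking.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder: prev_hash of the first block
# Constructed sample policies; attribute names and values are illustrative.
SAMPLE_POLICIES = [
    {"device": "camera-01", "capability": "video", "allow": {"role": "owner"}},
    {"device": "lock-01", "capability": "unlock", "allow": {"role": "owner"}},
    {"device": "speaker-01", "capability": "audio", "allow": {"role": "guest"}},
]


def block_hash(block):
    """SHA-256 over the stored policy and the previous block's hash."""
    body = {"policy": block["policy"], "prev_hash": block["prev_hash"]}
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def build_chain(policies):
    """Store one access control policy per block, linked to its predecessor."""
    chain, prev = [], GENESIS
    for policy in policies:
        block = {"policy": policy, "prev_hash": prev}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def store_policy(chain, index, policy):
    """Store a policy, rehash its block, then refresh each later block's link."""
    chain[index]["policy"] = policy
    for i in range(index, len(chain)):
        if i > index:
            chain[i]["prev_hash"] = chain[i - 1]["hash"]
        chain[i]["hash"] = block_hash(chain[i])


def first_broken_link(chain):
    """Return the index of the first inconsistent block, or None if all verify."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return i
        prev = block["hash"]
    return None
```

Because each block's hash covers the previous block's hash, storing a policy in one block changes the hash of every block after it, so a policy edited without the refresh step is reported at the block where it was changed.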
CN202110806362.XA 2021-07-16 2021-07-16 Device access control method and device, electronic device and storage medium Pending CN115622723A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110806362.XA CN115622723A (en) 2021-07-16 2021-07-16 Device access control method and device, electronic device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110806362.XA CN115622723A (en) 2021-07-16 2021-07-16 Device access control method and device, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN115622723A true CN115622723A (en) 2023-01-17

Family

ID=84855584

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110806362.XA Pending CN115622723A (en) 2021-07-16 2021-07-16 Device access control method and device, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN115622723A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116645023A (en) * 2023-07-21 2023-08-25 中海油信息科技有限公司 Real-time index control process transportation system and method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116645023A (en) * 2023-07-21 2023-08-25 中海油信息科技有限公司 Real-time index control process transportation system and method
CN116645023B (en) * 2023-07-21 2024-03-01 中海油信息科技有限公司 Real-time index control process transportation system and method

Similar Documents

Publication Publication Date Title
US11212289B2 (en) Dynamic passcodes in association with a wireless access point
US8396220B2 (en) System and method of mobile content sharing and delivery in an integrated network environment
US7331059B2 (en) Access restriction control device and method
CN108540433B (en) User identity verification method and device
CN108259422B (en) Multi-tenant access control method and device
CN108768948B (en) Access right management method, server and computer readable storage medium
EP3356961A1 (en) Peer-to-peer syncable storage system
US20090254561A1 (en) Method for Accessing User Data and Profile Management Server
JP2004187305A (en) Method for communication between nodes in peer-to-peer network using common group label
US20100030346A1 (en) Control system and control method for controlling controllable device such as peripheral device, and computer program for control
CN111742531A (en) Profile information sharing
JP6074497B2 (en) Method and apparatus for media information access control and digital home multimedia system
JP2016519828A (en) Access control method, apparatus, program, and recording medium
JP2019212017A (en) Communication device and communication method
US20070162980A1 (en) SYSTEM AND METHOD FOR PROVIDING CONTENT SECURITY IN UPnP SYSTEMS
CN115622723A (en) Device access control method and device, electronic device and storage medium
US20090210544A1 (en) APPARATUS AND METHOD FOR CONTROLLING ACCESS IN p2p NETWORK
US9386074B2 (en) Method and apparatus for providing cloud service, and system having the same
CN113746909A (en) Network connection method, device, electronic equipment and computer readable storage medium
US20110289552A1 (en) Information management system
CN108076009B (en) Resource sharing method, device and system
CN114024755B (en) Service access control method, device, equipment and computer readable storage medium
KR20130085474A (en) System and method for access control of device and service source between in home network middleware
CN116437331A (en) Non-inductive distribution network method, non-inductive distribution network system, equipment and medium
CN115396246A (en) Data center access method, system, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination