CN115913771B - Internet of things equipment cross-domain authentication method based on distributed digital identity - Google Patents


Info

Publication number: CN115913771B
Authority: CN (China)
Prior art keywords: equipment, internet, manufacturer, things, certificate
Legal status: Active
Application number: CN202211639836.7A
Other languages: Chinese (zh)
Other versions: CN115913771A (en)
Inventors: 陈若禹, 李春林, 严松, 黄德俊
Current assignee: Sichuan Cric Technology Co ltd
Original assignee: Sichuan Cric Technology Co ltd
Application filed by Sichuan Cric Technology Co ltd with priority to CN202211639836.7A; published as CN115913771A, then granted and published as CN115913771B.

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention relates to Internet of Things (IoT) device authentication technology and discloses a cross-domain authentication method for IoT devices based on distributed digital identities, which solves the problems that existing cross-manufacturer IoT device linkage schemes are high in risk and cost and depend on a CA and certificates. The method comprises the following steps: when an IoT device produced by a manufacturer leaves the factory, it applies to that manufacturer for the creation of a DID, and the manufacturer issues a credential to the device; after the user purchases the device, the user obtains the device's credential from its manufacturer and, with that credential, obtains the authority to operate the device, so that independent control of each device is achieved. When the user wants device a to control the linkage of a device b from the same manufacturer, device a sends the verifiable credential of device b to device b, and device b confirms through it that device a is a product of the same manufacturer and then establishes a link. When the user wants device a to control the linkage of a device c from a different manufacturer, device a sends the verifiable credential of device c to device c; device c submits the verifiable credential to its own manufacturer for verification and establishes the link after verification passes.

Description

Internet of things equipment cross-domain authentication method based on distributed digital identity
Technical Field
The invention relates to Internet of Things device authentication technology, in particular to a cross-domain authentication method for IoT devices based on distributed digital identities.
Background
As Internet of Things applications deepen and their scenarios grow richer, typical IoT scenarios are developing from single functions toward interaction among devices; in the smart home field in particular, linkage between scenarios has become one of the core applications of IoT. In a household with IoT devices from several different manufacturers, one device controlling the linkage of others, with the devices interconnected and cooperating, brings the smart home user a convenient and comfortable living experience.
However, because individual tastes differ, users who buy smart home products often end up with devices from different manufacturers, chosen for appearance, price or function. When such devices are linked, the identity information of the different manufacturers' devices is not interoperable. On the one hand, the user's choice is limited by manufacturer lock-in, which makes for a poor shopping experience; on the other hand, devices are hard to control across manufacturers, and the existing cross-domain approaches are complex and carry potential safety hazards, which greatly degrades the user's experience of smart IoT devices.
To address the difficulty of cross-domain collaboration caused by non-interoperable device identity information across manufacturers, the industry currently offers several solutions based on cloud-to-cloud docking, digital-certificate-based identity authentication, identity authentication based on edge computing nodes, and the like:
(1) Patent application 202110963724.6, 'Method and device for network distribution of intelligent devices', describes network distribution among devices of different manufacturers through the network-distribution interface of a cloud-to-cloud docking service. In practice, however, the cloud servers of the two sides are often unstable during docking and suffer defects in information transmission (for example, weak local signal propagation), so that the servers cannot give correct feedback, which leads to operational problems, bandwidth limitations, hardware faults and the like.
(2) Patent application 202210517048.4, 'Cross-domain authentication method and device, user registration method and device', proposes cross-domain access to edge computing nodes by authenticating a unique identity ID generated by the local node together with a first authentication token. The scheme effectively solves cross-domain unified identity authentication using a certificate mechanism, but provides no solution for bidirectional authentication between devices and users, and carries security risks such as man-in-the-middle attacks.
(3) Patent application 202210314352.9, 'Blockchain-based cross-domain authentication and key negotiation method in the Internet of Things environment', designs an elliptic-curve-based IoT entity authentication and key negotiation protocol for identity authentication within a home domain and between domains. The scheme effectively solves cross-domain device identity authentication using a certificate mechanism and avoids the single point of failure of a traditional single CA, but the security and persistence of the organizations running the multiple CA nodes can affect the authentication management of devices.
Judging from the prior art, the technical layer of cross-domain device access already supports cross-device identity authentication and ensures security through a certificate mechanism. However, existing solutions still have several main problems:
First, none of the above patents addresses the smart home field, where inter-manufacturer device linkage needs to be more stable and universal. Second, with cloud docking, the cloud servers of the two sides are unstable, so that the servers cannot give correct feedback, which leads to operational problems, bandwidth limitations, hardware faults and the like. Third, different manufacturers may use different formats for the operation instructions of a control device, and issuing operation instructions across domains may change their meaning, even to the opposite, as with an instruction to switch a lamp on or off. Finally, in the above methods, controlling a device across manufacturers requires at least one additional gateway from one of the manufacturers to deliver the instructions, increasing the user's cost.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: a cross-domain authentication method for Internet of Things devices based on distributed digital identities, which solves the problems that existing cross-manufacturer IoT device linkage schemes are high in risk and cost and depend on a CA and certificates.
The technical scheme adopted to solve this problem is as follows:
A cross-domain authentication method for Internet of Things devices based on distributed digital identities comprises the following steps:
when an IoT device produced by a manufacturer leaves the factory, it applies to that manufacturer for the creation of a DID (distributed digital identity), and the manufacturer issues a credential to the device;
after a user purchases the IoT device, the user acquires the device's credential from its manufacturer;
the user obtains the authority to operate the device according to that credential.
Further, the method further comprises:
when a user wants one IoT device a to control the linkage of another IoT device b produced by the same manufacturer, the following steps are executed:
S1, the user sends to device a a verifiable credential obtained by simplifying the credential of device b;
S2, device a sends the verifiable credential of device b to device b;
S3, device b confirms through the verifiable credential that device a is a product of the same manufacturer;
S4, a link is established between device b and device a;
S5, the user can control device b through device a and send linkage instructions to device b.
Further, the method further comprises:
when a user wants one IoT device a to control the linkage of another IoT device c produced by a different manufacturer, the following steps are executed:
S1, the user sends to device a a verifiable credential obtained by simplifying the credential of device c;
S2, device a sends the verifiable credential of device c to device c;
S3, device c submits the verifiable credential to the manufacturer of device c for verification;
S4, the manufacturer of device c verifies the verifiable credential;
S5, a link is established between device c and device a;
S6, the user can control device c through device a and send linkage instructions to device c.
Further, the credential includes factory information and device owner information of the corresponding IoT device.
The beneficial effects of the invention are as follows:
The invention designs a cross-domain authentication scheme for IoT devices based on distributed digital identities in a smart home scenario. Whichever manufacturer a device belongs to, the devices controlled by a user have a uniform identity through the distributed digital identity (DID). The scheme can perform cross-manufacturer identity authentication and key negotiation between devices without depending on a CA or certificates; it avoids complex interaction between cloud servers, saves the hardware cost of a gateway, unifies operation instructions across manufacturers, and greatly reduces the risk and cost of operating devices across domains.
Drawings
FIG. 1 is an application scenario diagram in an embodiment;
FIG. 2 is a flow chart for operating device A using distributed digital identities;
FIG. 3 is a flow chart of an operation device B using distributed digital identities;
FIG. 4 is a flow chart of operating device C using distributed digital identities;
FIG. 5 is a flow chart for implementing equipment A control equipment C linkage using distributed digital identities;
FIG. 6 is a flow chart for implementing appliance A control appliance B linkage using distributed digital identities.
Detailed Description
Blockchain technology is a distributed storage scheme that draws on several disciplines, including mathematics, cryptography and computer science, and has the characteristics of decentralization, traceability, tamper resistance, collective maintenance and public transparency. It can meet the requirements of IoT data collection in respects such as data security and traceability.
Distributed digital identity is built on blockchain technology. The decentralized nature of the blockchain effectively overcomes the control that a single service provider holds over a user account, its tamper resistance effectively solves the problem of identity trust, and a credential-based trust construction mechanism provides a security mechanism for the transfer of identity and authorization trust, giving a safe and reliable solution to the inter-manufacturer authentication and collaboration problems of IoT devices.
The invention aims to provide a method by which IoT devices have distributed digital identities, identity authentication of cross-domain devices is achieved by passing verifiable credentials between devices, and cooperation between devices and cross-domain device control are thereby achieved.
Examples:
The application scenario of this embodiment is shown in FIG. 1 and includes a user, manufacturer A, manufacturer B, IoT device A, IoT device B and IoT device C.
Manufacturer A and manufacturer B are IoT device manufacturers: manufacturer A produces IoT devices A and C, and manufacturer B produces IoT device B. It is assumed that the user has purchased devices A, B and C, that both manufacturers support distributed digital identities, and that device A has gateway functionality. Each device registers its distributed digital identity with its manufacturer and obtains a service credential issued by the manufacturer, containing information such as the device's manufacturer and owner.
1. The user controls individual devices, see FIG. 2 to FIG. 4:
(1) The user operates device A through its distributed digital identity by the following procedure (FIG. 2):
S1, when IoT device A leaves the factory it applies to manufacturer A for the creation of a DID, and manufacturer A issues a credential to device A containing the factory information of device A and the device owner;
S2, after the user purchases device A, manufacturer A uploads the credential VCa of device A to the user;
S3, the user obtains the authority to operate device A;
S4, the user issues operation instructions to device A to control it.
(2) The user operates device B through its distributed digital identity by the following procedure (FIG. 3):
S1, when IoT device B leaves the factory it applies to manufacturer B for the creation of a DID, and manufacturer B issues a credential to device B containing the factory information of device B and the device owner;
S2, after the user purchases device B, manufacturer B uploads the credential VCb of device B to the user;
S3, the user obtains the authority to operate device B;
S4, the user issues operation instructions to device B to control it.
(3) The user operates device C through its distributed digital identity by the following procedure (FIG. 4):
S1, when IoT device C leaves the factory it applies to manufacturer A for the creation of a DID, and manufacturer A issues a credential to device C containing the factory information of device C and the device owner;
S2, after the user purchases device C, manufacturer A uploads the credential VCc of device C to the user;
S3, the user obtains the authority to operate device C;
S4, the user issues operation instructions to device C to control it.
2. Linkage between devices of the same manufacturer:
The user has purchased device A and obtained its service credential VCa, and has purchased device C and obtained its service credential VCc; with these credentials the user can directly control device A and device C. When the user wants device A to control the linkage of device C, produced by the same manufacturer A, the following steps are carried out, see FIG. 5:
S1, the user sends to device A the verifiable credential VPc obtained by simplifying the service credential VCc of device C;
S2, device A sends the verifiable credential VPc of device C to device C;
S3, it is confirmed through VPc that device C is a product of the same manufacturer;
S4, a link is established between device C and device A;
S5, device A can control device C and send linkage instructions to device C.
3. Linkage between devices of different manufacturers:
The user has obtained the service credential VCa of device A and the service credential VCb of device B on purchase and can directly control device A and device B through these credentials. When the user wants device A to control the linkage of device B, the following steps are needed, see FIG. 6:
S1, the user sends to device A the verifiable credential VPb obtained by simplifying the service credential VCb of device B;
S2, device A sends the verifiable credential VPb of device B to device B;
S3, device B submits VPb to manufacturer B for verification;
S4, manufacturer B verifies it and the verification passes;
S5, a link is established between device B and device A;
S6, device A can control device B and send linkage instructions to device B.
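The Go program below is an added worked example; it is not code from the patent or from the applicant. It models the flows of FIG. 5 and FIG. 6 end to end: the manufacturer registers each device's DID and signs a service credential carrying factory information and owner (VCa, VCb, VCc), the user wraps the target device's credential into a holder-signed presentation (the "simplified" VPc or VPb), device A forwards it, and the target device either confirms a same-manufacturer requester against the manufacturer public key it carries from the factory or hands a foreign credential to its own manufacturer, which resolves the issuer DID on the ledger. Everything beyond the patent text is an assumption of this example: Ed25519 signatures, an in-memory map standing in for the blockchain DID registry, the `did:example:...` identifiers and plant names, and the choice that device A attaches its own credential to the link request so that the target can learn which manufacturer A belongs to.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Ledger stands in for the blockchain DID registry: DID -> public key of its DID document.
type Ledger map[string]ed25519.PublicKey
// Identity is any DID holder (manufacturer, user or device) together with its private key.
type Identity struct{ DID string; priv ed25519.PrivateKey }
// NewIdentity generates a key pair and publishes the public key under the DID.
func NewIdentity(l Ledger, did string) *Identity {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	l[did] = pub
	return &Identity{DID: did, priv: priv}
}
func (id *Identity) Sign(msg []byte) []byte { return ed25519.Sign(id.priv, msg) }
// Credential is the manufacturer-issued service credential: factory information plus owner.
type Credential struct {
	Issuer  string `json:"issuer"`  // manufacturer DID
	Subject string `json:"subject"` // device DID
	Factory string `json:"factory"` // factory information
	Owner   string `json:"owner"`   // user DID, recorded when the device is sold
}
// bytes is the signed form; the struct fixes the JSON field order, so it is canonical.
func (c Credential) bytes() []byte { b, _ := json.Marshal(c); return b }
// SignedCredential adds the manufacturer's signature over Credential.bytes().
type SignedCredential struct{ Credential; Sig []byte }
func (sc SignedCredential) Verify(pub ed25519.PublicKey) bool { return ed25519.Verify(pub, sc.Credential.bytes(), sc.Sig) }
// Issue is the manufacturer's step: the DID is registered at the factory, the owner recorded at sale.
func Issue(vendor *Identity, dev, factory, owner string) SignedCredential {
	c := Credential{Issuer: vendor.DID, Subject: dev, Factory: factory, Owner: owner}
	return SignedCredential{Credential: c, Sig: vendor.Sign(c.bytes())}
}
// Presentation is the holder-signed simplified credential (VP); Sig is the holder's signature over the vendor signature.
type Presentation struct{ VC SignedCredential; Holder string; Sig []byte }
// Present is S1: the owner wraps the target device's credential into a VP for device A.
func Present(user *Identity, vc SignedCredential) Presentation {
	return Presentation{VC: vc, Holder: user.DID, Sig: user.Sign(vc.Sig)}
}
// LinkRequest is what device A forwards in S2. Assumption: A attaches its own credential so the
// target can tell which manufacturer A belongs to; the patent does not say how that is learned.
type LinkRequest struct{ VP Presentation; Requester SignedCredential }
// Device keeps its manufacturer's DID and public key as a factory trust anchor, plus its credential.
type Device struct{ *Identity; vendorDID string; anchor ed25519.PublicKey; vc SignedCredential }
// vendorVerify is the cross-manufacturer path (S3/S4): the device's own manufacturer resolves the
// foreign issuer's DID on the ledger and checks the signature on the device's behalf.
func vendorVerify(l Ledger, sc SignedCredential) error {
	if pub, ok := l[sc.Issuer]; !ok || !sc.Verify(pub) {
		return errors.New("foreign credential did not verify")
	}
	return nil
}
// Accept is the target device's side of S3/S4 and reports which path established the link.
func (d *Device) Accept(l Ledger, req LinkRequest) (string, error) {
	vp := req.VP
	if vp.VC.Subject != d.DID || vp.VC.Issuer != d.vendorDID || !vp.VC.Verify(d.anchor) {
		return "", errors.New("presented credential is not my own manufacturer-issued credential")
	}
	// Only the owner recorded in the credential may present it, and the requesting device must share that owner.
	if hk, ok := l[vp.Holder]; !ok || vp.Holder != vp.VC.Owner || req.Requester.Owner != vp.Holder || !ed25519.Verify(hk, vp.VC.Sig, vp.Sig) {
		return "", errors.New("presenter is not the owner of both devices")
	}
	if req.Requester.Issuer == d.vendorDID { // same manufacturer: verifiable against the local anchor
		if !req.Requester.Verify(d.anchor) {
			return "", errors.New("requester credential is forged")
		}
		return "same-vendor", nil
	}
	if err := vendorVerify(l, req.Requester); err != nil { // different manufacturer: ask own vendor
		return "", err
	}
	return "cross-vendor", nil
}
// Scenario reproduces the embodiment (manufacturer A makes devices A and C, manufacturer B makes
// device B) and returns the path taken for A->C and A->B plus the error a non-owner presenter gets.
func Scenario() (same, cross string, stranger, err error) {
	l := Ledger{}
	vA, vB := NewIdentity(l, "did:example:vendorA"), NewIdentity(l, "did:example:vendorB")
	user := NewIdentity(l, "did:example:user")
	mk := func(v *Identity, did, factory string) *Device {
		return &Device{NewIdentity(l, did), v.DID, l[v.DID], Issue(v, did, factory, user.DID)}
	}
	devA, devB, devC := mk(vA, "did:example:devA", "plant-A1"), mk(vB, "did:example:devB", "plant-B1"), mk(vA, "did:example:devC", "plant-A1")
	if same, err = devC.Accept(l, LinkRequest{Present(user, devC.vc), devA.vc}); err != nil {
		return
	}
	if cross, err = devB.Accept(l, LinkRequest{Present(user, devB.vc), devA.vc}); err != nil {
		return
	}
	_, stranger = devC.Accept(l, LinkRequest{Present(NewIdentity(l, "did:example:stranger"), devC.vc), devA.vc})
	return
}

func main() { fmt.Println(Scenario()) }
```

Run it with `go run`; it prints the two link paths ("same-vendor" for A to C, "cross-vendor" for A to B) and the error a non-owner's presentation receives. The design point for a defender is that the target device never takes the forwarding device's word for anything: each decision rests on a signature it checks against a factory-installed trust anchor or, for a foreign issuer, on a verification its own manufacturer performs after resolving the issuer's DID, which is what lets the scheme do without a shared CA.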
Finally, it should be noted that the above examples are only preferred embodiments and are not intended to limit the invention; modifications, equivalents and improvements made by those skilled in the art without departing from the spirit of the invention and the scope of the claims are intended to be included within the scope of the invention.

Claims (3)

1. A cross-domain authentication method for Internet of Things devices based on distributed digital identities, characterized by comprising the following steps:
when an IoT device produced by a manufacturer leaves the factory, it applies to that manufacturer for the creation of a DID, and the manufacturer issues a credential to the device;
after a user purchases the IoT device, the user acquires the device's credential from its manufacturer;
the user obtains the authority to operate the device according to that credential;
when a user wants one IoT device a to control the linkage of another IoT device c produced by a different manufacturer, the following steps are executed:
S1, the user sends to device a a verifiable credential obtained by simplifying the credential of device c;
S2, device a sends the verifiable credential of device c to device c;
S3, device c submits the verifiable credential to the manufacturer of device c for verification;
S4, the manufacturer of device c verifies the verifiable credential;
S5, a link is established between device c and device a;
S6, the user can control device c through device a and send linkage instructions to device c.
2. The cross-domain authentication method for Internet of Things devices based on distributed digital identities as claimed in claim 1, wherein the method further comprises:
when a user wants one IoT device a to control the linkage of another IoT device b produced by the same manufacturer, the following steps are executed:
S1, the user sends to device a a verifiable credential obtained by simplifying the credential of device b;
S2, device a sends the verifiable credential of device b to device b;
S3, device b confirms through the verifiable credential that device a is a product of the same manufacturer;
S4, a link is established between device b and device a;
S5, the user can control device b through device a and send linkage instructions to device b.
3. The cross-domain authentication method for Internet of Things devices based on distributed digital identities according to claim 1 or 2, wherein the credential includes factory information and device owner information of the corresponding IoT device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211639836.7A CN115913771B (en) 2022-12-20 2022-12-20 Internet of things equipment cross-domain authentication method based on distributed digital identity


Publications (2)

Publication Number Publication Date
CN115913771A CN115913771A (en) 2023-04-04
CN115913771B true CN115913771B (en) 2024-04-26

Family

ID=86492438


Country Status (1)

Country Link
CN (1) CN115913771B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7676829B1 (en) * 2001-10-30 2010-03-09 Microsoft Corporation Multiple credentials in a distributed system
CN111447187A (en) * 2020-03-19 2020-07-24 重庆邮电大学 Cross-domain authentication method for heterogeneous Internet of things
CN111865917A (en) * 2020-06-16 2020-10-30 郑州信大捷安信息技术股份有限公司 Block chain-based safe delivery method, system and medium for Internet of things equipment
CN114091009A (en) * 2021-11-19 2022-02-25 四川启睿克科技有限公司 Method for establishing secure link by using distributed identity

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3718288A1 (en) * 2018-01-03 2020-10-07 Convida Wireless, LLC Cross-domain discovery between service layer systems and web of things systems
US20210374730A1 (en) * 2020-05-29 2021-12-02 EMC IP Holding Company LLC Dcf decentralized ids and verifiable credentials for product delivery into data confidence fabrics


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HIBE-MPJ: research on a cross-domain communication mechanism for the Internet of Things environment based on HIBE; 季一木, 陆毅成, 刘尚东, 王舒, 唐玟, 肖小英, 何亦拓, 王凯瑞, 吴海丰; Journal of Nanjing University of Posts and Telecommunications (Natural Science Edition), No. 4, pp. 5-14 *



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant