CN115967623A - Device management method, device, electronic device and storage medium

Publication number: CN115967623A
Application number: CN202111174947.0A
Authority: CN (China)
Legal status: Pending
Original language: Chinese (zh)
Prior art keywords: request, network, capability, equipment, signature
Inventors: 东昀, 姚佳良, 贾倩, 卿青海
Assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd
Landscape: Computer And Data Communications
Abstract

The application discloses a device management method and apparatus, an electronic device, and a storage medium. The method comprises the following steps: a first control point acquires a first request; the first request carries at least a first signature and requests management of a device in a first network; the first network includes a plurality of devices that can communicate based on the Universal Plug and Play (UPnP) protocol; the first control point is one of the plurality of devices whose computing capacity meets a first condition; the first control point calls a first node of a second network, through a smart contract, to verify the validity of the first signature according to a preset endorsement policy and obtain a first verification result; and the management operation corresponding to the first request is executed when the first verification result indicates that the first signature is valid.

Description

Device management method, device, electronic device and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a device management method and apparatus, an electronic device, and a storage medium.
Background
In recent years, the number of smart home devices in digital home networks has grown greatly. These devices usually join the digital home network based on Universal Plug and Play (UPnP) technology, which gives them plug-and-play operation, zero configuration, network transparency, and the like.
However, UPnP technology carries a large security risk, and the related art imposes insufficient security requirements on it, so the digital home network is exposed to a large security risk.
Disclosure of Invention
In order to solve the related technical problems, embodiments of the present application provide a device management method, an apparatus, an electronic device, and a storage medium.
The technical scheme of the embodiment of the application is realized as follows:
The embodiment of the application provides a device management method, which is applied to a first control point and comprises the following steps:
acquiring a first request; the first request carries at least a first signature; the first request is for requesting management of a device in a first network; the first network includes a plurality of devices; the plurality of devices can communicate with each other based on the UPnP protocol; the first control point is one of the plurality of devices whose computing capacity meets a first condition;
calling a first node of a second network to verify the validity of the first signature according to a preset endorsement policy through a smart contract to obtain a first verification result;
and executing the management operation corresponding to the first request when the first verification result indicates that the first signature is valid.
In the above solution, the first request is sent by a first terminal; the first signature represents the identity of the operator of the first terminal; the calling the first node of the second network to verify the validity of the first signature according to a preset endorsement policy comprises:
sending a second request to the first node; the second request is for requesting verification of whether the operator of the first terminal is registered in the second network and of whether the operator of the first terminal has the authority to execute the management operation corresponding to the first request;
and receiving a first verification result returned by the first node for the second request.
In the above solution,
when the operator of the first terminal is registered in the second network and has the authority to execute the management operation corresponding to the first request, the first verification result indicates that the first signature is valid;
and when the operator of the first terminal is not registered in the second network or does not have the authority to execute the management operation corresponding to the first request, the first verification result indicates that the first signature is not valid.
In the above solution, the method further comprises:
when the first verification result indicates that the first signature is not valid, sending first information to the first terminal; the first information prompts the operator of the first terminal to register to the second network and/or to obtain the authority to execute the management operation corresponding to the first request.
In the above solution, the first request is specifically for requesting that a first device be controlled to access the first network; the executing the management operation corresponding to the first request comprises:
calling a second node of the second network to verify the identity of the first device through the smart contract to obtain a second verification result;
and controlling the first device to access the first network when the second verification result indicates that the identity of the first device is verified.
In the above solution, the calling the second node of the second network to verify the identity of the first device includes:
sending a third request to the second node; the third request is for requesting verification of whether the first device is registered in the second network;
and receiving a second verification result returned by the second node for the third request.
In the above solution, the method further comprises:
controlling the first device to register to the second network when the second verification result indicates that the identity of the first device is not verified.
In the above solution, the controlling the first device to register to the second network includes:
sending a fourth request to the first device; the fourth request is for requesting the first device to send a fifth request to a first server; the fifth request is for requesting registration of the first device to the second network.
In the above solution, the first request is specifically for requesting that a second device use a first capability; the second device does not have the first capability; the executing the management operation corresponding to the first request comprises:
determining whether a third device having the first capability exists in the first network, and determining, according to the state of the third device, whether the third device can provide the first capability, to obtain a determination result;
and controlling the second device to use the first capability when the determination result indicates that the third device exists in the first network and can provide the first capability.
In the above solution, the controlling the second device to use the first capability includes:
controlling the second device and the third device to transmit the resource corresponding to the first capability.
In the above solution, the controlling the second device and the third device to transmit the resource corresponding to the first capability includes:
controlling the second device and the third device to transmit the resource corresponding to the first capability in encrypted form.
In the above solution, the method further includes:
acquiring operation information of at least one device in the first network;
and storing the acquired operation information to a second server based on the InterPlanetary File System (IPFS) protocol.
The embodiment of the present application further provides a device management apparatus, which is disposed on the first control point and includes:
an acquisition unit configured to acquire a first request; the first request carries at least a first signature; the first request is for requesting management of a device in a first network; the first network includes a plurality of devices; the plurality of devices can communicate with each other based on the UPnP protocol; the first control point is one of the plurality of devices whose computing power meets a first condition;
a first processing unit configured to call a first node of a second network to verify the validity of the first signature according to a preset endorsement policy through a smart contract to obtain a first verification result;
and a second processing unit configured to execute the management operation corresponding to the first request when the first verification result indicates that the first signature is valid.
An embodiment of the present application further provides an electronic device, including: a processor and a memory for storing a computer program operable on the processor, wherein the processor is operable to perform the steps of any of the methods described above when executing the computer program.
Embodiments of the present application also provide a storage medium having a computer program stored thereon, where the computer program is executed by a processor to implement the steps of any one of the above methods.
According to the device management method and apparatus, the electronic device and the storage medium, the first control point obtains a first request; the first request carries at least a first signature; the first request is for requesting management of a device in a first network; the first network includes a plurality of devices; the plurality of devices can communicate based on the UPnP protocol; the first control point is one of the plurality of devices whose computing power meets a first condition; the first control point calls a first node of a second network to verify the validity of the first signature according to a preset endorsement policy through a smart contract to obtain a first verification result; and the management operation corresponding to the first request is executed when the first verification result indicates that the first signature is valid. According to the scheme of the embodiment of the application, when a device in the UPnP network (namely, a first network constructed based on UPnP technology) is managed, a node of the second network is called through a smart contract to verify, according to a preset endorsement policy, the validity of the signature carried by the device management request, and the corresponding management operation is executed only when the signature is found valid; in other words, a blockchain network (namely, the second network) is used to guarantee the security of device management operations on the UPnP network. Therefore, the security risk of the UPnP network can be reduced, the data security of the UPnP network is guaranteed, and the security of the digital home network can be improved.
Drawings
Fig. 1 is a schematic view of a scenario in the related art in which a hacker invades a smart home device to carry out a malicious attack;
Fig. 2 is a schematic flowchart of a device management method according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a smart home device accessing a home capability sharing system according to an embodiment of the present application;
Fig. 4 is a schematic topology diagram of the user module (i.e., the client-facing module of the system) in the home capability sharing system according to an embodiment of the present application;
Fig. 5 is a schematic flowchart of an exemplary embodiment of a blockchain network;
Fig. 6 is a schematic structural diagram of a device management apparatus according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples.
In the related art, a smart home management and control system with a centralized architecture (also referred to as a centralized system) is generally used to manage the smart home devices in a digital home network, and it is assumed that the central node (i.e., the server) and the smart home devices communicate through a secure channel; in other words, the central node manages the smart home devices in the digital home network without considering the security of the communication between the central node and the smart home devices.
Meanwhile, the various smart home devices in the digital home network each provide their own capabilities, and these capabilities cannot be shared; barriers remain between smart home devices with the same functions, seamless switching cannot be achieved between different display devices, different loudspeaker devices, different computing components of devices, and so on, and the smart home devices cannot be utilized to the maximum.
In addition, the smart home devices in the digital home network generate, process and transmit a large amount of sensitive data (such as user privacy data), and because the process by which smart home devices access the digital home network based on UPnP technology lacks an authentication mechanism for the devices, malicious devices outside the digital home network can easily join it by way of port mapping, which endangers data such as user privacy; meanwhile, the identity information of a smart home device can easily be cloned once captured by a hacker, and once the cloned illegal device is connected to the digital home network and the smart home devices, data in the digital home network and the smart home devices can be stolen and the user's privacy leaked. In addition, some malicious programs (such as Mirai, Gafgyt, Doflo, Tsunami, Hajime, MrBlack, and the like) can invade and control smart home devices through vulnerabilities, brute-force cracking, and the like; once the smart home devices are invaded and controlled, security threats and risks arise, such as leakage of user information and device data, control of and damage to the hardware, use of the devices in Distributed Denial of Service (DDoS) attacks or other malicious attacks, and attacks on network devices such as routers to steal the user's Internet data. For example, as shown in Fig. 1, a hacker (i.e., an attacker, which may also be referred to as the master control end) may identify the Internet Protocol (IP) address of a smart home device in the digital home network and, using the identified IP address, launch a DDoS attack on a target device through that smart home device (i.e., the controlled end, which may also be referred to as a zombie host, literally a "broiler chicken"), which may interrupt the corresponding smart home service and leak the user's privacy.
In summary, the related art's way of managing smart home devices in a digital home network has the following problems:
1) Management and maintenance: the smart home devices in the digital home network are managed by a centralized system, and as the number of devices grows, the management and maintenance pressure on the centralized system grows with it;
2) Single point of trust: the centralized system performs unified control and central arbitration through a central node, and when the host (i.e., the central node) fails or is attacked, the whole system may stop working;
3) Data transmission is not encrypted, so the user's private data is easily leaked;
4) Remote control commands lack strengthened authorization, leaving security risks such as illegal intrusion and application hijacking;
5) The hardware devices expose debugging interfaces and may use an operating system or third-party libraries that have security vulnerabilities;
6) The process by which smart home devices access the digital home network based on UPnP technology lacks an authentication mechanism for the devices, so there is a risk of malicious devices joining the digital home network;
7) The smart home devices cannot share their capabilities, so the smart home capabilities cannot be utilized to the maximum.
Based on this, in various embodiments of the present application, when a management operation is performed on a device in a UPnP network, a node of a blockchain network is invoked through a smart contract to verify, according to a preset endorsement policy, the validity of the signature carried in the device management request, and the corresponding management operation is performed only when the signature is found valid; in other words, the blockchain network is used to ensure the security of device management operations on the UPnP network. Therefore, the security risk of the UPnP network can be reduced, the data security of the UPnP network is guaranteed, and the security of the digital home network can be improved.
Meanwhile, in various embodiments of the present application, decentralized authentication and authorization are achieved based on the blockchain network; the method therefore avoids depending on a central node and solves the single-point-of-trust problem of the centralized system.
In addition, in various embodiments of the present application, the management operations performed on devices in the UPnP network include capability sharing between devices; in other words, capability sharing between devices is achieved based on the UPnP protocol and the blockchain network, and the transmitted data can be encrypted. Therefore, the device capabilities can be utilized to the maximum while data security is guaranteed.
An embodiment of the present application provides a device management method, which is applied to a first control point and, as shown in Fig. 2, includes:
step 201: acquiring a first request; the first request carries at least a first signature;
here, the first request is for requesting management of a device in a first network; the first network includes a plurality of devices; the plurality of devices can communicate with each other based on the UPnP protocol; the first control point is one of the plurality of devices whose computing power meets a first condition;
step 202: calling a first node of a second network to verify the validity of the first signature according to a preset endorsement policy through a smart contract to obtain a first verification result;
step 203: executing the management operation corresponding to the first request when the first verification result indicates that the first signature is valid.
In practical applications, the first network may also be referred to as the UPnP network, and the second network may also be referred to as the blockchain network.
In practical application, the multiple devices included in the first network may be smart devices such as desktop computers, notebook computers, tablet computers and mobile phones, or smart home devices such as smart televisions, smart speakers, air conditioners, refrigerators and sweeping robots.
In practical application, the first control point may be any device in the first network that meets the first condition, and the first condition may be set according to requirements. Illustratively, the first condition may be that at least 70% of the device's computing resources are idle. It will be appreciated that the first network may comprise a plurality of control points.
In step 201, during actual application, the first request may specifically be used to request one of the following (that is, the management operation corresponding to the first request may include one of the following):
controlling a first device to access the first network;
controlling the second device to use the first capability of the third device, namely realizing capability sharing between the second device and the third device;
operating a fourth device; such as adjusting the temperature of an air conditioner, starting a sweeper, etc.
Here, the capabilities of the device may include video capabilities, audio capabilities, microphone capabilities, camera capabilities, and the like; the capability sharing may be understood as resource sharing, i.e. file sharing.
In actual application, a user may initiate, through a terminal, a management operation for a device in the first network, that is, the first request may be sent by the first terminal; the first control point may directly receive the first request sent by the first terminal, or may obtain the first request from another device (e.g., a server), that is, receive the first request of the first terminal forwarded by the other device.
In step 202, in actual application the smart contract may be set according to requirements; the smart contract may also be referred to as chaincode (Chain-Code, abbreviated CC).
In actual application, the first signature may represent the identity of a user, that is, the identity of the operator of the first terminal; verifying the validity of the first signature may be understood as verifying the validity of the identity of the operator of the first terminal, that is, determining whether the operator of the first terminal has the authority to perform the management operation corresponding to the first request.
Based on this, in an embodiment, the calling the first node of the second network to verify the validity of the first signature according to a preset endorsement policy may include:
sending a second request to the first node; the second request is used for requesting to verify whether the operator of the first terminal is registered in the second network or not and requesting to verify whether the operator of the first terminal has the authority of executing the management operation corresponding to the first request or not;
and receiving a first verification result returned by the first node for the second request.
Here, the verifying whether the operator of the first terminal is registered in the second network may be understood as determining whether registration information corresponding to the first terminal, such as a public key corresponding to the first terminal, is stored in the second network.
In practical application, during a process that an operator of the first terminal registers in the second network, the first terminal and the second network may negotiate to determine and store a first private key and a first public key, the first terminal may generate the first signature using the first private key, and the second network may verify the first signature using the first public key, that is, the first node may verify validity of the first signature using the first public key according to a preset endorsement policy.
Specifically, after receiving the second request, the first node may verify whether the operator of the first terminal is registered in the second network by determining whether the second network stores a first public key capable of verifying the first signature, and determine whether the operator of the first terminal has a right to execute the management operation corresponding to the first request according to a preset endorsement policy. Here, in a case where the second network stores the first public key, it may be determined that the operator of the first terminal has been registered in the second network; in a case where the second network does not store the first public key, it may be determined that the operator of the first terminal is not registered in the second network.
Wherein, in a case that the operator of the first terminal is registered in the second network and the operator of the first terminal has the authority to execute the management operation corresponding to the first request, the validity of the first signature represented by the first verification result is verified;
and in the case that the operator of the first terminal is not registered in the second network or in the case that the operator of the first terminal does not have the authority to execute the management operation corresponding to the first request, the first verification result represents that the validity of the first signature is not verified.
In practical application, the endorsement policy may be preset according to requirements, and the embodiment of the present application does not limit this.
In practical application, the manner in which the first terminal and the second network determine the first private key and the first public key may be set as required. Illustratively, a Subscriber Identity Module (SIM) card serial number of the first terminal may be directly determined as the first public key, and the first private key may be generated by using an SM9 algorithm according to the SIM card serial number of the first terminal.
In actual application, when the validity of the first signature is not verified, the first control point may prompt an operator of the first terminal to register in the second network, and/or obtain a right to execute a management operation corresponding to the first request.
Based on this, in an embodiment, the method may further include:
under the condition that the first verification result represents that the validity of the first signature is not verified, sending first information to the first terminal; the first information is used for prompting an operator of the first terminal to register in the second network and/or obtaining the authority for executing the management operation corresponding to the first request.
In practical application, the manner in which the operator of the first terminal obtains the authority to execute the management operation corresponding to the first request may be set according to a requirement, which is not limited in the embodiment of the present application.
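As an added illustration of steps 201 to 203 and of the second request described above (example code written for this page, not from the patent or its assignee): a Python simulation in which the control point forwards a signed request to three simulated nodes of the second network, each running a chaincode-style check of registration and authority against its own ledger copy, and applies a constructed 2-of-3 endorsement policy before either executing the operation or returning the "first information" prompt. The operator names, ledger contents, operation names and the textbook-RSA toy signature (a stand-in for a real scheme such as the SM9 example above; it is not secure) are all constructed assumptions.

```python
"""Simulated flow of steps 201-203: control point -> N ledger nodes -> endorsement
policy -> execute or prompt.  All keys, names and ledger data are constructed."""
import hashlib
import json


# --- toy signature primitive (constructed; textbook RSA with tiny primes, NOT secure) ---
def toy_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)); primes are hard-coded so the example runs offline (Python 3.8+)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _digest(payload, n):
    data = json.dumps(payload, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(payload, private_key):
    n, d = private_key
    return pow(_digest(payload, n), d, n)


def verify(payload, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == _digest(payload, n)


# --- one node of the 'second network': a ledger copy plus a chaincode-style handler ---
class Node:
    def __init__(self, registered, permissions):
        self.registered = registered      # {public_key: operator_name}
        self.permissions = permissions    # {operator_name: {operation, ...}}

    def verify_operator(self, request):
        """Handle the 'second request': is the signer registered, and is it authorized?"""
        payload, sig = request["payload"], request["signature"]
        # Registration check: does a stored public key verify the first signature?
        operator = next((name for pk, name in self.registered.items()
                         if verify(payload, sig, pk)), None)
        registered = operator is not None
        authorized = registered and payload["operation"] in self.permissions.get(operator, set())
        return {"registered": registered, "authorized": authorized}


def endorse(nodes, request, threshold):
    """Constructed endorsement policy: a verdict counts only if >= threshold nodes agree."""
    votes = [json.dumps(n.verify_operator(request), sort_keys=True) for n in nodes]
    best = max(set(votes), key=votes.count)
    if votes.count(best) < threshold:            # no quorum: fail closed
        return {"registered": False, "authorized": False}
    return json.loads(best)


# Management operations the control point can carry out (constructed effects)
OPERATIONS = {
    "access_network": lambda p: f"device {p['device']} admitted to the UPnP network",
    "operate_device": lambda p: f"device {p['device']} set to {p['value']}",
}


def handle_request(nodes, request, threshold=2):
    """Steps 202 and 203 at the first control point."""
    verdict = endorse(nodes, request, threshold)
    if verdict["registered"] and verdict["authorized"]:
        op = request["payload"]["operation"]
        return {"executed": True, "effect": OPERATIONS[op](request["payload"])}
    # 'first information': tell the terminal's operator what is missing
    prompt = []
    if not verdict["registered"]:
        prompt.append("register to the second network")
    if not verdict["authorized"]:
        prompt.append("obtain authority for " + request["payload"]["operation"])
    return {"executed": False, "prompt": "; ".join(prompt)}


# --- constructed sample data ---
ALICE_PUB, ALICE_PRIV = toy_keypair(10007, 10009)      # registered operator
MALLORY_PUB, MALLORY_PRIV = toy_keypair(10037, 10039)  # never registered


def build_nodes():
    ledger, perms = {ALICE_PUB: "alice"}, {"alice": {"operate_device"}}
    # The third node's ledger copy is stale (alice missing); the 2-of-3 policy tolerates it.
    return [Node(dict(ledger), dict(perms)), Node(dict(ledger), dict(perms)), Node({}, {})]


def make_request(operation, device, value, private_key):
    payload = {"operation": operation, "device": device, "value": value}
    return {"payload": payload, "signature": sign(payload, private_key)}


if __name__ == "__main__":
    nodes = build_nodes()
    print(handle_request(nodes, make_request("operate_device", "aircon-1", "24C", ALICE_PRIV)))
    print(handle_request(nodes, make_request("operate_device", "aircon-1", "24C", MALLORY_PRIV)))
```

The policy fails closed: a request whose verdict does not reach the threshold is treated exactly like an unregistered operator, and a payload altered after signing no longer verifies against any stored key, so the same prompt path is taken.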
In step 203, in actual application, when the first request is specifically used to request a first device to access the first network, and when a management operation corresponding to the first request is executed, in order to further ensure data security of the UPnP network, the first control point needs to perform identity authentication on the first device, so as to determine that the first device is not a malicious device.
Based on this, in an embodiment, when the first request is specifically for requesting that a first device be controlled to access the first network, the executing the management operation corresponding to the first request may include:
calling a second node of the second network to verify the identity of the first device through the smart contract to obtain a second verification result;
and controlling the first device to access the first network when the second verification result indicates that the identity of the first device is verified.
In actual application, verifying the identity of the first device may be understood as verifying whether the first device is registered in the second network, that is, determining whether registration information corresponding to the first device, such as the name of the first device, its device Identifier (ID), its device type (such as smart speaker, camera, and the like), its manufacturer (i.e., vendor), and the like, is stored in the second network.
Based on this, in an embodiment, the invoking the second node of the second network to verify the identity of the first device may include:
sending a third request to the second node; the third request is for requesting verification whether the first device is registered in the second network;
and receiving a second verification result returned by the second node for the third request.
Here, when the first device has been registered in the second network, the second verification result indicates that the identity of the first device is verified; when the first device is not registered in the second network, the second verification result indicates that the identity of the first device is not verified.
In practical application, the first control point needs to control the first device to register to the second network when the identity of the first device is not verified.
Based on this, in an embodiment, the method may further include:
controlling the first device to register to the second network when the second verification result indicates that the identity of the first device is not verified.
In an embodiment, the controlling the first device to register to the second network may include:
sending a fourth request to the first device; the fourth request is for requesting the first device to send a fifth request to a first server; the fifth request is for requesting registration of the first device to the second network.
In actual application, after receiving the fourth request sent by the first control point, the first device may send the fifth request to the first server. After receiving the fifth request, the first server may determine, based on the vendor ID carried in the fifth request, whether the vendor of the first device has been certified by a Certificate Authority (CA), that is, whether the vendor holds a certificate issued by the CA. When the vendor of the first device has been certified by the CA, the first server may further verify the validity of the first device, that is, determine whether the device information obtained from the first device is consistent with the related information (such as name, device ID, device type, and the like) of the first device obtained from its vendor. When the device information obtained from the first device is consistent with the related information obtained from the vendor, that is, when the first device passes the validity verification, the first server may register the first device to the second network, that is, store the registration information of the first device in the second network.
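As an added illustration of the device access and registration path just described (third request, then fourth and fifth request; example code written for this page, not the patent's own), a Python simulation of the first server's two checks: the vendor named by the vendor ID must hold a CA-issued certificate, and the device information sent by the device must match the record the vendor supplied, before the device's registration information is stored. The vendor IDs, certificate serials, device records and the in-memory ledger are constructed assumptions.

```python
"""Simulated registration of a new device to the 'second network' via the first
server (fourth/fifth request path).  Vendor IDs, certificates and records are
constructed for this example."""

# Constructed CA view: vendor IDs holding a CA-issued certificate (value = certificate serial)
CA_CERTIFIED_VENDORS = {"vendor-A": "cert-serial-0001"}

# Constructed records the vendor supplied to the first server about its devices
VENDOR_DEVICE_RECORDS = {
    "vendor-A": {"dev-1001": {"name": "living-room-speaker", "device_type": "smart_speaker"}},
}

CHECKED_FIELDS = ("name", "device_type")  # fields compared between device and vendor record


class DeviceLedger:
    """In-memory stand-in for the registration information stored in the second network."""

    def __init__(self):
        self.devices = {}

    def register(self, record):
        self.devices[record["device_id"]] = dict(record)

    def is_registered(self, device_id):
        return device_id in self.devices


def vendor_is_certified(vendor_id):
    """CA check: does the vendor hold a certificate issued by the CA?"""
    return vendor_id in CA_CERTIFIED_VENDORS


def device_matches_vendor_record(vendor_id, device_info):
    """Validity check: device-supplied info must agree with the vendor-supplied record."""
    record = VENDOR_DEVICE_RECORDS.get(vendor_id, {}).get(device_info.get("device_id"))
    if record is None:
        return False
    return all(device_info.get(f) == record.get(f) for f in CHECKED_FIELDS)


def first_server_handle_fifth_request(ledger, fifth_request):
    """Return (registered, reason) after the CA check and the consistency check."""
    vendor_id, device_info = fifth_request["vendor_id"], fifth_request["device_info"]
    if not vendor_is_certified(vendor_id):
        return False, "vendor not certified by CA"
    if not device_matches_vendor_record(vendor_id, device_info):
        return False, "device information inconsistent with vendor record"
    ledger.register({**device_info, "vendor_id": vendor_id})
    return True, "registered"


def control_point_handle_access(ledger, device_info, vendor_id):
    """Third request (identity check); on failure, fourth request -> device sends fifth request."""
    if ledger.is_registered(device_info["device_id"]):
        return "access granted"
    # Fourth request: the device is told to register; it sends the fifth request to the first server
    fifth_request = {"vendor_id": vendor_id, "device_info": device_info}
    ok, reason = first_server_handle_fifth_request(ledger, fifth_request)
    return "registered to the second network" if ok else f"registration refused: {reason}"


if __name__ == "__main__":
    ledger = DeviceLedger()
    speaker = {"device_id": "dev-1001", "name": "living-room-speaker", "device_type": "smart_speaker"}
    print(control_point_handle_access(ledger, speaker, "vendor-A"))
    print(control_point_handle_access(ledger, speaker, "vendor-A"))
```

A device presenting a registered device ID but a different device type (the cloned-identity case from the background section) fails the consistency check and is not stored, and an uncertified vendor is refused before any device data is compared.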
In actual application, when the first request is specifically for requesting that a second device be controlled to use a first capability, executing the management operation corresponding to the first request requires first determining whether a third device having the first capability exists in the first network, and then determining, according to the state of the third device, whether the third device can currently provide the first capability.
Based on this, in an embodiment, when the first request is specifically for requesting that the second device be controlled to use the first capability, executing the management operation corresponding to the first request may include:
determining whether a third device having the first capability exists in the first network, and determining, according to the state of the third device, whether the third device can provide the first capability, so as to obtain a determination result;
controlling the second device to use the first capability when the determination result indicates that the third device exists in the first network and the third device can provide the first capability.
Here, a capability may also be understood as a service, and determining whether the third device can provide the first capability may be understood as determining whether the third device can provide the corresponding service. In practical applications, the third device cannot provide the first capability when, for example, the third device has failed or the third device is already using the first capability (i.e. the third device is already providing the corresponding service).
In an embodiment, the controlling the second device to use the first capability may include:
controlling the second device and the third device to transmit the resource corresponding to the first capability.
In actual application, when controlling the second device and the third device to transmit the resource corresponding to the first capability, the first control point may obtain, from the third device, a resource list corresponding to the first capability, where the resource list may include related information (such as names, file types, creation dates, file sizes, and the like) of multiple files corresponding to the first capability and a transmission protocol supported by each file; meanwhile, the first control point may further obtain a transmission protocol and a resource format supported by the second device, determine a target transmission protocol and a target transmission format that are simultaneously supported by the second device and the third device according to the resource list corresponding to the first capability, the transmission protocol supported by the second device, and the resource format supported by the second device, and notify the target transmission protocol and the target transmission format to the second device and the third device, so as to control the second device and the third device to transmit the resource corresponding to the first capability based on the target transmission protocol and the target transmission format.
In actual application, in order to further ensure data security of the UPnP network, the first control point may control the second device and the third device to perform encrypted transmission of the resource corresponding to the first capability.
Based on this, in an embodiment, the controlling the second device and the third device to perform transmission of the resource corresponding to the first capability may include:
controlling the second device and the third device to carry out encrypted transmission of the resource corresponding to the first capability.
In practical application, when the second device and the third device carry out encrypted transmission of the resource corresponding to the first capability, the manner in which the third device encrypts the resource and the manner in which the second device decrypts it may be set according to requirements. For example, the third device may encrypt the resource using a first public key, and the second device may decrypt the resource using the corresponding first private key.
In practical application, in order to further ensure data security of the UPnP network, the first control point may store operation information of the device in the first network based on an IPFS protocol.
Based on this, in an embodiment, the method may further include:
acquiring operation information of at least one device in the first network;
storing the acquired operation information on a second server based on the IPFS protocol.
Here, the operation information of a device may include the operating time, power consumption, system version, and the like of the device.
In actual application, in order to further ensure data security of the UPnP network, when the first control point stores the acquired operation information in the second server, a preset algorithm may be used to encrypt the operation information; the preset algorithm can be set according to requirements.
According to the device management method and apparatus, the electronic device and the storage medium described above, the first control point acquires the first request; the first request carries at least a first signature; the first request is for requesting management of a device in a first network; the first network includes a plurality of devices; the plurality of devices can communicate with each other based on the UPnP protocol; the first control point is a device, among the plurality of devices, whose computing capacity meets a first condition; a first node of a second network is called through an intelligent contract to verify the validity of the first signature according to a preset endorsement policy, so as to obtain a first verification result; and the management operation corresponding to the first request is executed when the first verification result indicates that the validity of the first signature has been verified. According to the scheme of the embodiments of the present application, when a management operation is performed on a device in the UPnP network, the validity of the signature carried by the device management request is verified according to the preset endorsement policy by calling a node of the blockchain network through an intelligent contract, and the corresponding management operation is executed only when the validity of the signature has been verified; that is, the blockchain network is used to guarantee the security of device management operations performed on the UPnP network. The security risk of the UPnP network can therefore be reduced, the data security of the UPnP network guaranteed, and the security of the digital home network improved.
Meanwhile, in the various embodiments of the present application, decentralized authentication and authorization are achieved based on a blockchain network; therefore, dependence on a central node is avoided, and the single-point trust problem of a centralized system is solved.
In addition, in the various embodiments of the present application, the management operations performed on the devices in the UPnP network include capability sharing between the devices; in other words, capability sharing between devices is achieved based on the UPnP protocol and the blockchain network, and the transmitted data may be encrypted. Therefore, device capabilities can be utilized to the maximum extent while data security is guaranteed.
The present application will be described in further detail with reference to the following application examples.
The present application embodiment provides a trusted smart home capability sharing system based on the UPnP protocol (hereinafter referred to as the home capability sharing system for short), including: a UPnP network (i.e., the first network), a blockchain network (i.e., the second network), an IPFS storage device (i.e., the second server), a device authentication center (i.e., the first server), a user management module, a home network control center, a device authentication module, and an authentication management module. The home capability sharing system builds a capability resource pool for the smart home (namely the UPnP network) based on the UPnP protocol and realizes seamless sharing of device capabilities (namely resources) through the UPnP protocol (that is, capability sharing is achieved without needing device drivers), so that distributed sharing of the capabilities of smart home devices is achieved. Meanwhile, devices accessing the UPnP network are registered through Public Key Infrastructure (PKI) authentication, and the registration information of the devices is stored in the blockchain network, so that secure access of smart devices is achieved. The blockchain network is specifically used to realize user identity authentication, device identity authentication and device management (namely device control); because blockchain storage is costly, the home capability sharing system stores the encrypted operation information and user data of devices in the UPnP network on the IPFS storage device. The security and privacy of the data of the home capability sharing system are thus guaranteed through the blockchain network and the IPFS storage device.
In this application embodiment, as shown in fig. 3, the workflow of the home capability sharing system based on the UPnP network includes: device authentication, device addressing, service discovery (i.e., device discovery), device description, device control, device events, and device presentation. In order to prevent a malicious device from accessing the home network, before the device is addressed, i.e. before the device is allocated an Internet Protocol (IP) address using the Dynamic Host Configuration Protocol (DHCP), the home capability sharing system needs to perform device authentication, which can also be understood as user authorization, i.e. determining that the accessing device is not a malicious device and granting it access to the UPnP network (i.e. registering the device to the blockchain network). The authorized device information (i.e. the registration information of the device) is placed on the blockchain network, and the data generated while the device operates is stored by the IPFS storage device.
In this application embodiment, the modules of the home capability sharing system may be divided into device-oriented modules and client-oriented modules (which may also be called user modules). The device-oriented modules include: the UPnP network, the device authentication center, the user management module, the home network control center and the device authentication module; as shown in fig. 4, the client-oriented modules include: the blockchain network, the IPFS storage device and the authentication management module.
The function of the home capability sharing system will be described in detail below.
Firstly, when a user uses the home capability sharing system, the user needs to register to the home capability sharing system.
Specifically, a user logs in to the home capability sharing system through the SIM card application of the client. In order to reduce the difficulty of user registration and improve the security of user identity information in the home network, the home capability sharing system uses the SM9 algorithm as its encryption algorithm; compared with a traditional PKI algorithm, the SM9 algorithm does not require applying for a digital certificate and is suitable for securing various emerging Internet applications. The home capability sharing system uses the user management module to obtain the SIM card serial number of the user as the public key of the home network, stores the public key in the blockchain network, and uses the key to encrypt data, authenticate the user identity (namely, a blockchain intelligent contract uses the public key to verify the signature so as to determine the user identity), encrypt the data channel between the system and the SIM card, and so on. Meanwhile, the card application generates a private key using the SM9 algorithm according to the SIM card serial number of the user, and stores the private key on the SIM card side.
In actual application, the home capability sharing system can serve multiple households. When the first user of each household logs in to the home capability sharing system, the first user logs in through the SIM card application; after the home capability sharing system confirms the user, it queries the SIM card information, stores information such as the serial number of the SIM card in the blockchain, and sets the user's authority to super manager. When other users or visitors join the home network, registration is performed after authorization by the super manager, and only the super manager, or a user to whom the super manager identity has been transferred, can delete a home user or visitor.
Secondly, the home capability sharing system needs to establish the UPnP network, namely connect smart devices to the digital home network. The process of connecting a smart device to the digital home network includes: a manufacturer access process, a smart device registration process and a smart device access process.
The manufacturer access process includes the following steps:
Step 1: a smart home device manufacturer sends an access request (namely a registration request) to the home network control center; then step 2 is executed;
Step 2: the home network control center verifies the manufacturer certificate with the CA organization; if the CA organization does not hold the manufacturer certificate, the corresponding manufacturer is determined not to pass certificate verification, and step 3 is executed; if the certificate verification passes (i.e., the manufacturer certificate exists at the CA organization), the manufacturer is added to the Certificate Trust List (CTL), and step 5 is executed;
Step 3: the manufacturer applies to the CA organization for a certificate; then step 4 is executed;
Step 4: the CA organization decides whether to issue a certificate to the manufacturer based on the authenticity of the manufacturer's identity; if the manufacturer passes the authenticity verification and the certificate is issued successfully, step 2 is executed; otherwise, registration fails, namely access fails;
Step 5: the manufacturer information completes the registration process on the home network control center (i.e. the manufacturer information is saved in the blockchain network), and manufacturer registration succeeds.
The smart device registration process includes the following steps:
Step A: the smart device initiates a registration request (namely the fifth request) to the device authentication center; then step B is executed;
here, the registration request may contain device information such as a vendor ID, a device ID, and the like;
Step B: the device authentication center checks, according to the manufacturer ID, whether the manufacturer has already been accessed by the home network control center; if not, step C is executed; if already accessed, step D is executed;
Step C: the manufacturer initiates a registration request to the home network control center; if registration succeeds, step D is executed; otherwise, device registration fails;
Step D: the home network control center acquires the device information from the manufacturer according to the device ID, and verifies the validity of the device identity by comparing whether the device information acquired from the manufacturer is consistent with the device information contained in the registration request; if the device passes the validity verification, step E is executed; otherwise, device registration fails;
Step E: the home network control center stores the device information in the blockchain network, and device registration succeeds.
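The vendor and device checks just listed (and the first server's handling of the fifth request described earlier: CA-certified vendor first, then field-by-field comparison of the device's self-reported information against the vendor's record) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent or from any product. It assumes the CA query is a set of certified vendor IDs, that each vendor exposes a lookup of the devices it actually produced, and that a dict stands in for the registration information stored on the blockchain; all three are constructed here.

```python
"""Added example: manufacturer access (CTL) and device registration checks."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DeviceInfo:
    vendor_id: str
    device_id: str
    name: str
    device_type: str


@dataclass
class HomeNetworkControlCenter:
    # Vendor IDs the CA has issued certificates to (constructed stand-in for a CA query).
    ca_certified_vendors: set
    # Per-vendor lookup of the devices the vendor actually produced (vendor-side records).
    vendor_records: dict  # vendor_id -> {device_id: DeviceInfo}
    ctl: set = field(default_factory=set)       # Certificate Trust List of admitted vendors
    chain: dict = field(default_factory=dict)   # stand-in for registration info kept on chain

    def register_vendor(self, vendor_id: str) -> bool:
        """Manufacturer access process: admit a vendor only if the CA holds its certificate."""
        if vendor_id not in self.ca_certified_vendors:
            return False  # the vendor must first obtain a certificate from the CA (steps 3 and 4)
        self.ctl.add(vendor_id)
        return True

    def register_device(self, claimed: DeviceInfo) -> tuple:
        """Device registration (steps A to E): returns (ok, reason)."""
        # Steps B and C: the vendor must already be accessed, or be admitted now.
        if claimed.vendor_id not in self.ctl and not self.register_vendor(claimed.vendor_id):
            return False, "vendor not certified by CA"
        # Step D: fetch the vendor's own record of this device and compare it with the claim.
        authoritative = self.vendor_records.get(claimed.vendor_id, {}).get(claimed.device_id)
        if authoritative is None:
            return False, "device unknown to vendor"
        if authoritative != claimed:
            return False, "device information inconsistent with vendor record"
        # Step E: store the registration information (here: on the stand-in chain).
        self.chain[claimed.device_id] = claimed
        return True, "registered"

    def is_registered(self, device_id: str) -> bool:
        return device_id in self.chain


def demo() -> dict:
    """Constructed scenario: one genuine device, one spoofed claim, one uncertified vendor."""
    genuine = DeviceInfo("vendor-A", "dev-001", "Living room speaker", "MediaRenderer")
    center = HomeNetworkControlCenter(
        ca_certified_vendors={"vendor-A"},
        vendor_records={"vendor-A": {"dev-001": genuine}},
    )
    results = {"genuine": center.register_device(genuine)}
    # A device that presents a certified vendor's ID but a device type the vendor never shipped.
    spoofed = DeviceInfo("vendor-A", "dev-001", "Living room speaker", "MediaServer")
    results["spoofed_type"] = center.register_device(spoofed)
    # A vendor the CA never certified is refused before any device-level check runs.
    results["uncertified_vendor"] = center.register_device(
        DeviceInfo("vendor-Z", "dev-900", "Camera", "Camera"))
    results["registered"] = center.is_registered("dev-001")
    return results
```

The ordering matters for the defender: the vendor's CA status gates everything, so an attacker cannot even reach the device comparison with a made-up vendor, and the comparison itself uses the vendor's record as the authority rather than anything the device says about itself.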
The smart device access process includes the following steps:
Step F: the smart device applies to join (namely access) the digital home and sends an access request to the device authentication center; after receiving the request, the device authentication center checks whether the device is registered; if not, step G is executed; if registered, step H is executed;
Step G: the smart device initiates a registration request to the device authentication module; if registration succeeds, step H is executed; if not, step I is executed;
Step H: the device authentication module queries the blockchain network through an intelligent contract and verifies the device identity; if the device passes identity authentication, step J is executed; if not, step I is executed;
Step I: the device has failed identity authentication, and access to the digital home fails;
Step J: the device, having passed verification of authenticity (the device is registered and its information is stored in the blockchain network) and legitimacy (the manufacturer of the device is legitimate), successfully accesses the smart home network (namely the digital home), generates a unique public/private key pair for the device through the SM9 algorithm, and stores the private key in the hardware storage module of the device.
Third, the home capability sharing system may perform user authentication when a user initiates an operation proposal based on the blockchain network. Here, the authentication management module of the home capability sharing system is responsible for providing identity management for all nodes in the blockchain network. When the blockchain network is initialized, all nodes need to register with and be verified by the authentication management module in order to obtain legal identities and become legal nodes in the blockchain network; nodes with different identities have different permissions. For example, a service node on which an intelligent contract is deployed can complete endorsement of an operation proposal according to an endorsement policy and determine whether the user who initiated the operation proposal has permission for the operation.
Specifically, as shown in fig. 5, in a process that the home capability sharing system performs user authentication when a user initiates an operation proposal based on a blockchain network, a workflow of the blockchain network may include the following steps:
Step K: a user logs in to the digital home network (namely logs in to the home capability sharing system); the blockchain network authenticates the identity of the user and determines whether the user is legal (namely whether the user is registered); if the user passes the validity verification, login succeeds and step L is executed; otherwise, the user needs to log in again;
Step L: the user initiates an operation proposal, such as storing specific information, viewing specific information, modifying an authority policy, deploying chaincode, and the like; then step M is executed;
Step M: a service node in the blockchain network on which an intelligent contract is deployed completes endorsement of the operation proposal according to the endorsement policy and determines whether the user has permission for the operation; then step N is executed;
Step N: if the user has permission for the operation, the operation is executed; otherwise, the user authority information and the prompt information (namely the first information) are returned.
Fourth, the home capability sharing system can implement home capability sharing.
Specifically, the process by which the home capability sharing system implements home capability sharing may include the following steps:
Step O: the home capability sharing system divides the different capability attributes of devices into different types of capability pools, such as video capability, audio capability, microphone capability, camera capability and the like, according to the device descriptions of the UPnP protocol; then step P is executed;
Step P: a control point in the UPnP network performs a device identity check and a state query on the resource provider having the shared capability (namely, determines whether the device can provide the corresponding service); after the check passes, the control point calls the function, namely, sends a request for calling the function to the resource provider; then step Q is executed;
Step Q: the control point obtains the shared resource list of the service provider (namely the resource provider); the list contains detailed information about the files, such as file names, file types, file creation dates and resource sizes (namely file sizes), and also contains the transmission protocols the resource provider supports for each type of resource (namely file); meanwhile, the control point needs to acquire the transmission protocols and resource formats supported by the resource acquirer; by comparing the resource transmission protocols supported by the resource provider with the transmission protocols supported by the resource acquirer, the control point selects a transmission protocol and a data format supported by both parties for transmitting the resource; then step R is executed;
Step R: the user determines the resources to be shared and starts sharing them; then step S is executed;
Step S: after resource sharing is finished, the state of the corresponding device is restored to idle, and the state restoration result is returned to the control point.
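Steps O to S above, and the earlier embodiment in which the control point checks for a third device with the first capability, checks its state, and then picks a transmission protocol and resource format both sides support, amount to a small decision procedure. The following is an added example written for this page, not code from the patent or from any UPnP stack. It assumes constructed device records (capability sets, an idle/busy/failed state, per-file protocol lists and the acquirer's supported protocols and formats); UPnP discovery, the actual transfer and the real device state machine are outside the example.

```python
"""Added example: control-point logic for capability sharing (find provider, negotiate, release)."""
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    file_type: str      # resource format, e.g. "mp4"
    size: int
    protocols: tuple    # transfer protocols the provider offers for this file, in its preferred order


@dataclass
class Device:
    device_id: str
    capabilities: set
    state: str = "idle"  # "idle", "busy" (already providing a service) or "failed"
    resources: dict = field(default_factory=dict)          # capability -> [Resource]
    supported_protocols: set = field(default_factory=set)  # protocols this device can receive over
    supported_formats: set = field(default_factory=set)    # formats this device can render


def find_provider(network: list, capability: str, requester_id: str) -> tuple:
    """Steps O and P: is there a third device with the capability, and can it serve right now?"""
    candidates = [d for d in network if capability in d.capabilities and d.device_id != requester_id]
    if not candidates:
        return None, "no device in the network has this capability"
    for device in candidates:
        if device.state == "idle":
            return device, "ok"
    return None, "capability exists but every provider is busy or failed"


def negotiate(provider: Device, requester: Device, capability: str) -> list:
    """Step Q: for each shared file, choose a protocol and format both sides support."""
    plan = []
    for res in provider.resources.get(capability, []):
        if res.file_type not in requester.supported_formats:
            continue  # the acquirer cannot render this format
        common = [p for p in res.protocols if p in requester.supported_protocols]
        if common:
            plan.append((res.name, res.file_type, common[0]))  # provider's preferred common protocol
    return plan


def request_capability(network: list, requester_id: str, capability: str) -> dict:
    """Control-point handling of a request that the requester be allowed to use a capability."""
    requester = next(d for d in network if d.device_id == requester_id)
    if capability in requester.capabilities:
        return {"status": "refused", "reason": "requester already has this capability"}
    provider, reason = find_provider(network, capability, requester_id)
    if provider is None:
        return {"status": "refused", "reason": reason}
    plan = negotiate(provider, requester, capability)
    if not plan:
        return {"status": "refused", "reason": "no protocol and format supported by both sides"}
    provider.state = "busy"  # the provider is now using the capability until step S
    return {"status": "ok", "provider": provider.device_id, "plan": plan}


def finish_sharing(provider: Device) -> str:
    """Step S: once the transfer ends, the provider's state returns to idle."""
    provider.state = "idle"
    return provider.state


def demo() -> dict:
    # Constructed network: a NAS and a camera both offer "video"; the TV and tablet only display.
    nas = Device("nas", {"video", "storage"}, resources={"video": [
        Resource("movie.mp4", "mp4", 734_000_000, ("http-get", "rtsp")),
        Resource("clip.mov", "mov", 12_000_000, ("http-get",)),
        Resource("stream.mkv", "mkv", 2_100_000_000, ("rtsp",)),
    ]})
    camera = Device("camera", {"video", "camera"}, state="busy")
    tv = Device("tv", {"display"}, supported_protocols={"http-get"}, supported_formats={"mp4", "mkv"})
    tablet = Device("tablet", {"display"}, supported_protocols={"http-get"}, supported_formats={"mp4"})
    network = [nas, camera, tv, tablet]

    out = {"tv": request_capability(network, "tv", "video")}
    out["tablet_while_busy"] = request_capability(network, "tablet", "video")  # NAS and camera busy
    finish_sharing(nas)
    out["tablet_after_release"] = request_capability(network, "tablet", "video")
    out["no_such_capability"] = request_capability(network, "tv", "printing")
    return out
```

Two details are worth noting. A file is dropped from the plan for either of two reasons (format the acquirer cannot render, or no protocol in common), so a provider can expose files it knows the other side will never be asked to receive; and the provider is marked busy only after negotiation succeeds, so a refused request never leaves a device stuck in the busy state.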
In this application embodiment, the core workflow of the home capability sharing system includes the following steps:
the method comprises the following steps: the user logs in the home capability sharing system through SIM card application, the blockchain network authenticates the user identity, and whether the user is legal (namely whether the user is registered) is checked; if the user passes the validity verification, the login is successful; otherwise, ending the flow;
step two: after login is successful, when a user needs to operate equipment (namely, control equipment) or perform capacity sharing, the SIM card application uses a private key of the user to sign an operation request (namely, the first request) and then sends the operation request to a control point; after receiving the operation request, the control point verifies the validity of the signature and executes corresponding operation under the condition that the validity of the signature passes the verification;
step three: when the control point executes corresponding operation, for example, when capacity sharing is performed, the control point instructs (i.e., controls) the corresponding intelligent device to perform encryption processing on data by using a public key of a user through an encryption system; therefore, only the device with the user private key can decrypt and check the corresponding data, and other devices (namely devices without the corresponding user private key) cannot access the specific content of the data even if intercepting the data stream;
step four: the home capability sharing system stores various information of users by using IPFS (internet protocol file system) storage equipment, and a family accessing a block chain network records information (such as working time, power consumption, system version and the like) of various intelligent home equipment on the IPFS storage equipment; the IPFS storage equipment completes the division of the permission levels according to different identities when the user accesses the network, thereby distinguishing the permissions of different home users.
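Steps K to N (endorsement of an operation proposal) and step two of the core workflow (a request signed by the user's private key, checked before anything is executed) share one verification pattern: each endorsing node independently confirms that the user is registered on chain, that the signature verifies under the key registered for that user, and that the user's identity level permits the operation; the endorsement policy then combines the nodes' votes, and on refusal the user is told what is missing (the first information). The following is an added example written for this page, not code from the patent or from any blockchain platform. It assumes a majority-of-nodes endorsement policy, a dict standing in for each node's ledger replica, a constructed role-to-operations table, and a textbook RSA signature with tiny primes standing in for the real signature scheme so that the example runs without dependencies; those primes are far too small for any real use.

```python
"""Added example: signed operation proposals checked by several endorsing nodes under a policy."""
import hashlib
import json
from dataclasses import dataclass


# --- toy signature scheme: textbook RSA with tiny primes, constructed for this example only ---
def toy_keypair(p: int, q: int, e: int = 65537) -> tuple:
    """Return ((n, e), (n, d)) for the public and private halves. NOT for real use."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest(payload: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def toy_sign(payload: bytes, private: tuple) -> int:
    n, d = private
    return pow(_digest(payload, n), d, n)


def toy_verify(payload: bytes, signature: int, public: tuple) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest(payload, n)


# Constructed keys: Alice is the household's super manager, Guest is a visitor.
ALICE_PUB, ALICE_PRIV = toy_keypair(1000003, 1000033)
GUEST_PUB, GUEST_PRIV = toy_keypair(999979, 999983)


@dataclass(frozen=True)
class Proposal:
    user_id: str
    operation: str      # e.g. "store_info", "view_info", "modify_policy", "deploy_chaincode"
    target: str
    signature: int

    def payload(self) -> bytes:
        # Canonical bytes that are signed: every field except the signature itself.
        return json.dumps([self.user_id, self.operation, self.target], separators=(",", ":")).encode()


def sign_proposal(user_id: str, operation: str, target: str, private: tuple) -> Proposal:
    unsigned = Proposal(user_id, operation, target, 0)
    return Proposal(user_id, operation, target, toy_sign(unsigned.payload(), private))


# Constructed permission model: which operations each identity level may propose.
ROLE_PERMISSIONS = {
    "super_manager": {"store_info", "view_info", "modify_policy", "deploy_chaincode"},
    "home_user": {"store_info", "view_info"},
    "visitor": {"view_info"},
}


class EndorsingNode:
    """A service node with the contract deployed; holds its own replica of the ledger."""

    def __init__(self, ledger: dict):
        self.ledger = ledger  # user_id -> {"public": (n, e), "role": str}

    def endorse(self, proposal: Proposal) -> tuple:
        user = self.ledger.get(proposal.user_id)
        if user is None:                        # is the user registered on chain?
            return False, "not_registered"
        if not toy_verify(proposal.payload(), proposal.signature, user["public"]):
            return False, "bad_signature"       # wrong key, or content altered after signing
        if proposal.operation not in ROLE_PERMISSIONS.get(user["role"], set()):
            return False, "no_permission"       # registered, but not allowed this operation
        return True, "endorsed"


def evaluate_proposal(proposal: Proposal, nodes: list) -> dict:
    """Majority endorsement policy; on refusal, build the prompt returned to the user."""
    votes = [node.endorse(proposal) for node in nodes]
    approvals = sum(1 for ok, _ in votes if ok)
    passed = approvals * 2 > len(nodes)
    reasons = sorted({reason for ok, reason in votes if not ok})
    prompt = None
    if not passed:
        if "not_registered" in reasons:
            prompt = "register in the blockchain network first"
        elif "no_permission" in reasons:
            prompt = f"obtain permission for '{proposal.operation}' from the super manager"
        else:
            prompt = "signature could not be verified"
    return {"passed": passed, "approvals": approvals, "reasons": reasons, "prompt": prompt}


def demo() -> dict:
    ledger = {"alice": {"public": ALICE_PUB, "role": "super_manager"},
              "guest": {"public": GUEST_PUB, "role": "visitor"}}
    nodes = [EndorsingNode(dict(ledger)) for _ in range(3)]  # three endorsing replicas
    results = {
        "admin_deploy": evaluate_proposal(sign_proposal("alice", "deploy_chaincode", "cc-home", ALICE_PRIV), nodes),
        "visitor_modify": evaluate_proposal(sign_proposal("guest", "modify_policy", "acl", GUEST_PRIV), nodes),
        "unknown_user": evaluate_proposal(sign_proposal("mallory", "view_info", "logs", GUEST_PRIV), nodes),
        # Guest signs a proposal that claims to come from Alice.
        "forged_identity": evaluate_proposal(sign_proposal("alice", "modify_policy", "acl", GUEST_PRIV), nodes),
    }
    # Alice's valid signature over one request reused on a different operation.
    genuine = sign_proposal("alice", "view_info", "logs", ALICE_PRIV)
    results["tampered"] = evaluate_proposal(Proposal("alice", "modify_policy", "logs", genuine.signature), nodes)
    return results
```

The order of the three checks inside `endorse` is deliberate: the signature is verified against the key the ledger holds for the claimed user, never against a key the request carries, so a forged identity and a replayed signature over altered content both fail at the same point, and the permission check only runs on a request whose origin has been established.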
The scheme provided by this application embodiment has the following advantages:
1) Device registration is carried out through certification by manufacturers and CA organizations, and the legitimacy of devices entering the home network and going on chain is ensured through the authorization applied for via the user's SIM card and the on-chain process (namely the process of storing the user information in the blockchain network); that is, legitimacy authentication of devices is realized, so that secure device access control is achieved;
2) SIM card information (namely the SIM card serial number), which offers stronger security, is used to complete user registration and login; user information is stored in a decentralized manner through the blockchain network and the IPFS protocol, dependence on a central node is avoided, user privacy is protected from theft, and the tamper-resistance and security of the data are ensured;
3) Through blockchain-based decentralized authentication and authorization, dependence on a central node is avoided, attacks such as distributed denial of service (DDoS) can be effectively resisted, the robustness of the system is improved, and the tamper-resistance and traceability of system transactions can be guaranteed.
In order to implement the method of the embodiment of the present application, the embodiment of the present application further provides a device management apparatus; as shown in fig. 6, the apparatus includes:
an obtaining unit 601, configured to obtain a first request; the first request carries at least a first signature; the first request is for requesting management of a device in a first network; the first network includes a plurality of devices; the plurality of devices can communicate with each other based on a UPnP protocol; the first control point is a device of the plurality of devices, the computing capacity of which meets a first condition;
a first processing unit 602, configured to invoke, through an intelligent contract, a first node of a second network to verify validity of the first signature according to a preset endorsement policy, so as to obtain a first verification result;
a second processing unit 603, configured to execute the management operation corresponding to the first request when the first verification result indicates that the validity of the first signature has been verified.
In an embodiment, the first request is sent by a first terminal; the first signature characterizes an identity of an operator of the first terminal; the first processing unit 602 is specifically configured to:
sending a second request to the first node; the second request is used for requesting to verify whether the operator of the first terminal is registered in the second network or not and requesting to verify whether the operator of the first terminal has the authority of executing the management operation corresponding to the first request or not;
receiving the first verification result returned by the first node for the second request.
In an embodiment, the second processing unit 603 is further configured to send first information to the first terminal if the first verification result indicates that the validity of the first signature is not verified; the first information is used for prompting an operator of the first terminal to register in the second network and/or obtaining the authority for executing the management operation corresponding to the first request.
In an embodiment, the first request is specifically configured to request that a first device be controlled to access the first network; correspondingly, the second processing unit 603 is specifically configured to:
calling a second node of the second network through the intelligent contract to verify the identity of the first device, so as to obtain a second verification result;
controlling the first device to access the first network when the second verification result indicates that the identity of the first device has been verified.
In an embodiment, the second processing unit 603 is further configured to:
sending a third request to the second node; the third request is for requesting verification whether the first device is registered in the second network;
receiving the second verification result returned by the second node for the third request.
In an embodiment, the second processing unit 603 is further configured to control the first device to register to the second network if the second verification result indicates that the identity of the first device is not verified.
In an embodiment, the second processing unit 603 is further configured to send a fourth request to the first device; the fourth request is used for requesting the first device to send a fifth request to the first server; the fifth request is to request registration of the first device to the second network.
In an embodiment, the first request is specifically for requesting to control the second device to use the first capability; the second device does not have the first capability; correspondingly, the second processing unit 603 is specifically configured to:
determining whether a third device having the first capability exists in the first network, and determining, according to the state of the third device, whether the third device can provide the first capability, so as to obtain a determination result;
controlling the second device to use the first capability when the determination result indicates that the third device exists in the first network and the third device can provide the first capability.
In an embodiment, the second processing unit 603 is further configured to control the second device and the third device to perform transmission of a resource corresponding to the first capability.
In an embodiment, the second processing unit 603 is further configured to control the second device and the third device to perform encrypted transmission on the resource corresponding to the first capability.
In an embodiment, the apparatus further comprises a third processing unit configured to:
acquiring operation information of at least one device in the first network;
storing the acquired operation information on a second server based on the IPFS protocol.
In actual application, the obtaining unit 601, the first processing unit 602, the second processing unit 603, and the third processing unit may be implemented by a processor in a device management apparatus in combination with a communication interface.
It should be noted that: the device management apparatus provided in the above embodiment is only illustrated by the division of each program module when managing devices, and in practical applications, the above processing may be distributed to different program modules as needed, that is, the internal structure of the apparatus may be divided into different program modules to complete all or part of the above-described processing. In addition, the device management apparatus and the device management method provided in the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments and are not described herein again.
Based on the hardware implementation of the program module, and in order to implement the method of the embodiment of the present application, an embodiment of the present application further provides an electronic device, that is, a first control point, as shown in fig. 7, where the electronic device 700 includes:
a communication interface 701 capable of performing information interaction with other electronic devices;
the processor 702 is connected with the communication interface 701 to implement information interaction with other electronic devices, and is configured to execute the method provided by one or more technical solutions when running a computer program;
a memory 703 storing a computer program capable of running on the processor 702.
Specifically, the processor 702 is configured to:
acquiring a first request; the first request carries at least a first signature; the first request is for requesting management of a device in a first network; the first network includes a plurality of devices; the plurality of devices can communicate with each other based on a UPnP protocol; the electronic device 700 is a device of the plurality of devices whose computing power satisfies a first condition;
calling a first node of a second network to verify the validity of the first signature according to a preset endorsement policy through an intelligent contract to obtain a first verification result;
and executing the management operation corresponding to the first request when the first verification result indicates that the validity of the first signature has been verified.
In an embodiment, the first request is sent by a first terminal; the first signature characterizes an identity of an operator of the first terminal; the processor 702 is specifically configured to:
sending a second request to the first node; the second request is used to request verification of whether the operator of the first terminal is registered in the second network and of whether the operator of the first terminal has the authority to execute the management operation corresponding to the first request;
and receiving a first verification result returned by the first node for the second request.
In an embodiment, the processor 702 is further configured to send first information to the first terminal if the first verification result indicates that the validity of the first signature is not verified; the first information is used to prompt the operator of the first terminal to register with the second network and/or to obtain the authority to execute the management operation corresponding to the first request.
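As an added illustration, not code from the patent or from the applicant, the following Go program models the flow of the embodiments above: the control point receives a signed first request, asks each node of the second network to endorse it (is the operator registered, does the signature verify under the registered key, does the operator hold the permission for this operation), applies an N-of-M endorsement policy, and executes the management operation only on a valid result; otherwise it returns the "first information" telling the terminal to register or obtain the permission. Everything the patent leaves open is an assumption here: Ed25519 as the signature scheme, an in-process Node type standing in for a blockchain node and its smart contract (the page's "intelligent contract"), the 2-of-3 threshold, the registry contents, and the operator, device and operation names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Request is the "first request": an operation plus the operator's "first signature" (Ed25519 assumed).
type Request struct {
	OperatorID, Operation, Target string
	Signature                     []byte
}

// payload is the signed byte string; the NUL separator keeps the fields unambiguous.
func (r Request) payload() []byte {
	return []byte(r.OperatorID + "\x00" + r.Operation + "\x00" + r.Target)
}

// Operator is the registry entry a node of the second network holds for an identity.
type Operator struct {
	PubKey      ed25519.PublicKey
	Permissions map[string]bool // operation name -> allowed
}

// Node stands in for a "first node"; Endorse is the contract it runs on the control point's "second request".
type Node struct {
	Name     string
	Registry map[string]Operator
}

func (n *Node) Endorse(req Request) error {
	op, ok := n.Registry[req.OperatorID]
	if !ok {
		return fmt.Errorf("%s: operator %q is not registered", n.Name, req.OperatorID)
	}
	if !ed25519.Verify(op.PubKey, req.payload(), req.Signature) {
		return fmt.Errorf("%s: signature does not verify under the registered key", n.Name)
	}
	if !op.Permissions[req.Operation] {
		return fmt.Errorf("%s: operator %q lacks permission %q", n.Name, req.OperatorID, req.Operation)
	}
	return nil
}

// EndorsementPolicy is the preset policy: an N-of-M rule over the second network's nodes.
type EndorsementPolicy struct {
	Nodes     []*Node
	Threshold int
}

// Verify asks every node and applies the threshold; reasons become the "first information" when valid is false.
func (p EndorsementPolicy) Verify(req Request) (valid bool, reasons []string) {
	endorsed := 0
	for _, n := range p.Nodes {
		if err := n.Endorse(req); err != nil {
			reasons = append(reasons, err.Error())
			continue
		}
		endorsed++
	}
	return endorsed >= p.Threshold, reasons
}

// Handle is the control point's entry point: verify first, execute only on a valid result, else prompt.
func (p EndorsementPolicy) Handle(req Request) (string, error) {
	valid, reasons := p.Verify(req)
	if !valid {
		return "", errors.New("register or obtain permission: " + strings.Join(reasons, "; "))
	}
	return "executed " + req.Operation + " on " + req.Target, nil
}

// Sign builds a first request signed with the operator's private key.
func Sign(priv ed25519.PrivateKey, operator, operation, target string) Request {
	r := Request{OperatorID: operator, Operation: operation, Target: target}
	r.Signature = ed25519.Sign(priv, r.payload())
	return r
}

// NewDemo builds a constructed second network: three nodes sharing one registry, a 2-of-3 policy,
// and one operator "alice" permitted only to admit devices.
func NewDemo() (EndorsementPolicy, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := map[string]Operator{"alice": {pub, map[string]bool{"admit_device": true}}}
	nodes := []*Node{{"node-a", reg}, {"node-b", reg}, {"node-c", reg}}
	return EndorsementPolicy{Nodes: nodes, Threshold: 2}, priv
}

func main() {
	cp, alice := NewDemo()
	fmt.Println(cp.Handle(Sign(alice, "alice", "admit_device", "lamp-01")))   // executes
	fmt.Println(cp.Handle(Sign(alice, "alice", "use_capability", "spk-02"))) // refused
}
```

Two points the code makes that the prose only implies: the signature covers a canonical encoding of the whole request, so changing the target after signing fails the signature check on every node rather than only the permission check; and the threshold is what keeps one node with a stale registry from either blocking or deciding the outcome on its own (3-of-4 passes with one refusal, 4-of-4 does not).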
In an embodiment, the first request is specifically configured to request that a first device be controlled to access the first network; the processor 702 is further configured to:
calling a second node of the second network to verify the identity of the first device through an intelligent contract to obtain a second verification result;
and controlling the first device to access the first network when the second verification result indicates that the identity of the first device has been verified.
In an embodiment, the processor 702 is further configured to:
sending a third request to the second node; the third request is used to request verification of whether the first device is registered in the second network;
and receiving a second verification result returned by the second node for the third request.
In an embodiment, the processor 702 is further configured to control the first device to register with the second network if the second verification result indicates that the identity of the first device is not verified.
In an embodiment, the processor 702 is further configured to send a fourth request to the first device; the fourth request is used for requesting the first device to send a fifth request to the first server; the fifth request is to request registration of the first device to the second network.
In an embodiment, the first request is specifically configured to request that the second device be controlled to use the first capability; the second device does not have the first capability; the processor 702 is further configured to:
judging whether a third device having the first capability exists in the first network, and judging, according to the state of the third device, whether the third device can provide the first capability, to obtain a judgment result;
and controlling the second device to use the first capability when the judgment result indicates that the third device exists in the first network and can provide the first capability.
In an embodiment, the processor 702 is further configured to control the second device and the third device to perform transmission of a resource corresponding to the first capability.
In an embodiment, the processor 702 is further configured to control the second device and the third device to perform encrypted transmission of the resource corresponding to the first capability.
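As an added example in Go, not the patent's code, the capability-sharing operation of the preceding embodiments: the control point judges whether a third device has the first capability and whether its state lets it provide that capability now, then brokers an encrypted transfer of the corresponding resource from the provider to the second device. Assumed, because the patent does not specify them: the Device model and its Online/Busy state, AES-256-GCM for the encrypted transmission, a fresh per-transfer key that the control point hands to both devices over its already-verified channel, and the constructed device names and resource content.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Device is a first-network member as the control point discovered it (constructed model).
type Device struct {
	ID           string
	Capabilities map[string]bool
	Online, Busy bool
}

type Network []*Device // the first network from the control point's point of view

// FindProvider is the judgment step: is there a third device with the capability,
// and does its current state (online and not busy) let it provide it right now.
func (n Network) FindProvider(capability, requester string) (*Device, error) {
	for _, d := range n {
		if d.ID != requester && d.Capabilities[capability] && d.Online && !d.Busy {
			return d, nil
		}
	}
	return nil, fmt.Errorf("no online, idle device with %q in the first network", capability)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealResource encrypts with AES-256-GCM, nonce prefixed; aad names the transfer
// (provider, requester, capability) so the ciphertext cannot be replayed into another.
func SealResource(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenResource reverses SealResource; any change to nonce, ciphertext, tag or aad fails.
func OpenResource(key, box, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(box) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], aad)
}

// UseCapability is the management operation for a second device lacking the capability: pick a
// provider, issue a per-transfer key (assumed to reach both devices over the verified channel),
// have the provider seal the resource and the requester open it; both roles are simulated here.
func (n Network) UseCapability(requester, capability string) (string, error) {
	provider, err := n.FindProvider(capability, requester)
	if err != nil {
		return "", err
	}
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return "", err
	}
	aad := []byte(provider.ID + "->" + requester + ":" + capability)
	resource := []byte(provider.ID + " provides " + capability) // stands in for the real resource
	box, err := SealResource(key, resource, aad)                // provider side
	if err != nil {
		return "", err
	}
	plain, err := OpenResource(key, box, aad) // requester side
	return string(plain), err
}

// NewDemoNetwork (constructed): a tablet without "print", an idle printer, and an offline
// camera that is the only device with "video".
func NewDemoNetwork() Network {
	return Network{
		{ID: "tablet-01", Capabilities: map[string]bool{"display": true}, Online: true},
		{ID: "printer-01", Capabilities: map[string]bool{"print": true}, Online: true},
		{ID: "cam-01", Capabilities: map[string]bool{"video": true}},
	}
}

func main() {
	n := NewDemoNetwork()
	fmt.Println(n.UseCapability("tablet-01", "print")) // printer-01 provides print <nil>
}
```

The associated data is the part worth copying: binding the ciphertext to the (provider, requester, capability) triple means a sealed resource captured from one transfer is rejected by the requester of any other transfer even if the same key were reused, and the length check before slicing keeps a truncated message from crashing the receiver instead of being rejected.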
In an embodiment, the processor 702 is further configured to:
acquiring operation information of at least one device in the first network;
and storing the acquired operation information on a second server based on the IPFS protocol.
It should be noted that: the process of the processor 702 specifically executing the above operations is detailed in the method embodiment, and is not described here again.
Of course, in practice, the various components in the electronic device 700 are coupled together by the bus system 704. It is understood that the bus system 704 is used to enable communications among the components. The bus system 704 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are designated as bus system 704 in FIG. 7.
The memory 703 in the embodiments of the present application is used to store various types of data to support the operation of the electronic device 700. Examples of such data include: any computer program for operating on the electronic device 700.
The methods disclosed in the embodiments of the present application may be implemented in the processor 702 or implemented by the processor 702. The processor 702 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 702. The processor 702 may be a general purpose processor, a Digital Signal Processor (DSP), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like. The processor 702 may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 703, and the processor 702 reads the information in the memory 703 and performs the steps of the foregoing method in combination with its hardware.
In an exemplary embodiment, the electronic device 700 may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), general purpose processors, controllers, Micro Controller Units (MCUs), microprocessors, or other electronic components for performing the foregoing methods.
It is to be understood that the memory 703 of the present embodiment may be a volatile memory or a nonvolatile memory, and may also include both volatile and nonvolatile memories. The nonvolatile memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a flash memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be a Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memories described in the embodiments of the present application are intended to comprise, without being limited to, these and any other suitable types of memory.
In an exemplary embodiment, the present application further provides a storage medium, specifically a computer storage medium, for example, a memory 703 storing a computer program, which can be executed by the processor 702 of the electronic device 700 to perform the steps of the foregoing method. The computer readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc, or CD-ROM.
It should be noted that: "first," "second," and the like are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
The technical means described in the embodiments of the present application may be arbitrarily combined without conflict.
The above description is only a preferred embodiment of the present application, and is not intended to limit the scope of the present application.

Claims (15)

1. A device management method applied to a first control point includes:
acquiring a first request; the first request carries at least a first signature; the first request is for requesting management of a device in a first network; the first network includes a plurality of devices; the plurality of devices can communicate based on a universal plug and play (UPnP) protocol; the first control point is a device of the plurality of devices whose computing power meets a first condition;
calling a first node of a second network to verify the validity of the first signature according to a preset endorsement policy through an intelligent contract to obtain a first verification result;
and executing the management operation corresponding to the first request when the first verification result indicates that the validity of the first signature has been verified.
2. The method of claim 1, wherein the first request is sent by a first terminal; the first signature is indicative of an identity of an operator of the first terminal; the calling the first node of the second network to verify the validity of the first signature according to a preset endorsement policy comprises the following steps:
sending a second request to the first node; the second request is used to request verification of whether the operator of the first terminal is registered in the second network and of whether the operator of the first terminal has the authority to execute the management operation corresponding to the first request;
and receiving a first verification result returned by the first node for the second request.
3. The method of claim 2,
when the operator of the first terminal is registered in the second network and has the authority to execute the management operation corresponding to the first request, the first verification result indicates that the validity of the first signature is verified;
and when the operator of the first terminal is not registered in the second network or does not have the authority to execute the management operation corresponding to the first request, the first verification result indicates that the validity of the first signature is not verified.
4. The method of claim 2, further comprising:
when the first verification result indicates that the validity of the first signature is not verified, sending first information to the first terminal; the first information is used to prompt the operator of the first terminal to register with the second network and/or to obtain the authority to execute the management operation corresponding to the first request.
5. The method according to any of claims 1 to 4, wherein the first request is specifically for requesting control of a first device to access the first network; the executing the management operation corresponding to the first request comprises:
calling a second node of the second network to verify the identity of the first device through the intelligent contract to obtain a second verification result;
and controlling the first device to access the first network when the second verification result indicates that the identity of the first device has been verified.
6. The method of claim 5, wherein the invoking the second node of the second network to verify the identity of the first device comprises:
sending a third request to the second node; the third request is used to request verification of whether the first device is registered in the second network;
and receiving a second verification result returned by the second node for the third request.
7. The method of claim 6, further comprising:
and controlling the first device to register with the second network when the second verification result indicates that the identity of the first device is not verified.
8. The method of claim 7, wherein the controlling the first device to register with the second network comprises:
sending a fourth request to the first device; the fourth request is used for requesting the first device to send a fifth request to the first server; the fifth request is to request registration of the first device to the second network.
9. The method according to any of claims 1 to 4, wherein the first request is specifically for requesting control of the second device to use the first capability; the second device does not have the first capability; the executing the management operation corresponding to the first request comprises:
judging whether a third device with the first capability exists in the first network or not, and judging whether the third device can provide the first capability or not according to the state of the third device to obtain a judgment result;
and controlling the second device to use the first capability when the judgment result represents that the third device exists in the first network and the third device can provide the first capability.
10. The method of claim 9, wherein the controlling the second device to use the first capability comprises:
and controlling the second device and the third device to transmit the resource corresponding to the first capability.
11. The method of claim 10, wherein the controlling the second device and the third device to perform the transmission of the resource corresponding to the first capability comprises:
and controlling the second device and the third device to carry out encrypted transmission of the resource corresponding to the first capability.
12. The method according to any one of claims 1 to 4, further comprising:
acquiring operation information of at least one device in the first network;
and storing the acquired operation information on a second server based on an InterPlanetary File System (IPFS) protocol.
13. An apparatus management device, provided at a first control point, comprising:
an acquisition unit configured to acquire a first request; the first request carries at least a first signature; the first request is for requesting management of a device in a first network; the first network includes a plurality of devices; the plurality of devices can communicate based on a UPnP protocol; the first control point is a device of the plurality of devices, the computing capacity of which meets a first condition;
the first processing unit is used for calling a first node of a second network to verify the validity of the first signature according to a preset endorsement policy through an intelligent contract to obtain a first verification result;
and the second processing unit is used for executing the management operation corresponding to the first request under the condition that the validity of the first signature represented by the first verification result passes the verification.
14. An electronic device, comprising: a processor and a memory for storing a computer program operable on the processor, wherein the processor is operable to perform the steps of the method of any of claims 1 to 12 when the computer program is executed.
15. A storage medium on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 12.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111174947.0A CN115967623A (en) 2021-10-09 2021-10-09 Device management method, device, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN115967623A true CN115967623A (en) 2023-04-14

Family

ID=87358811

Country Status (1)

Country Link
CN (1) CN115967623A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination