CN116349270A - Access authentication method, platform gateway and platform cloud - Google Patents


Info

Publication number: CN116349270A
Authority: CN (China)
Prior art keywords: platform, configuration, cloud, authentication information, platform cloud
Legal status: Pending
Application number: CN202080106625.XA
Other languages: Chinese (zh)
Inventors: 董建利, 罗朝明, 茹昭
Current Assignee: Guangdong Oppo Mobile Telecommunications Corp Ltd
Original Assignee: Guangdong Oppo Mobile Telecommunications Corp Ltd
Application filed by Guangdong Oppo Mobile Telecommunications Corp Ltd
Publication of CN116349270A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to an access authentication method, a platform gateway and a platform cloud. The access authentication method comprises the following steps: the platform gateway sends key parameters to the platform cloud, wherein the key parameters are used for generating a confirmation key and configuration authentication information in the platform cloud; the platform gateway receives the configuration authentication information from the platform cloud; and the platform gateway sends equipment authentication information to the platform cloud based on the configuration authentication information so as to carry out access authentication on equipment to be authenticated based on the confirmation key and the equipment authentication information in the platform cloud. According to the embodiment of the application, the information security in the equipment authentication process can be improved.

Description

Access authentication method, platform gateway and platform cloud
Technical Field
The present application relates to the field of network technologies, and in particular, to an access authentication method, a platform gateway, and a platform cloud.
Background
With the development of Bluetooth Low Energy, Bluetooth Mesh networks have emerged. A Bluetooth mesh network is a low-energy Bluetooth network topology for establishing many-to-many device communication. Bluetooth mesh networks allow large networks to be built from many devices, containing tens, hundreds or even thousands of Bluetooth mesh devices that can transfer information to each other. A new device is added to a Bluetooth mesh network through provisioning (referred to below as network distribution). During provisioning the new device needs to be authenticated, and the device, the cloud and the gateway exchange information according to a certain flow to complete the authentication. How to guarantee the information security of the device authentication process is a problem that needs to be considered.
Disclosure of Invention
The embodiment of the application provides an access authentication method, a platform gateway and a platform cloud, which can improve information security in the equipment authentication process.
The embodiment of the application provides an access authentication method, which comprises the following steps:
the platform gateway sends key parameters to the platform cloud, wherein the key parameters are used for generating a confirmation key and configuration authentication information in the platform cloud;
the platform gateway receives the configuration authentication information from the platform cloud;
and the platform gateway sends equipment authentication information to the platform cloud based on the configuration authentication information so as to carry out access authentication on equipment to be authenticated based on the confirmation key and the equipment authentication information in the platform cloud.
The embodiment of the application provides an access authentication method, which comprises the following steps:
the first platform cloud generates a confirmation key and configuration authentication information based on the key parameter;
the first platform cloud sends the configuration authentication information to a platform gateway;
and the first platform cloud performs access authentication on the equipment to be authenticated based on the confirmation key and the equipment authentication information from the platform gateway.
The embodiment of the application provides an access authentication method, which comprises the following steps:
the second platform cloud generates a confirmation key and configuration authentication information based on the key parameter;
the second platform cloud sends the configuration authentication information to the platform gateway through the first platform cloud;
and the second platform cloud performs access authentication on the equipment to be authenticated based on the confirmation key and the equipment authentication information.
The embodiment of the application provides a platform gateway, which comprises:
the sending unit is used for sending key parameters to the platform cloud, wherein the key parameters are used for generating a confirmation key and configuration authentication information in the platform cloud;
the receiving unit is used for receiving the configuration authentication information from the platform cloud;
the sending unit is further used for sending equipment authentication information to the platform cloud based on the configuration authentication information so as to perform access authentication on equipment to be authenticated based on the confirmation key and the equipment authentication information in the platform cloud.
The embodiment of the application provides a first platform cloud, which comprises:
a processing unit for generating a confirmation key and configuration authentication information based on the key parameter;
a sending unit, configured to send the configuration authentication information to a platform gateway;
and the authentication unit is used for carrying out access authentication on the equipment to be authenticated based on the confirmation key and the equipment authentication information from the platform gateway.
The embodiment of the application provides a second platform cloud, which comprises:
a processing unit for generating a confirmation key and configuration authentication information based on the key parameter;
the sending unit is used for sending the configuration authentication information to the platform gateway through the first platform cloud;
and the authentication unit is used for carrying out access authentication on the equipment to be authenticated based on the confirmation key and the equipment authentication information.
The embodiment of the application provides a platform gateway, which comprises a processor and a memory. The memory is used for storing a computer program, and the processor is used for calling and running the computer program stored in the memory so that the platform gateway can execute the access authentication method executed by the platform gateway.
The embodiment of the application provides a platform cloud, which comprises a processor and a memory. The memory is used for storing a computer program, and the processor is used for calling and running the computer program stored in the memory so that the platform cloud executes the access authentication method executed by the first platform cloud or the second platform cloud.
The embodiment of the application provides a chip for realizing the access authentication method. Specifically, the chip includes: and a processor for calling and running the computer program from the memory, so that the device installed with the chip executes the access authentication method.
The embodiment of the application provides a computer readable storage medium for storing a computer program, which when executed by a device, causes the device to perform the above access authentication method.
Embodiments of the present application provide a computer program product including computer program instructions for causing a computer to perform the above-described access authentication method.
The embodiment of the application provides a computer program which, when run on a computer, causes the computer to execute the access authentication method.
According to the method and the device, the platform gateway sends the key parameters to the platform cloud, the confirmation key and the configuration authentication information can be generated in the platform cloud, and then the device to be authenticated is subjected to access authentication in the platform cloud, so that the information security in the device authentication process can be improved.
Drawings
Fig. 1 shows a block diagram of an exemplary bluetooth Mesh device cross-platform access authentication system.
Fig. 2 shows a flow chart of an exemplary access authentication method.
Fig. 3 shows a flow chart of an exemplary access authentication method.
Fig. 4 is a schematic flow chart of an access authentication method according to an embodiment of the present application.
Fig. 5 is a schematic flow chart diagram of an access authentication method according to another embodiment of the present application.
Fig. 6 is a schematic flow chart diagram of an access authentication method according to another embodiment of the present application.
Fig. 7 is a flowchart of example 1 of an access authentication method according to the present application.
Fig. 8 is a flowchart of example 2 of an access authentication method according to the present application.
Fig. 9 is a flowchart of example 3 of an access authentication method according to the present application.
Fig. 10 is a schematic block diagram of a platform gateway according to an embodiment of the present application.
Fig. 11 is a schematic block diagram of a first platform cloud according to an embodiment of the present application.
Fig. 12 is a schematic block diagram of a first platform cloud according to another embodiment of the present application.
Fig. 13 is a schematic block diagram of a second platform cloud according to an embodiment of the present application.
Fig. 14 is a schematic block diagram of a second platform cloud according to another embodiment of the present application.
Fig. 15 is a schematic block diagram of a communication device according to an embodiment of the present application.
Fig. 16 is a schematic block diagram of a chip according to an embodiment of the present application.
Fig. 17 is a schematic block diagram of a communication system according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be understood that the terms "system" and "network" are used interchangeably herein. The term "and/or" herein merely describes an association relationship between associated objects, meaning that there may be three relationships; e.g., "A and/or B" may represent: A exists alone, A and B exist together, or B exists alone. In addition, the character "/" herein generally indicates that the preceding and following associated objects are in an "or" relationship.
It should be understood that, in the embodiments of the present application, an "indication" may be a direct indication, an indirect indication, or an indication having an association relationship. For example, "A indicates B" may mean that A indicates B directly, e.g., B may be obtained from A; it may also mean that A indicates B indirectly, e.g., A indicates C and B may be obtained from C; or it may mean that there is an association between A and B.
In the description of the embodiments of the present application, the term "corresponding" may indicate that there is a direct correspondence or an indirect correspondence between the two, or may indicate that there is an association between the two, or may indicate a relationship between the two and the indicated, configured, or the like.
In order to facilitate understanding of the technical solutions of the embodiments of the present application, the following description is given of related technologies of the embodiments of the present application, and the following related technologies may be optionally combined with the technical solutions of the embodiments of the present application as an alternative, which all belong to the protection scope of the embodiments of the present application.
Fig. 1 shows a block diagram of an exemplary bluetooth Mesh device cross-platform access authentication system, which may include: bluetooth Mesh device 12, first platform gateway 141, first platform cloud 142, and second platform cloud 16.
Bluetooth Mesh device 12 is a device that supports bluetooth technology and can access a bluetooth Mesh network. Bluetooth Mesh devices include various types of internet of things devices, such as: bulb, speaker, cell phone, etc., which are not limited in this embodiment.
The bluetooth Mesh device 12 may be configured to access the network by the first platform gateway 141, where the cloud server corresponding to the first platform gateway 141 is the first platform cloud 142. The first platform gateway 141 and the first platform cloud 142 are connected through a wired or wireless network. Optionally, the first platform gateway 141 receives data from the bluetooth Mesh device 12, performs calculation processing on the data, sends the data to the first platform cloud 142, and stores or further processes the data by the first platform cloud 142.
The bluetooth Mesh device 12 may be developed based on the second platform cloud 16, and authentication information of the bluetooth Mesh device 12 is stored in the second platform cloud 16. Alternatively, the bluetooth Mesh device 12 may be developed based on the first platform cloud 142, and the authentication information of the bluetooth Mesh device 12 is stored in the first platform cloud 142. In this case, the second platform cloud may not be required.
A communication link exists between the first platform cloud 142 and the second platform cloud 16. Optionally, the first platform cloud 142 sends information required by the bluetooth Mesh device 12 in an authentication procedure with the second platform cloud 16 to the second platform cloud 16; or, forwarding information required by the bluetooth Mesh device 12 in the authentication procedure with the second platform cloud 16 to the first platform gateway 141.
The first platform cloud 142 and the second platform cloud 16 are cloud computing resource pools in the cloud technology field, in which multiple types of virtual resources are deployed for external clients to select and use. A cloud computing resource pool mainly comprises computing devices (virtualized machines, including operating systems), storage devices and network devices. The cloud server can be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), big data and artificial intelligence platforms.
Fig. 2 shows a flow chart of an exemplary access authentication method. In this method the device is authenticated for access across different platforms, and the method comprises the following steps:
Step 21, the user activates scanning on the A platform gateway by voice or through an APP.
Step 22, the E company device (for example, a Bluetooth Mesh device developed based on the B platform) broadcasts a Bluetooth Mesh unprovisioned broadcast packet according to the specification. The broadcast packet contains the company identifier (Company Identifier, CID) of the B platform.
Step 23, the A platform gateway queries the device type. Specifically, after acquiring the unprovisioned broadcast information broadcast by the E company device, the A platform gateway uploads the information to the A platform cloud to query the device type.
Step 23.1, the A platform cloud judges whether the device is an A platform device.
Step 23.2, the A platform cloud queries the platform information corresponding to the device. After receiving the device information reported by the A platform gateway, the A platform cloud determines from the CID that the E company device was not developed based on the A platform and that authorization by another platform is required.
Step 23.3, the A platform cloud obtains the platform information corresponding to the CID through the interconnection server.
Optionally, the platform information includes information such as the B platform rights management server (authserver).
Step 23.4, the A platform cloud queries the B platform cloud for the device type.
Step 23.5, the A platform cloud obtains the device type from the B platform cloud.
Step 24, the A platform cloud forwards the device type to the A platform gateway.
Step 25, the A platform gateway announces the device and the device type to the user.
Step 26, user input: connect the device.
Step 27, the A platform gateway and the E company device perform the link and invite procedure (Link & Invite).
Step 27.1, the A platform gateway sends Provisioning Start to the E company device.
Step 27.2, the A platform gateway sends the configuration side public key (Provisioning Public Key) to the E company device. The configuration side may also be referred to as the configurator, the provisioner, the network distributor, etc.
Step 27.3, the E company device sends the device side public key (Device Public Key) to the A platform gateway.
Step 27.4, the E company device and the A platform gateway perform an elliptic curve Diffie-Hellman (ECDH) calculation to generate a confirmation key (ConfirmationKey).
Step 27.5, the A platform gateway reports the confirmation key generated in the device authentication process to the A platform cloud.
Step 27.6, the A platform cloud reports the confirmation key to the B platform cloud.
Step 27.7, the A platform cloud obtains, through the B platform cloud, the configuration end confirmation value (provisioner confirmation) and the configuration end random number (provisioner random) required for authentication.
Step 27.8, the A platform cloud forwards the configuration end confirmation value and the configuration end random number to the A platform gateway.
Step 27.9, the A platform gateway sends the configuration end confirmation value to the E company device.
Step 27.10, the E company device returns the device side confirmation value (device confirmation).
Step 27.11, the A platform gateway sends the configuration end random number to the E company device.
Step 27.12, the E company device checks the configuration end confirmation value.
Step 27.13, after the check passes, the E company device returns the device side random number (device random).
Step 27.14, the A platform gateway reports the device side confirmation value and the device side random number of the device to the A platform cloud.
Step 27.15, the A platform cloud sends the device side confirmation value and the device side random number to the B platform cloud.
Step 27.16, the B platform cloud performs authentication verification.
Step 27.17, the B platform cloud returns the authentication result and the device information. The device information contains the control functions and control instructions supported by the device.
Step 27.18, the A platform cloud stores the device information.
Step 27.19, the A platform cloud forwards the authentication result to the A platform gateway. Distribution of provisioning data (Distribution of Provisioning Data) is then performed between the A platform gateway and the device.
Step 28, the A platform gateway announces the authentication result to the user.
Optionally, in the above steps, an example of calculation mode 1 for the confirmation key (ConfirmationKey), the configuration end confirmation value (provisioner confirmation) and the device end confirmation value (device confirmation) is as follows:
ConfirmationProvisioner = AES-CMAC_ConfirmationKey(RandomProvisioner || AuthValue);
ConfirmationDevice = AES-CMAC_ConfirmationKey(RandomDevice || AuthValue);
ConfirmationKey = k1(ECDHSecret, ConfirmationSalt, "prck");
ConfirmationSalt = s1(ConfirmationInputs);
ConfirmationInputs = ProvisioningInvitePDUValue || ProvisioningCapabilitiesPDUValue || ProvisioningStartPDUValue || PublicKeyProvisioner || PublicKeyDevice;
ECDHSecret = P-256(private key, peer public key).
In the above calculation, AES-CMAC, k1, s1 and P-256 are examples of algorithms, and "||" denotes concatenation. AuthValue represents the authentication information of the device in the current network distribution flow; ConfirmationKey represents the confirmation key; ConfirmationProvisioner represents the configuration end confirmation value; RandomProvisioner represents the configuration end random number; ConfirmationDevice represents the device end confirmation value; RandomDevice represents the device end random number; ECDHSecret represents the shared root key; ConfirmationSalt represents the confirmation salt value; "prck" represents a fixed string; ProvisioningInvitePDUValue represents the Provisioning Invite PDU value; ProvisioningCapabilitiesPDUValue represents the Provisioning Capabilities PDU value; ProvisioningStartPDUValue represents the Provisioning Start PDU value; PublicKeyProvisioner represents the configuration end public key; PublicKeyDevice represents the device end public key. In P-256, each party uses its own private key together with the public key of the peer.
Because the authentication information of the E company device is stored in the B platform cloud, the A platform cloud forwards the confirmation key generated by the gateway to the B platform cloud, the B platform cloud completes the authentication operation of the device, and the A platform cloud forwards the configuration end confirmation value and the configuration end random number generated by the B platform cloud to the gateway. Referring to the calculation formula of the configuration end confirmation value ConfirmationProvisioner: since the confirmation key ConfirmationKey is held by the gateway, once the gateway receives the configuration end confirmation value it holds every input of that formula except AuthValue, so AuthValue can be reversed out of the confirmation value and the authentication information of the device is leaked.
For the problem of AuthValue leakage, the algorithm may be enhanced. For example, if the Algorithm field is BTM_ECDH_P256_HMAC_SHA256_AES_CCM, the configuration side confirmation value and the device side confirmation value may each be 256-bit values. An example of calculation mode 2 is as follows:
ConfirmationProvisioner = HMAC-SHA-256(ConfirmationKey, RandomProvisioner);
ConfirmationDevice = HMAC-SHA-256(ConfirmationKey, RandomDevice);
ConfirmationKey = k5(ECDHSecret || AuthValue, ConfirmationSalt256, "prck256");
ConfirmationSalt256 = s2(ConfirmationInputs);
ConfirmationInputs = ProvisioningInvitePDUValue || ProvisioningCapabilitiesPDUValue || ProvisioningStartPDUValue || PublicKeyProvisioner || PublicKeyDevice;
ECDHSecret = P-256(private key, peer public key).
Compared with calculation mode 1, the algorithms are changed to HMAC-SHA-256, k5 and s2, the confirmation salt value becomes ConfirmationSalt256, and the string becomes "prck256". AuthValue now enters the derivation of the confirmation key instead of being part of the MAC input, which reduces the risk of AuthValue being reversed out of a confirmation value. However, the network distribution interaction in the Mesh Profile that adopts the enhanced algorithm only takes place between the gateway and the device, so it cannot be directly deployed in the network architecture of a cross-platform device.
Fig. 3 shows a flow chart of another exemplary access authentication method. The method can be applied to the Bluetooth Mesh device cross-platform access authentication system shown in Fig. 1 and comprises the following steps:
Step 31, the user activates scanning on the A platform gateway by voice or through an APP.
Step 32, the E company device (for example, a Bluetooth Mesh device developed based on the B platform) broadcasts a Bluetooth Mesh unprovisioned broadcast packet according to the specification, where the broadcast packet carries a UUID, a CID and a random number. The CID in the broadcast packet is that of the B platform cloud.
In each network distribution flow, the device generates a random number corresponding to that flow and carries it in the broadcast packet.
Step 33, the A platform gateway queries the device type and carries the random number. After the A platform gateway acquires the unprovisioned broadcast information broadcast by the device, it uploads the information to the A platform cloud to query the device type, and uploads the random number to the A platform cloud as well.
Step 33.1, the A platform cloud judges whether the device is an A platform device.
Step 33.2, the A platform cloud queries the platform information (CID) corresponding to the device.
After receiving the device information reported by the A platform gateway, the A platform cloud determines from the CID that the device was not developed based on the A platform and that authorization by another platform is required.
Step 33.3, the A platform cloud obtains the information of the B platform cloud corresponding to the CID through the interconnection server.
Optionally, the information of the B platform cloud includes information such as the rights management server of the B platform cloud.
Step 33.4, the A platform cloud sends a message to the B platform cloud querying the device type; the message may carry the platform information, the CID, the universally unique identifier (Universally Unique Identifier, UUID), the random number, etc.
Step 33.5, the B platform cloud checks whether the random number has already been used by the device and computes the static OOB information. The number of device side random number records kept in the cloud can be determined by the user. In this way the B platform cloud checks the validity of the random number and calculates the authentication information for the current network distribution flow.
Step 33.6, the A platform cloud obtains the device type, the device information and the static OOB information from the B platform cloud.
Step 34, the A platform cloud forwards the device type and the static OOB information to the A platform gateway.
Step 35, the A platform gateway announces the device and the device type to the user.
Step 36, user input: connect the device.
Step 37, the A platform gateway and the device perform the link and invite procedure.
Step 37.1, the A platform gateway sends Provisioning Start to the device.
Step 37.2, the A platform gateway sends the configuration side public key to the device.
Step 37.3, the device sends the device side public key to the A platform gateway.
Step 37.4, the device and the A platform gateway perform the ECDH calculation.
Step 37.5, the A platform gateway sends the configuration end confirmation value to the device. Since the A platform gateway has obtained the authentication information (the static OOB information originating from the second platform), the configuration end confirmation value can be calculated and generated.
Step 37.6, the device sends the device side confirmation value to the A platform gateway.
Step 37.7, the A platform gateway sends the configuration end random number to the device. The configuration side confirmation value may be generated by the A platform gateway.
Step 37.8, the device checks the configuration end confirmation value.
Step 37.9, after the check passes, the device returns the device side random number to the A platform gateway.
Step 37.10, the A platform gateway performs authentication verification.
Step 37.11, the A platform gateway returns the authentication result.
Step 37.12, the A platform cloud stores the device information. Distribution of provisioning data (Distribution of Provisioning Data) is performed between the A platform gateway and the device.
Step 38, the A platform gateway announces the authentication result to the user.
In this manner, the device can circumvent the problem of AuthValue leakage by generating a fresh random number (Random) each time and regenerating the OOB for every network distribution cycle. However, since the authentication result of the device is determined by the gateway, when the gateway and the A platform cloud do not belong to the same company, the gateway may declare that an "illegal device" has passed authentication, so that the "illegal device" is admitted to the A platform cloud without ever being authenticated by the B platform cloud.
Fig. 4 is a schematic flow chart diagram of an access authentication method 200 according to an embodiment of the present application. The method may alternatively be applied to the system shown in fig. 1, but is not limited thereto. The method includes at least some of the following.
And S210, the platform gateway sends key parameters to the platform cloud, wherein the key parameters are used for generating a confirmation key and configuration authentication information in the platform cloud.
S220, the platform gateway receives the configuration authentication information from the platform cloud.
And S230, the platform gateway sends equipment authentication information to the platform cloud based on the configuration authentication information so as to perform access authentication on equipment to be authenticated based on the confirmation key and the equipment authentication information in the platform cloud.
For example, a device to be authenticated may be developed based on a certain platform. Authentication information, such as AuthValue, for the device may be stored in the platform. The AuthValue corresponding to the device can be found by the UUID of the device. After the platform gateway and the device to be authenticated complete the connection and Invitation process (Link & invite) and the exchange public key process (Exchange public key), the gateway may report the key parameters generated in the device authentication to the platform cloud.
Optionally, the key parameter includes a shared root key and/or a validation salt value.
Illustratively, the platform gateway and the device to be authenticated may support the FIPS P-256 elliptic curve algorithm and generate the shared root key ECDHSecret by performing an ECDH calculation. For example, the shared root key is calculated as ECDHSecret = P-256(private key, peer public key), where the private key is each party's own private key and the peer public key is the public key of the other party.
Illustratively, the platform gateway may obtain the confirmation input value (ConfirmationInputs); from the confirmation input value, a confirmation salt value can be generated, for example ConfirmationSalt in calculation mode 1 or ConfirmationSalt256 in calculation mode 2 described above.
Optionally, the platform gateway may send the key parameters and the UUID to the platform cloud. The platform cloud obtains the AuthValue (authorization value) corresponding to the device to be authenticated based on the UUID, and the confirmation key can then be calculated based on the key parameters and the AuthValue.
For example, referring to calculation mode 2 described above, the platform cloud can calculate the confirmation key ConfirmationKey = k5(ECDHSecret || AuthValue, ConfirmationSalt256, "prck256") from the found AuthValue together with the received key parameters ECDHSecret and ConfirmationSalt256, where "prck256" may be a constant.
For another example, the platform cloud may generate a configuration-side random number RandomProvisioner and, referring to calculation mode 2, calculate the configuration-side confirmation value ConfirmationProvisioner = HMAC-SHA-256(ConfirmationKey, RandomProvisioner) based on the confirmation key ConfirmationKey and the configuration-side random number RandomProvisioner.
Optionally, the device authentication information includes: a device-side acknowledgement value and/or a device-side random number.
Optionally, the configuration authentication information includes a configuration side acknowledgement value and/or a configuration side random number.
Optionally, in one manner, the platform gateway receives the configuration authentication information from the platform cloud, including: the platform gateway receives the configuration end confirmation value and the configuration end random number from the platform cloud. In this manner, the gateway may receive both the configuration side acknowledgement value and the configuration side random number. For example, the gateway receives configuration authentication information including a configuration side acknowledgement value and a configuration side random number.
For example, if the platform gateway receives configuration authentication information that includes both the configuration-side confirmation value and the configuration-side random number, the configuration-side confirmation value may be transmitted to the device to be authenticated, and after the device passes its check of the configuration-side confirmation value, the device-side confirmation value is returned to the platform gateway. The platform gateway then receives the device-side confirmation value from the device to be authenticated and sends the configuration-side random number to the device. After the confirmation value has been authenticated on the device, the device to be authenticated can send the device-side random number to the platform gateway. The platform gateway may then send device authentication information including the device-side confirmation value and the device-side random number to the platform cloud, and the platform cloud may verify the device-side confirmation value. Through this bidirectional authentication between the device and the platform cloud, illegal devices and illegal gateways can be prevented from passing the authentication, and the security of the authentication process is improved.
For example, the manner in which the device checks the configuration-side confirmation value may include:
the device to be authenticated calculates a configuration-side confirmation value based on the confirmation key and the configuration-side random number, and compares the calculated configuration-side confirmation value with the received configuration-side confirmation value; if the two are the same, the authentication passes, that is, the device's check of the configuration-side confirmation value passes.
Illustratively, the manner in which the platform cloud checks the device-side confirmation value may include:
the platform cloud calculates a device-side confirmation value based on the confirmation key and the device-side random number, and compares the calculated device-side confirmation value with the received device-side confirmation value; if the two are the same, the authentication passes, that is, the platform cloud's check of the device-side confirmation value passes.
Optionally, in another manner, the platform gateway receives the configuration authentication information from the platform cloud, including:
the platform gateway receives the configuration end confirmation value from the platform cloud;
after the platform gateway sends the device-side confirmation value to the platform cloud, the platform gateway receives the configuration-side random number from the platform cloud.
In this manner, the platform gateway receives configuration authentication information including the configuration-side confirmation value and configuration authentication information including the configuration-side random number separately. For example, the platform gateway receives configuration authentication information including the configuration-side confirmation value from the platform cloud and sends the configuration-side confirmation value to the device; after the device passes its check of the configuration-side confirmation value, it returns the device-side confirmation value to the platform gateway. Only after obtaining the device-side confirmation value from the device and sending it to the platform cloud does the platform gateway receive configuration authentication information including the configuration-side random number from the platform cloud. This method ensures that the gateway never holds the configuration-side confirmation value and the configuration-side random number at the same time, so that a gateway cannot use both values to break the confirmation key and then pass the authentication with a self-generated device-side confirmation value and device-side random number, which better protects the information security of the authentication process.
Optionally, the method further comprises:
the platform gateway sends the configuration end confirmation value to the equipment to be authenticated;
receiving a device-side confirmation value from the device to be authenticated;
and the platform gateway sends the equipment end confirmation value to the platform cloud.
For example, if the platform gateway first receives the configuration-side confirmation value, it may send the configuration-side confirmation value to the device to be authenticated, receive the device-side confirmation value from the device, and then send the device-side confirmation value to the platform cloud. Only then does the platform gateway receive the configuration-side random number from the platform cloud.
Optionally, the method further comprises:
the platform gateway sends the configuration-side random number to the device to be authenticated, so that the configuration-side confirmation value is authenticated in the device to be authenticated based on the configuration-side random number;
the platform gateway receives the device-side random number from the device to be authenticated;
the platform gateway sends the device-side random number to the platform cloud.
Illustratively, after receiving the configuration-side random number from the platform cloud, the platform gateway may send it to the device to be authenticated. After the confirmation value has been authenticated on the device, the device to be authenticated can send the device-side random number to the platform gateway, which forwards it to the platform cloud. In this example, the platform gateway sends device authentication information including the device-side confirmation value and device authentication information including the device-side random number to the platform cloud separately. The platform cloud may verify the device-side confirmation value. Through this bidirectional authentication between the device and the platform cloud, illegal devices and illegal gateways can be prevented from passing the authentication, and the security of the authentication process is improved.
Optionally, the platform cloud includes a first platform cloud and a second platform cloud; the platform gateway sends key parameters to the platform cloud, including:
the platform gateway sends the key parameter to the second platform cloud through the first platform cloud.
Illustratively, if the AuthValue of the device to be authenticated is maintained in a second platform cloud, such as the B-platform cloud, and the device interacts with the second platform cloud through a first platform cloud, such as the A-platform cloud, the platform gateway may send the key parameters to the first platform cloud, and the first platform cloud then sends the key parameters to the second platform cloud.
Optionally, in one manner, the platform gateway receives the configuration authentication information from the platform cloud, including: the platform gateway receives a configuration end confirmation value and a configuration end random number from the first platform cloud, the configuration end confirmation value and the configuration end random number being received by the first platform cloud from the second platform cloud. In this manner, the second platform cloud may send configuration authentication information including the configuration-side confirmation value and the configuration-side random number to the first platform cloud. The first platform cloud sends configuration authentication information comprising a configuration end confirmation value and a configuration end random number to the platform gateway. The platform gateway may receive the configuration side acknowledgement value and the configuration side random number simultaneously.
Optionally, in another manner, the platform gateway receives the configuration authentication information from the platform cloud, including:
the platform gateway receives a configuration-side confirmation value from the first platform cloud;
after sending a device-side confirmation value to the first platform cloud, the platform gateway receives a configuration-side random number from the first platform cloud;
where the configuration-side confirmation value and the configuration-side random number are received by the first platform cloud from the second platform cloud.
In this manner, the second platform cloud may send configuration authentication information including the configuration-side confirmation value and the configuration-side random number to the first platform cloud. The first platform cloud may first send configuration authentication information including a configuration end confirmation value to the platform gateway. After obtaining the device-end confirmation value from the device to be authenticated and sending the device-end confirmation value to the first platform cloud, the platform gateway receives configuration authentication information comprising the configuration-end random number from the first platform cloud. In this manner, the platform gateway may receive configuration authentication information including the configuration side acknowledgement value and configuration authentication information including the configuration side random number, respectively.
Fig. 5 is a schematic flow chart diagram of an access authentication method 300 according to another embodiment of the present application. The method may alternatively be applied to the system shown in fig. 1, but is not limited thereto. The method includes at least some of the following.
S310, the first platform cloud generates a confirmation key and configuration authentication information based on the key parameters;
S320, the first platform cloud sends the configuration authentication information to a platform gateway;
S330, the first platform cloud performs access authentication on the device to be authenticated based on the confirmation key and the device authentication information from the platform gateway.
Optionally, the method further comprises: the first platform cloud receives key parameters from the platform gateway.
Optionally, the method further comprises: the first platform cloud receives device authentication information from the platform gateway, wherein the device authentication information is acquired from the device to be authenticated by the platform gateway through the configuration authentication information.
Optionally, the key parameter includes a shared root key and/or a validation salt value.
Optionally, the device authentication information includes: a device-side acknowledgement value and/or a device-side random number.
Optionally, the configuration authentication information includes a configuration side acknowledgement value and/or a configuration side random number.
Optionally, the sending, by the first platform cloud, the configuration authentication information to the platform gateway includes:
the first platform cloud sends the configuration end confirmation value and the configuration end random number to the platform gateway.
Optionally, the sending, by the first platform cloud, the configuration authentication information to the platform gateway includes:
the first platform cloud sends the configuration-side confirmation value to the platform gateway;
after receiving the device-side confirmation value, the first platform cloud sends the configuration-side random number to the platform gateway.
Optionally, the first platform cloud performing access authentication on the device to be authenticated based on the confirmation key and the device authentication information from the platform gateway includes: when the device authentication information and the configuration authentication information differ, the first platform cloud performs access authentication on the device to be authenticated based on the confirmation key and the device authentication information.
Optionally, the case in which the device authentication information and the configuration authentication information differ includes at least one of:
the device-side confirmation value and the configuration-side confirmation value are different;
the device-side random number and the configuration-side random number are different.
Optionally, the first platform cloud performing access authentication on the device to be authenticated based on the confirmation key and the device authentication information includes:
the first platform cloud calculates a device-side confirmation value based on the confirmation key and the device-side random number;
the first platform cloud compares the calculated device-side confirmation value with the received device-side confirmation value, and the authentication passes if the two are the same.
For specific examples of the first platform cloud performing method 300 in this embodiment, refer to the related descriptions of method 200 regarding the first platform cloud, such as the A-platform cloud; they are not repeated here for brevity.
Fig. 6 is a schematic flow chart diagram of an access authentication method 400 according to another embodiment of the present application. The method may alternatively be applied to the system shown in fig. 1, but is not limited thereto. The method includes at least some of the following.
S410, the second platform cloud generates a confirmation key and configuration authentication information based on the key parameters;
S420, the second platform cloud sends the configuration authentication information to the platform gateway through the first platform cloud;
S430, the second platform cloud performs access authentication on the device to be authenticated based on the confirmation key and the device authentication information.
Optionally, the method further comprises: the second platform cloud receives the key parameter from the first platform cloud, the key parameter being obtained by the first platform cloud from a platform gateway.
Optionally, the method further comprises: the second platform cloud receives the device authentication information from the first platform cloud, the device authentication information is obtained by the second platform cloud from the platform gateway through the first platform cloud, and the device authentication information is obtained by the platform gateway from the device to be authenticated by using the configuration authentication information.
Optionally, the key parameter includes a shared root key and/or a validation salt value.
Optionally, the device authentication information includes: a device-side acknowledgement value and/or a device-side random number.
Optionally, the configuration authentication information includes a configuration side acknowledgement value and/or a configuration side random number.
Optionally, the second platform cloud sending the configuration authentication information to the platform gateway through the first platform cloud includes: the second platform cloud sends the configuration-side confirmation value and the configuration-side random number to the first platform cloud, and the first platform cloud sends the configuration-side confirmation value and the configuration-side random number to the platform gateway.
Optionally, the second platform cloud sending the configuration authentication information to the platform gateway through the first platform cloud includes: the second platform cloud sends the configuration-side confirmation value and the configuration-side random number to the first platform cloud, the first platform cloud sends the configuration-side confirmation value to the platform gateway, and the first platform cloud sends the configuration-side random number to the platform gateway after receiving the device-side confirmation value.
Optionally, the second platform cloud performing access authentication on the device to be authenticated based on the confirmation key and the device authentication information includes: when the device authentication information and the configuration authentication information differ, the second platform cloud performs access authentication on the device to be authenticated based on the confirmation key and the device authentication information.
Optionally, the case in which the device authentication information and the configuration authentication information differ includes at least one of:
the device-side confirmation value and the configuration-side confirmation value are different;
the device-side random number and the configuration-side random number are different.
Optionally, the second platform cloud performing access authentication on the device to be authenticated based on the confirmation key and the device authentication information includes:
the second platform cloud calculates a device-side confirmation value based on the confirmation key and the device-side random number;
the second platform cloud compares the calculated device-side confirmation value with the received device-side confirmation value, and the authentication passes if the two are the same.
For specific examples of the second platform cloud performing method 400 in this embodiment, refer to the related descriptions of the second platform cloud, such as the B-platform cloud, in methods 200 and 300 above; they are not repeated here for brevity.
The following are several specific examples of embodiments of the present application.
Example 1:
In this example, the authentication and authorization manner of the device to be authenticated, such as a Bluetooth Mesh device, may employ the static OOB manner (the OOB information is constant) specified in the Bluetooth Mesh protocol.
The scheme of this example is suitable for cross-platform access authentication, achieves bidirectional authentication between the device and the platform, and can prevent the problems caused by illegal devices and illegal gateways.
Taking the device to be authenticated as a company-B device, the platform gateway as the A-platform gateway, the first platform cloud as the A-platform cloud and the second platform cloud as the B-platform cloud as an example, as shown in Fig. 7, the authentication flow of this example mainly includes the following steps:
Step 41, the user activates the A-platform gateway to scan, using voice or an APP.
Step 42, the device (for example, a Bluetooth Mesh device developed based on the B-platform) broadcasts a Bluetooth Mesh unprovisioned (non-network-allocated) broadcast packet according to the specification, where the broadcast packet contains the CID of the B-platform and the UUID of the device.
Step 43, after acquiring the unprovisioned broadcast information broadcast by the device, the A-platform gateway uploads the information (such as the CID and UUID) to the A-platform cloud to query the device type.
After receiving the device information reported by the gateway, the A-platform cloud determines from the CID that the device was not developed based on the A-platform, and then obtains the device type through the B-platform cloud.
Specifically, in step 43.1, the A-platform cloud sends the CID and UUID to the B-platform cloud to query the device type, and in step 43.2 the B-platform cloud returns the device type to the A-platform cloud.
Step 44, the A-platform cloud sends the device type to the A-platform gateway.
Step 45, the A-platform gateway announces the device and the device type to the user.
Step 46, the user inputs: connect the device.
Step 47, the A-platform gateway and the device carry out the connection, invitation and public key exchange flows (Link & Invite & Exchange Public Key).
Step 47.1, the A-platform gateway sends a configuration start to the device.
Step 47.2, the A-platform gateway sends the configuration-side public key to the device.
Step 47.3, the device sends the device-side public key to the A-platform gateway.
Step 47.4, the device and the A-platform gateway perform the ECDH calculation.
Step 47.5, after the gateway and the device complete Link & Invite & Exchange Public Key, the gateway reports the key parameters generated in the device authentication, such as ECDHSecret and ConfirmationSalt256, to the A-platform cloud.
Step 47.6, the A-platform cloud reports the key parameters to the B-platform cloud.
Step 47.7, the B-platform cloud calculates and generates the confirmation key (Confirmation Key), generates a configuration-side random number (provisioner random), and calculates and generates the configuration-side confirmation value (provisioner confirmation) based on this information.
Step 47.8, the A-platform cloud obtains the configuration-side confirmation value (provisioner confirmation) and the configuration-side random number (provisioner random) required for authentication from the B-platform cloud; that is, the B-platform cloud sends authentication information including the configuration-side confirmation value and the configuration-side random number to the A-platform cloud.
Step 47.9, the A-platform cloud sends authentication information including the configuration-side confirmation value and the configuration-side random number to the A-platform gateway.
Step 47.10, the A-platform gateway sends the configuration-side confirmation value to the device.
Step 47.11, the device returns a device-side confirmation value (device confirmation) to the A-platform gateway.
Step 47.12, the gateway sends the configuration-side random number (provisioner random) to the device.
Step 47.13, the device checks the configuration-side confirmation value (check confirmation).
Step 47.14, after the check passes, the device returns a device-side random number (device random) to the A-platform gateway.
Step 47.15, the gateway reports the device-side confirmation value and the device-side random number of the device to the A-platform cloud; for example, the gateway transmits device authentication information including the device-side confirmation value and the device-side random number to the A-platform cloud.
Step 47.16, the A-platform cloud sends the device-side confirmation value and the device-side random number to the B-platform cloud; for example, the A-platform cloud transmits device authentication information including the device-side confirmation value and the device-side random number to the B-platform cloud.
Step 47.17, the B-platform cloud performs the authentication check.
Specifically, the B-platform cloud may determine whether the device-side confirmation value is the same as the configuration-side confirmation value and whether the device-side random number is the same as the configuration-side random number, and then check the device-side confirmation value (check confirmation). For example, if the device-side confirmation value differs from the configuration-side confirmation value and the device-side random number differs from the configuration-side random number, the check of the device-side confirmation value continues.
Step 47.18, the B-platform cloud returns the authentication result, which may include device information, to the A-platform cloud.
Step 47.19, the A-platform cloud stores the device information.
Step 47.20, the A-platform cloud returns the authentication result to the A-platform gateway.
The configuration data distribution flow (Distribution of Provision Data) is then performed between the A-platform gateway and the device.
Step 48, the A-platform gateway announces the authentication result to the user.
In this example, the B-platform cloud calculates the confirmation key and generates the provisioner confirmation, so that mutual authentication between the device and the B-platform cloud is achieved, AuthValue leakage is effectively prevented, and the scheme can be deployed as a cross-platform device access authentication standard.
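The confirmation flow of methods 200 to 400 and of Example 1, as an added simulation that is not code from the patent or from the applicant: the cloud holds the AuthValue and derives the confirmation key, the gateway only relays values, the device commits its confirmation value before the configuration-side random number is revealed, and the cloud rejects device values that merely repeat the configuration-side pair (step 47.17) before recomputing the device-side confirmation. It assumes the Bluetooth Mesh 256-bit s2/k5 definitions stated in the comments, and every sample value (UUID, AuthValue, ECDHSecret, ConfirmationInputs) is constructed.

```python
import hashlib
import hmac
import os

# Assumed Bluetooth Mesh 256-bit ("calculation mode 2") primitives, not quoted on the page:
# s2(M) = HMAC-SHA-256(ZERO, M) and k5(N, SALT, P) = HMAC-SHA-256(HMAC-SHA-256(SALT, N), P).
ZERO = bytes(32)

# Constructed sample values; none of them come from the patent.
DEVICE_UUID = bytes.fromhex("00112233445566778899aabbccddeeff")
DEVICE_AUTH_VALUE = bytes.fromhex("a1" * 32)   # static OOB AuthValue held only by device and cloud
ECDH_SECRET = bytes(range(32))                 # stands in for the P-256 ECDHSecret of both sides
CONFIRMATION_INPUTS = b"invite|capabilities|start|pubkey_prov|pubkey_dev"  # constructed PDUs


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def s2(m: bytes) -> bytes:
    return hmac_sha256(ZERO, m)


def k5(n: bytes, salt: bytes, p: bytes) -> bytes:
    return hmac_sha256(hmac_sha256(salt, n), p)


def confirmation_key(ecdh_secret: bytes, auth_value: bytes, salt256: bytes) -> bytes:
    # ConfirmationKey = k5(ECDHSecret || AuthValue, ConfirmationSalt256, "prck256")
    return k5(ecdh_secret + auth_value, salt256, b"prck256")


class PlatformCloud:
    """Holds the AuthValue per UUID and does the cloud-side work of methods 300/400."""

    def __init__(self, auth_values: dict):
        self._auth_values = auth_values
        self._sessions = {}

    def start(self, uuid: bytes, ecdh_secret: bytes, salt256: bytes):
        # S310: key parameters + AuthValue -> ConfirmationKey, RandomProvisioner, ConfirmationProvisioner
        key = confirmation_key(ecdh_secret, self._auth_values[uuid], salt256)
        rand_prov = os.urandom(32)
        conf_prov = hmac_sha256(key, rand_prov)
        self._sessions[uuid] = (key, conf_prov, rand_prov)
        return conf_prov, rand_prov

    def verify(self, uuid: bytes, conf_dev: bytes, rand_dev: bytes) -> bool:
        # S330 / step 47.17: device-side pair must differ from the configuration-side pair,
        # then ConfirmationDevice is recomputed from RandomDevice and compared.
        key, conf_prov, rand_prov = self._sessions.pop(uuid)
        if conf_dev == conf_prov or rand_dev == rand_prov:
            return False
        return hmac.compare_digest(hmac_sha256(key, rand_dev), conf_dev)


class MeshDevice:
    """Device holding its own static OOB AuthValue; it also authenticates the other side."""

    def __init__(self, uuid: bytes, auth_value: bytes):
        self.uuid = uuid
        self._auth_value = auth_value
        self.provisioner_ok = None   # result of the device's own check (step 47.13)

    def start(self, ecdh_secret: bytes, salt256: bytes):
        self._key = confirmation_key(ecdh_secret, self._auth_value, salt256)
        self._rand_dev = os.urandom(32)

    def commit(self, conf_prov: bytes) -> bytes:
        # Steps 47.10/47.11: answer with ConfirmationDevice before RandomProvisioner is known
        self._conf_prov = conf_prov
        return hmac_sha256(self._key, self._rand_dev)

    def reveal(self, rand_prov: bytes) -> bytes:
        # Steps 47.12-47.14: check the configuration-side value, then release RandomDevice
        self.provisioner_ok = hmac.compare_digest(
            hmac_sha256(self._key, rand_prov), self._conf_prov)
        return self._rand_dev


def provision(cloud: PlatformCloud, device: MeshDevice, ecdh_secret: bytes,
              confirmation_inputs: bytes) -> bool:
    """The platform gateway's part of method 200: it relays values and never sees AuthValue."""
    salt256 = s2(confirmation_inputs)                                      # ConfirmationSalt256
    device.start(ecdh_secret, salt256)
    conf_prov, rand_prov = cloud.start(device.uuid, ecdh_secret, salt256)  # S210 / S220
    conf_dev = device.commit(conf_prov)
    rand_dev = device.reveal(rand_prov)
    return cloud.verify(device.uuid, conf_dev, rand_dev)                   # S230


def reflected_values_rejected(cloud: PlatformCloud, uuid: bytes, ecdh_secret: bytes,
                              confirmation_inputs: bytes) -> bool:
    """Echoing the configuration-side pair as the device's answer fails the 'values differ'
    condition of step 47.17, even though the HMAC itself would match."""
    conf_prov, rand_prov = cloud.start(uuid, ecdh_secret, s2(confirmation_inputs))
    return cloud.verify(uuid, conf_prov, rand_prov)
```

A device created with a different AuthValue fails both directions: the cloud's check of its device-side confirmation value and the device's own check of the configuration-side confirmation value.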
Example 2:
In this example, the authentication and authorization manner of the device to be authenticated, such as a Bluetooth Mesh device, may employ the static OOB manner (the OOB information is constant) specified in the Bluetooth Mesh protocol.
The scheme of this example can be applied in a cross-platform access authentication implementation to achieve bidirectional authentication between the device and the platform and prevent the problems caused by illegal devices and illegal gateways.
Taking the device to be authenticated as a company-A device, the platform gateway as the A-platform gateway and the platform cloud as the A-platform cloud as an example, as shown in Fig. 8, the authentication flow of this example mainly includes the following steps:
Step 51, the user activates the A-platform gateway to scan, using voice or an APP.
Step 52, the company-A device (for example, a Bluetooth Mesh device developed based on the A-platform) broadcasts a Bluetooth Mesh unprovisioned (non-network-allocated) broadcast packet according to the specification, where the broadcast packet includes the CID of the A-platform and the UUID of the device.
Step 53, after acquiring the unprovisioned broadcast information broadcast by the device, the A-platform gateway uploads the information (such as the CID and UUID) to the A-platform cloud to query the device type.
Step 54, the A-platform cloud sends the device type to the A-platform gateway.
Step 55, the A-platform gateway announces the device and the device type to the user.
Step 56, the user inputs: connect the device.
Step 57, the A-platform gateway and the device carry out the connection, invitation and public key exchange flows (Link & Invite & Exchange Public Key).
Step 57.1, the A-platform gateway sends a configuration start to the device.
Step 57.2, the A-platform gateway sends the configuration-side public key to the device.
Step 57.3, the device sends the device-side public key to the A-platform gateway.
Step 57.4, the device and the A-platform gateway perform the ECDH calculation.
Step 57.5, after the gateway and the device complete the connection, invitation and public key exchange flows, the gateway reports the key parameters generated in the device authentication, such as ECDHSecret and ConfirmationSalt256, to the A-platform cloud.
Step 57.6, the A-platform cloud calculates and generates the confirmation key based on this information, generates a configuration-side random number, and calculates and generates the configuration-side confirmation value.
Step 57.7, the A-platform cloud transmits authentication information including the configuration-side confirmation value and the configuration-side random number to the A-platform gateway.
Step 57.8, the A-platform gateway sends the configuration-side confirmation value to the device.
Step 57.9, the device returns a device-side confirmation value to the A-platform gateway.
Step 57.10, the gateway sends the configuration-side random number to the device.
Step 57.11, the device checks the configuration-side confirmation value.
Step 57.12, after the check passes, the device returns the device-side random number to the A-platform gateway.
Step 57.13, the gateway reports the device-side confirmation value and the device-side random number of the device to the A-platform cloud; for example, the gateway transmits device authentication information including the device-side confirmation value and the device-side random number to the A-platform cloud.
Step 57.14, the A-platform cloud performs the authentication check.
Specifically, the A-platform cloud may determine whether the device-side confirmation value is the same as the configuration-side confirmation value and whether the device-side random number is the same as the configuration-side random number, and then check the device-side confirmation value (check confirmation). For example, if the device-side confirmation value differs from the configuration-side confirmation value and the device-side random number differs from the configuration-side random number, the check of the device-side confirmation value continues.
Step 57.15, the A-platform cloud stores the device information.
Step 57.16, the A-platform cloud returns the authentication result to the A-platform gateway.
The configuration data distribution flow (Distribution of Provision Data) is then performed between the A-platform gateway and the device.
Step 58, the A-platform gateway announces the authentication result to the user.
In this example, although the device, the gateway and the cloud all belong to the same family, the cloud still authenticates the device, so that the cloud is prevented from issuing the AuthValue directly to the gateway, and even the low-probability risk of AuthValue leakage is avoided.
Example 3:
In this example, the authentication of the device to be authenticated, for example a Bluetooth Mesh device, may use the static OOB method specified in the Bluetooth Mesh protocol (the OOB information is a fixed value).
The scheme of this example can be applied to a cross-platform access authentication implementation to achieve mutual authentication between the device and the platform, and to prevent the problems caused by illegitimate devices and illegitimate gateways.
Taking the device to be authenticated as a B-company device, the platform gateway as the A-platform gateway, the first platform cloud as the A-platform cloud and the second platform cloud as the B-platform cloud as an example, as shown in Fig. 9, the authentication flow of this example mainly comprises the following steps:
Step 61: the user activates scanning on the A-platform gateway by voice or through the APP.
Step 62: the device (for example, a Bluetooth Mesh device developed on the B platform) broadcasts an unprovisioned Bluetooth Mesh beacon according to the specification; the beacon carries the CID of the B platform and the UUID of the device.
Step 63: after the A-platform gateway receives the unprovisioned beacon broadcast by the device, it uploads the information (such as the CID and UUID) to the A-platform cloud and queries the device type.
After receiving the device information reported by the gateway, the A-platform cloud determines from the CID that the device was not developed on the A platform, and therefore obtains the device type from the B-platform cloud.
Specifically, in step 63.1 the A-platform cloud sends the CID and UUID to the B-platform cloud to query the device type, and in step 63.2 the B-platform cloud returns the device type to the A-platform cloud.
Step 64: the A-platform cloud sends the device type to the A-platform gateway.
Step 65: the A-platform gateway announces the device and its device type to the user.
Step 66: user input: connect the device.
Step 67: the A-platform gateway and the device perform the connection, invitation and public-key exchange flows.
Step 67.1: the A-platform gateway sends a configuration start (provisioning start) to the device.
Step 67.2: the A-platform gateway sends the configuration-side public key to the device.
Step 67.3: the device sends the device-side public key to the A-platform gateway.
Step 67.4: the device and the A-platform gateway perform the ECDH calculation.
Step 67.5: after the gateway and the device complete the connection, invitation and public-key exchange flows, the gateway reports the key parameters generated during device authentication, such as ECDHSecret and ConfirmationSalt256, to the A-platform cloud.
Step 67.6: the A-platform cloud forwards the key parameters to the B-platform cloud.
Step 67.7: the B-platform cloud computes the confirmation key (Confirmation Key) from these parameters, generates a configuration-side random number (provisioner random) and computes the configuration-side confirmation value (provisioner confirmation).
Step 67.8: the A-platform cloud obtains from the B-platform cloud the configuration-side confirmation value (provisioner confirmation) and the configuration-side random number (provisioner random) required for authentication. That is, the B-platform cloud sends configuration authentication information comprising the configuration-side confirmation value and the configuration-side random number to the A-platform cloud.
Step 67.9: the A-platform cloud sends configuration authentication information comprising the configuration-side confirmation value to the A-platform gateway; the configuration-side random number is withheld at this point.
Step 67.10: the A-platform gateway sends the configuration-side confirmation value to the device.
Step 67.11: the device returns the device-side confirmation value to the A-platform gateway.
Step 67.12: the gateway reports the device-side confirmation value to the A-platform cloud. For example, the gateway sends device authentication information comprising the device-side confirmation value to the A-platform cloud.
Step 67.13: the A-platform cloud sends the configuration-side random number to the A-platform gateway.
Step 67.14: the gateway sends the configuration-side random number to the device.
Step 67.15: the device checks the configuration-side confirmation value.
Step 67.16: if the check passes, the device returns the device-side random number to the A-platform gateway.
Step 67.17: the gateway reports the device-side random number to the A-platform cloud. For example, the gateway sends device authentication information comprising the device-side random number to the A-platform cloud.
Step 67.18: the A-platform cloud sends the device-side confirmation value and the device-side random number to the B-platform cloud. For example, the A-platform cloud sends device authentication information comprising the device-side confirmation value and the device-side random number to the B-platform cloud.
Step 67.19: the B-platform cloud performs the authentication check.
Specifically, the B-platform cloud may determine whether the device-side confirmation value equals the configuration-side confirmation value and whether the device-side random number equals the configuration-side random number, and then check the device-side confirmation value (check confirmation). For example, only if the device-side confirmation value differs from the configuration-side confirmation value and the device-side random number differs from the configuration-side random number does the cloud go on to verify the device-side confirmation value.
Step 67.20: the B-platform cloud returns the authentication result to the A-platform cloud; the authentication result may include the device information.
Step 67.21: the A-platform cloud stores the device information.
Step 67.22: the A-platform cloud returns the authentication result to the A-platform gateway.
The A-platform gateway and the device then carry out the configuration data distribution flow.
Step 68: the A-platform gateway announces the authentication result to the user.
The main difference between Example 3 and Example 1 is the order in which the random numbers (random) and the confirmation values (confirmation) are exchanged. In Example 3 the gateway never holds the configuration-side confirmation value and the configuration-side random number at the same time until it has already reported the device-side confirmation value to the cloud. This further hinders a gateway from recovering the confirmation key (ConfirmationKey), and removes the possibility that the gateway uses the ConfirmationKey to generate a device-side random number and device-side confirmation value of its own in order to pass authentication.
In addition, in the single-platform-cloud scenario of Example 2, the exchange order of the random number and the confirmation value may likewise be changed in the manner of Example 3; this is not repeated here.
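The cloud-side computation and check described for Example 2 (steps 57.6 to 57.14) and Example 3 (steps 67.7 to 67.19), as an added worked example in Python; this is not code from the patent or from either platform. It follows the Bluetooth Mesh provisioning definitions (ConfirmationKey = k1(ECDHSecret, ConfirmationSalt, "prck"), and a confirmation value is AES-CMAC under that key over Random || AuthValue) and uses AES-CMAC from the `cryptography` package when it is installed, otherwise a clearly marked HMAC-SHA256 stand-in so the flow still runs offline. The ECDHSecret, ConfirmationSalt and AuthValue are constructed inputs, and the class and function names are the example's own. The `withhold_random` switch models the Example 3 ordering, in which the cloud releases the configuration-side random number only after the gateway has reported the device-side confirmation value; the `reflection_check` switch shows why the cloud compares the device-side values against its own before recomputing the confirmation.

```python
"""Cloud-held Bluetooth Mesh confirmation exchange relayed by a gateway.

Added example, not code from the patent. Inputs marked CONSTRUCTED are
stand-ins for values that a real run derives from the provisioning session.
"""
import hashlib
import hmac
import os

try:  # Mesh defines k1 and the confirmation values over AES-CMAC.
    from cryptography.hazmat.primitives.cmac import CMAC
    from cryptography.hazmat.primitives.ciphers import algorithms

    def mac(key: bytes, msg: bytes) -> bytes:
        c = CMAC(algorithms.AES(key))
        c.update(msg)
        return c.finalize()
    MAC_NAME = "AES-CMAC"
except ImportError:  # ASSUMPTION: 128-bit HMAC-SHA256 stand-in when cryptography is absent.
    def mac(key: bytes, msg: bytes) -> bytes:
        return hmac.new(key, msg, hashlib.sha256).digest()[:16]
    MAC_NAME = "HMAC-SHA256 truncated (stand-in)"


def k1(n: bytes, salt: bytes, p: bytes) -> bytes:
    """Mesh k1: T = MAC(salt, N); k1 = MAC(T, P). ConfirmationKey uses P = b"prck"."""
    return mac(mac(salt, n), p)


class PlatformCloud:
    """Keeps AuthValue and ConfirmationKey; the gateway only relays values."""

    def __init__(self, auth_value: bytes, withhold_random: bool):
        self.auth = auth_value
        self.withhold_random = withhold_random  # True models the Example 3 ordering
        self.ck = self.prov_random = self.prov_conf = self.dev_conf = None

    def derive(self, ecdh_secret: bytes, confirmation_salt: bytes) -> None:
        """Steps 57.6 / 67.7: key parameters in, confirmation key and provisioner values out."""
        self.ck = k1(ecdh_secret, confirmation_salt, b"prck")
        self.prov_random = os.urandom(16)
        self.prov_conf = mac(self.ck, self.prov_random + self.auth)

    def configuration_info(self):
        """Step 57.7 hands both values to the gateway; step 67.9 hands over only the confirmation."""
        return self.prov_conf, (None if self.withhold_random else self.prov_random)

    def accept_device_confirmation(self, dev_conf: bytes) -> bytes:
        """Steps 67.12-67.13: the random number is released only after the gateway commits."""
        self.dev_conf = dev_conf
        return self.prov_random

    def verify(self, dev_conf: bytes, dev_random: bytes, reflection_check: bool = True) -> bool:
        """Steps 57.14 / 67.19: reject echoed values, then recompute the device confirmation."""
        if reflection_check and (dev_conf == self.prov_conf or dev_random == self.prov_random):
            return False
        return hmac.compare_digest(mac(self.ck, dev_random + self.auth), dev_conf)


class Device:
    """Device side of the exchange with a static OOB AuthValue."""

    def __init__(self, auth_value: bytes):
        self.auth = auth_value
        self.ck = self.random = self.conf = None

    def derive(self, ecdh_secret: bytes, confirmation_salt: bytes) -> None:
        self.ck = k1(ecdh_secret, confirmation_salt, b"prck")
        self.random = os.urandom(16)
        self.conf = mac(self.ck, self.random + self.auth)

    def check_provisioner(self, prov_conf: bytes, prov_random: bytes) -> bool:
        """Steps 57.11 / 67.15: the device applies the same echo check and recomputation."""
        if prov_conf == self.conf or prov_random == self.random:
            return False
        return hmac.compare_digest(mac(self.ck, prov_random + self.auth), prov_conf)


def run_provisioning(device_auth: bytes, cloud_auth: bytes, example3: bool,
                     reflect: bool = False, reflection_check: bool = True) -> dict:
    """Drive the gateway relay between Device and PlatformCloud and report both verdicts.

    reflect=True plays a rogue device that echoes the configuration-side values back.
    """
    # CONSTRUCTED: a real run takes ECDHSecret from step 67.4 and ConfirmationSalt
    # from s1(ConfirmationInputs); fixed digests stand in for both here.
    ecdh_secret = hashlib.sha256(b"constructed ECDHSecret").digest()
    salt = hashlib.sha256(b"constructed ConfirmationInputs").digest()[:16]
    cloud, dev = PlatformCloud(cloud_auth, withhold_random=example3), Device(device_auth)
    cloud.derive(ecdh_secret, salt)
    dev.derive(ecdh_secret, salt)

    prov_conf, prov_random = cloud.configuration_info()  # cloud -> gateway
    dev_conf = prov_conf if reflect else dev.conf          # gateway -> device -> gateway
    if prov_random is None:                                # Example 3: commit before release
        prov_random = cloud.accept_device_confirmation(dev_conf)
    if not reflect and not dev.check_provisioner(prov_conf, prov_random):
        return {"device_ok": False, "cloud_ok": False}     # device aborts, sends no random
    dev_random = prov_random if reflect else dev.random
    return {"device_ok": True, "cloud_ok": cloud.verify(dev_conf, dev_random, reflection_check)}
```

Running `run_provisioning(b"A" * 16, b"A" * 16, example3=True)` passes on both sides, while a mismatched AuthValue fails at the device's check first and the echoing rogue device is rejected by the comparison in `verify`; passing `reflection_check=False` shows that the same echo would otherwise verify, which is why the comparison precedes the recomputation. With `withhold_random=True` the cloud returns no random number until `accept_device_confirmation` has been called, so a gateway cannot assemble the (confirmation, random) pair before it has committed the device-side value.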
Fig. 10 is a schematic block diagram of a platform gateway 20 according to an embodiment of the present application. The platform gateway 20 may include:
a sending unit 201, configured to send a key parameter to a platform cloud, where the key parameter is used by the platform cloud to generate a confirmation key and configuration authentication information;
a receiving unit 202, configured to receive the configuration authentication information from the platform cloud;
the sending unit 201 being further configured to send device authentication information to the platform cloud based on the configuration authentication information, so that the platform cloud performs access authentication of the device to be authenticated based on the confirmation key and the device authentication information.
Optionally, the key parameter includes a shared root key and/or a confirmation salt value.
Optionally, the device authentication information includes a device-side confirmation value and/or a device-side random number.
Optionally, the configuration authentication information includes a configuration-side confirmation value and/or a configuration-side random number.
Optionally, the receiving unit is further configured to receive the configuration-side confirmation value and the configuration-side random number from the platform cloud.
Optionally, the receiving unit is further configured to receive the configuration-side confirmation value from the platform cloud, and to receive the configuration-side random number from the platform cloud only after the device-side confirmation value has been sent to the platform cloud.
Optionally, the sending unit is further configured to send the configuration-side confirmation value to the device to be authenticated;
the receiving unit is further configured to receive the device-side confirmation value from the device to be authenticated;
the sending unit is further configured to send the device-side confirmation value to the platform cloud.
Optionally, the receiving unit is further configured to receive the device-side random number from the device to be authenticated;
the sending unit is further configured to send the device-side random number to the platform cloud.
Optionally, the platform cloud includes a first platform cloud and a second platform cloud, and the sending unit is further configured to send the key parameter to the second platform cloud via the first platform cloud.
Optionally, the receiving unit is further configured to receive a configuration-side confirmation value and a configuration-side random number from the first platform cloud, where the first platform cloud received them from the second platform cloud.
Optionally, the receiving unit is further configured to receive a configuration-side confirmation value from the first platform cloud, and to receive a configuration-side random number from the first platform cloud only after the device-side confirmation value has been sent to the first platform cloud;
where the configuration-side confirmation value and the configuration-side random number were received by the first platform cloud from the second platform cloud.
The platform gateway 20 of this embodiment can implement the corresponding functions of the platform gateway in the foregoing embodiment of method 200. For the flow, functions, implementation and beneficial effects of each module (sub-module, unit or component) in the platform gateway 20, reference may be made to the corresponding description in the foregoing method embodiments, which is not repeated here. It should be noted that the functions described for the respective modules (sub-modules, units or components) of the platform gateway 20 may be implemented by different modules (sub-modules, units or components) or by the same module (sub-module, unit or component).
Fig. 11 is a schematic block diagram of a first platform cloud 30 according to an embodiment of the present application. The first platform cloud 30 may include:
a processing unit 301, configured to generate a confirmation key and configuration authentication information based on the key parameter;
a sending unit 302, configured to send the configuration authentication information to the platform gateway;
an authentication unit 303, configured to perform access authentication of the device to be authenticated based on the confirmation key and the device authentication information from the platform gateway.
Optionally, as shown in Fig. 12, the first platform cloud further includes a first receiving unit 304, configured to receive the key parameter from the platform gateway.
Optionally, the first platform cloud further includes a second receiving unit 305, configured to receive the device authentication information from the platform gateway, where the platform gateway obtained the device authentication information from the device to be authenticated by using the configuration authentication information.
Optionally, the key parameter includes a shared root key and/or a confirmation salt value.
Optionally, the device authentication information includes a device-side confirmation value and/or a device-side random number.
Optionally, the configuration authentication information includes a configuration-side confirmation value and/or a configuration-side random number.
Optionally, the sending unit is further configured to send the configuration-side confirmation value and the configuration-side random number to the platform gateway.
Optionally, the sending unit is further configured to send the configuration-side confirmation value to the platform gateway, and to send the configuration-side random number to the platform gateway only after the device-side confirmation value has been received.
Optionally, the authentication unit is further configured to perform access authentication of the device to be authenticated based on the confirmation key and the device authentication information only if the device authentication information differs from the configuration authentication information.
Optionally, the device authentication information differs from the configuration authentication information when at least one of the following holds:
the device-side confirmation value differs from the configuration-side confirmation value;
the device-side random number differs from the configuration-side random number.
Optionally, the authentication unit is further configured to compute a device-side confirmation value based on the confirmation key and the received device-side random number, compare the computed device-side confirmation value with the received device-side confirmation value, and treat the authentication as passed if the two are identical.
The first platform cloud 30 of this embodiment can implement the corresponding functions of the first platform cloud in the foregoing method embodiment. For the flow, functions, implementation and beneficial effects of each module (sub-module, unit or component) in the first platform cloud 30, reference may be made to the corresponding description in the foregoing embodiment of method 300, which is not repeated here. It should be noted that the functions described for the respective modules (sub-modules, units or components) of the first platform cloud 30 may be implemented by different modules (sub-modules, units or components) or by the same module (sub-module, unit or component).
Fig. 13 is a schematic block diagram of a second platform cloud 40 according to an embodiment of the present application. The second platform cloud 40 may include:
a processing unit 401, configured to generate a confirmation key and configuration authentication information based on the key parameter;
a sending unit 402, configured to send the configuration authentication information to a platform gateway via a first platform cloud;
an authentication unit 403, configured to perform access authentication of the device to be authenticated based on the confirmation key and the device authentication information.
Optionally, as shown in Fig. 14, the second platform cloud further includes a first receiving unit 404, configured to receive the key parameter from the first platform cloud, where the first platform cloud obtained the key parameter from the platform gateway.
Optionally, the second platform cloud further includes a second receiving unit 405, configured to receive the device authentication information from the first platform cloud, where the second platform cloud obtains the device authentication information from the platform gateway via the first platform cloud, and the platform gateway obtained the device authentication information from the device to be authenticated by using the configuration authentication information.
Optionally, the key parameter includes a shared root key and/or a confirmation salt value.
Optionally, the device authentication information includes a device-side confirmation value and/or a device-side random number.
Optionally, the configuration authentication information includes a configuration-side confirmation value and/or a configuration-side random number.
Optionally, the sending unit is further configured to send the configuration-side confirmation value and the configuration-side random number to the first platform cloud, and the first platform cloud sends the configuration-side confirmation value and the configuration-side random number to the platform gateway.
Optionally, the sending unit is further configured to send the configuration-side confirmation value and the configuration-side random number to the first platform cloud, where the first platform cloud sends the configuration-side confirmation value to the platform gateway, and sends the configuration-side random number to the platform gateway only after receiving the device-side confirmation value.
Optionally, the authentication unit is further configured to perform access authentication of the device to be authenticated based on the confirmation key and the device authentication information only if the device authentication information differs from the configuration authentication information.
Optionally, the device authentication information differs from the configuration authentication information when at least one of the following holds:
the device-side confirmation value differs from the configuration-side confirmation value;
the device-side random number differs from the configuration-side random number.
Optionally, the authentication unit is further configured to compute a device-side confirmation value based on the confirmation key and the received device-side random number, compare the computed device-side confirmation value with the received device-side confirmation value, and treat the authentication as passed if the two are identical.
The second platform cloud 40 of this embodiment can implement the corresponding functions of the second platform cloud in the foregoing embodiment of method 400. For the flow, functions, implementation and beneficial effects of each module (sub-module, unit or component) in the second platform cloud 40, reference may be made to the corresponding description in the foregoing method embodiments, which is not repeated here. It should be noted that the functions described for the respective modules (sub-modules, units or components) of the second platform cloud 40 may be implemented by different modules (sub-modules, units or components) or by the same module (sub-module, unit or component).
Fig. 15 is a schematic structural diagram of a communication apparatus 600 according to an embodiment of the present application. The communication apparatus 600 comprises a processor 610, which may call and run a computer program from a memory so that the communication apparatus 600 implements the methods in the embodiments of the present application.
Optionally, the communication apparatus 600 may further comprise a memory 620, and the processor 610 may call and run a computer program from the memory 620 so that the communication apparatus 600 implements the methods in the embodiments of the present application.
The memory 620 may be a separate device from the processor 610 or may be integrated into the processor 610.
Optionally, the communication apparatus 600 may further comprise a transceiver 630, and the processor 610 may control the transceiver 630 to communicate with other devices; in particular, it may send information or data to other devices or receive information or data sent by other devices.
The transceiver 630 may include a transmitter and a receiver, and may further include one or more antennas.
Optionally, the communication apparatus 600 may be the device to be authenticated, the platform gateway or the platform cloud in the embodiments of the present application, and may implement the corresponding flows carried out by the device to be authenticated, the platform gateway or the platform cloud in each method of the embodiments of the present application, which are not repeated here for brevity.
Fig. 16 is a schematic structural diagram of a chip 700 according to an embodiment of the present application. The chip 700 includes a processor 710, and the processor 710 may call and run a computer program from a memory to implement the methods of the embodiments of the present application.
Optionally, chip 700 may also include memory 720. The processor 710 may call and run a computer program from the memory 720 to implement a method performed by a device to be authenticated, a platform gateway, or a platform cloud in the embodiments of the present application.
Wherein the memory 720 may be a separate device from the processor 710 or may be integrated into the processor 710.
Optionally, the chip 700 may also include an input interface 730. The processor 710 may control the input interface 730 to communicate with other devices or chips, and in particular, may obtain information or data sent by other devices or chips.
Optionally, the chip 700 may further include an output interface 740. The processor 710 may control the output interface 740 to communicate with other devices or chips, and in particular, may output information or data to other devices or chips.
Optionally, the chip may be applied to the device to be authenticated, the platform gateway, or the platform cloud in the embodiments of the present application, and the chip may implement a corresponding flow implemented by the device to be authenticated, the platform gateway, or the platform cloud in each method in the embodiments of the present application, which is not described herein for brevity.
The chips applied to the device to be authenticated, the platform gateway, and the platform cloud may be the same chip or different chips.
It should be understood that the chips referred to in the embodiments of the present application may also be called system-on-chip (SoC) chips or the like.
The processors mentioned above may be general-purpose processors, digital signal processors (DSP), field programmable gate arrays (FPGA), application specific integrated circuits (ASIC), other programmable logic devices, transistor logic devices, discrete hardware components, etc. A general-purpose processor may be a microprocessor or any conventional processor.
The memory mentioned above may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM) or a flash memory. The volatile memory may be a random access memory (RAM).
It should be understood that the above memories are given as examples and not as limitations; for instance, the memory in the embodiments of the present application may be static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), direct Rambus RAM (DR RAM) and the like. That is, the memory in the embodiments of the present application is intended to include, without being limited to, these and any other suitable types of memory.
Fig. 17 is a schematic block diagram of a communication system 800 according to an embodiment of the present application. The communication system 800 includes a platform gateway 810 and a platform cloud 820.
The platform gateway 810 is configured to send a key parameter to the platform cloud, where the key parameter is used by the platform cloud to generate a confirmation key and configuration authentication information; to receive the configuration authentication information from the platform cloud; and to send device authentication information to the platform cloud based on the configuration authentication information, so that the platform cloud performs access authentication of the device to be authenticated based on the confirmation key and the device authentication information.
The platform cloud 820 is configured to generate a confirmation key and configuration authentication information based on the key parameter; to send the configuration authentication information to the platform gateway; and to perform access authentication of the device to be authenticated based on the confirmation key and the device authentication information from the platform gateway.
The platform gateway 810 may be used to implement the corresponding functions of the platform gateway in the methods above. The platform cloud 820 may be used to implement the corresponding functions of the platform cloud, for example the first platform cloud and/or the second platform cloud, in the methods above. For brevity, the description is not repeated here.
Optionally, the system may include a device to be authenticated 830, configured to send device authentication information to the platform gateway. The device to be authenticated 830 may be used to implement the corresponding functions of the device to be authenticated, such as the A-company device or the B-company device, in the methods above.
Optionally, in the system, the first platform cloud is configured to generate a confirmation key and configuration authentication information based on the key parameter; to send the configuration authentication information to the platform gateway; and to perform access authentication of the device to be authenticated based on the confirmation key and the device authentication information from the platform gateway.
Optionally, in the system, the second platform cloud generates a confirmation key and configuration authentication information based on the key parameter; sends the configuration authentication information to the platform gateway via the first platform cloud; and performs access authentication of the device to be authenticated based on the confirmation key and the device authentication information.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, hard disk or magnetic tape), an optical medium (e.g., a DVD) or a semiconductor medium (e.g., a solid state disk (SSD)), or the like.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
The foregoing is merely a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions should be covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (76)

  1. An access authentication method, comprising:
    a platform gateway sending a key parameter to a platform cloud, wherein the key parameter is used by the platform cloud to generate a confirmation key and configuration authentication information;
    the platform gateway receiving the configuration authentication information from the platform cloud; and
    the platform gateway sending device authentication information to the platform cloud based on the configuration authentication information, so that the platform cloud performs access authentication of a device to be authenticated based on the confirmation key and the device authentication information.
  2. The method of claim 1, wherein the key parameter comprises a shared root key and/or a confirmation salt value.
  3. The method of claim 1 or 2, wherein the device authentication information comprises a device-side confirmation value and/or a device-side random number.
  4. The method of any one of claims 1 to 3, wherein the configuration authentication information comprises a configuration-side confirmation value and/or a configuration-side random number.
  5. The method of claim 4, wherein the platform gateway receiving the configuration authentication information from the platform cloud comprises: the platform gateway receiving the configuration-side confirmation value and the configuration-side random number from the platform cloud.
  6. The method of claim 4, wherein the platform gateway receiving the configuration authentication information from the platform cloud comprises:
    the platform gateway receiving the configuration-side confirmation value from the platform cloud; and
    the platform gateway receiving the configuration-side random number from the platform cloud after sending the device-side confirmation value to the platform cloud.
  7. The method of claim 5 or 6, further comprising:
    the platform gateway sending the configuration-side confirmation value to the device to be authenticated;
    the platform gateway receiving the device-side confirmation value from the device to be authenticated; and
    the platform gateway sending the device-side confirmation value to the platform cloud.
  8. The method of claim 7, further comprising:
    the platform gateway sending the configuration-side random number to the device to be authenticated, so that the device to be authenticated verifies the configuration-side confirmation value based on the configuration-side random number;
    the platform gateway receiving the device-side random number from the device to be authenticated; and
    the platform gateway sending the device-side random number to the platform cloud.
  9. The method of any one of claims 1 to 8, wherein the platform cloud comprises a first platform cloud and a second platform cloud, and the platform gateway sending the key parameter to the platform cloud comprises: the platform gateway sending the key parameter to the second platform cloud via the first platform cloud.
  10. The method of claim 9, wherein the platform gateway receiving the configuration authentication information from the platform cloud comprises: the platform gateway receiving a configuration-side confirmation value and a configuration-side random number from the first platform cloud, wherein the configuration-side confirmation value and the configuration-side random number were received by the first platform cloud from the second platform cloud.
  11. The method of claim 9, wherein the platform gateway receiving the configuration authentication information from the platform cloud comprises:
    the platform gateway receiving a configuration-side confirmation value from the first platform cloud; and
    the platform gateway receiving a configuration-side random number from the first platform cloud after sending a device-side confirmation value to the first platform cloud;
    wherein the configuration-side confirmation value and the configuration-side random number were received by the first platform cloud from the second platform cloud.
  12. An access authentication method, comprising:
    a first platform cloud generates a confirmation key and configuration authentication information based on key parameters;
    the first platform cloud sends the configuration authentication information to a platform gateway;
    and the first platform cloud performs access authentication on a device to be authenticated based on the confirmation key and device authentication information from the platform gateway.
  13. The method of claim 12, further comprising: the first platform cloud receives the key parameters from the platform gateway.
  14. The method of claim 12 or 13, further comprising: the first platform cloud receives the device authentication information from the platform gateway, wherein the device authentication information is obtained by the platform gateway from the device to be authenticated using the configuration authentication information.
  15. The method of any one of claims 12 to 14, wherein the key parameters comprise a shared root key and/or a confirmation salt value.
  16. The method of any one of claims 12 to 15, wherein the device authentication information comprises a device-side confirmation value and/or a device-side random number.
  17. The method of any one of claims 12 to 16, wherein the configuration authentication information comprises a configuration-side confirmation value and/or a configuration-side random number.
  18. The method of claim 17, wherein the first platform cloud sending the configuration authentication information to the platform gateway comprises: the first platform cloud sends the configuration-side confirmation value and the configuration-side random number to the platform gateway.
  19. The method of claim 17, wherein the first platform cloud sending the configuration authentication information to the platform gateway comprises:
    the first platform cloud sends the configuration-side confirmation value to the platform gateway;
    and the first platform cloud sends the configuration-side random number to the platform gateway after receiving the device-side confirmation value.
  20. The method of any one of claims 12 to 19, wherein the first platform cloud performing access authentication on the device to be authenticated based on the confirmation key and the device authentication information from the platform gateway comprises: the first platform cloud performs access authentication on the device to be authenticated based on the confirmation key and the device authentication information under the condition that the device authentication information and the configuration authentication information are different.
  21. The method of claim 20, wherein the device authentication information and the configuration authentication information being different comprises at least one of:
    the device-side confirmation value and the configuration-side confirmation value are different;
    the device-side random number and the configuration-side random number are different.
  22. The method of any one of claims 12 to 21, wherein the first platform cloud performing access authentication on the device to be authenticated based on the confirmation key and the device authentication information comprises:
    the first platform cloud calculates a device-side confirmation value based on the confirmation key and the device-side random number;
    and the first platform cloud compares the calculated device-side confirmation value with the received device-side confirmation value, and the authentication passes under the condition that the calculated device-side confirmation value is the same as the received device-side confirmation value.
  23. An access authentication method, comprising:
    a second platform cloud generates a confirmation key and configuration authentication information based on key parameters;
    the second platform cloud sends the configuration authentication information to a platform gateway through a first platform cloud;
    and the second platform cloud performs access authentication on a device to be authenticated based on the confirmation key and device authentication information.
  24. The method of claim 23, further comprising: the second platform cloud receives the key parameters from the first platform cloud, wherein the key parameters are obtained by the first platform cloud from the platform gateway.
  25. The method of claim 23 or 24, further comprising: the second platform cloud receives the device authentication information from the first platform cloud, wherein the device authentication information is obtained by the second platform cloud from the platform gateway through the first platform cloud, and the device authentication information is obtained by the platform gateway from the device to be authenticated using the configuration authentication information.
  26. The method of any one of claims 23 to 25, wherein the key parameters comprise a shared root key and/or a confirmation salt value.
  27. The method of any one of claims 23 to 26, wherein the device authentication information comprises a device-side confirmation value and/or a device-side random number.
  28. The method of any one of claims 23 to 27, wherein the configuration authentication information comprises a configuration-side confirmation value and/or a configuration-side random number.
  29. The method of claim 28, wherein the second platform cloud sending the configuration authentication information to the platform gateway through the first platform cloud comprises: the second platform cloud sends the configuration-side confirmation value and the configuration-side random number to the first platform cloud, and the first platform cloud sends the configuration-side confirmation value and the configuration-side random number to the platform gateway.
  30. The method of claim 28, wherein the second platform cloud sending the configuration authentication information to the platform gateway through the first platform cloud comprises: the second platform cloud sends the configuration-side confirmation value and the configuration-side random number to the first platform cloud, the first platform cloud sends the configuration-side confirmation value to the platform gateway, and the first platform cloud sends the configuration-side random number to the platform gateway after receiving the device-side confirmation value.
  31. The method of any one of claims 23 to 30, wherein the second platform cloud performing access authentication on the device to be authenticated based on the confirmation key and the device authentication information comprises: the second platform cloud performs access authentication on the device to be authenticated based on the confirmation key and the device authentication information under the condition that the device authentication information and the configuration authentication information are different.
  32. The method of claim 31, wherein the device authentication information and the configuration authentication information being different comprises at least one of:
    the device-side confirmation value and the configuration-side confirmation value are different;
    the device-side random number and the configuration-side random number are different.
  33. The method of any one of claims 23 to 32, wherein the second platform cloud performing access authentication on the device to be authenticated based on the confirmation key and the device authentication information comprises:
    the second platform cloud calculates a device-side confirmation value based on the confirmation key and the device-side random number;
    and the second platform cloud compares the calculated device-side confirmation value with the received device-side confirmation value, and the authentication passes under the condition that the calculated device-side confirmation value is the same as the received device-side confirmation value.
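The exchange recited in claims 1 to 33 (gateway forwards key parameters; the cloud derives a confirmation key, commits to a configuration-side random number, reveals it only after the device has committed, then recomputes the device-side confirmation value from the device-side random number), written out as an added Python example that is not code from the patent or its applicant. The claims name the inputs but not the primitives, so the following are assumptions made here: HMAC-SHA256 as both the key derivation from the shared root key and confirmation salt and as the confirmation function, 16-byte random numbers, and all class and function names. The block follows the claim 6 ordering and carries a `check_distinct` switch so the reader can see why claims 20 and 21 require the device-side values to differ from the configuration-side values: without that check a device that holds no key can pass by reflecting the cloud's own commitment and random number back through the gateway.

```python
import hashlib
import hmac
import os

# Added example, not the patent's code. The page names the inputs (shared root
# key, confirmation salt, random numbers) but not the KDF or MAC; HMAC-SHA256 is
# an assumption chosen here so that the exchange is runnable end to end.


class AuthError(Exception):
    """Raised when one side detects that the other does not hold the key."""


def derive_confirmation_key(shared_root_key: bytes, confirmation_salt: bytes) -> bytes:
    """Confirmation key from the key parameters of claims 2, 15 and 26 (KDF assumed)."""
    return hmac.new(confirmation_salt, shared_root_key, hashlib.sha256).digest()


def confirmation_value(confirmation_key: bytes, random_number: bytes) -> bytes:
    """Commitment to a random number under the confirmation key (claims 22 and 33)."""
    return hmac.new(confirmation_key, random_number, hashlib.sha256).digest()


class PlatformCloud:
    """Configuration side: derives the key, commits, reveals, then verifies the device."""

    def __init__(self, check_distinct: bool = True, rng=os.urandom):
        self.check_distinct = check_distinct  # the precondition of claims 20/21
        self.rng = rng
        self.confirmation_key = self.config_random = self.config_confirmation = None
        self.device_confirmation = None

    def receive_key_parameters(self, shared_root_key: bytes, confirmation_salt: bytes) -> bytes:
        self.confirmation_key = derive_confirmation_key(shared_root_key, confirmation_salt)
        self.config_random = self.rng(16)
        self.config_confirmation = confirmation_value(self.confirmation_key, self.config_random)
        return self.config_confirmation  # configuration-side confirmation value, sent first (claim 6)

    def receive_device_confirmation(self, device_confirmation: bytes) -> bytes:
        if self.check_distinct and hmac.compare_digest(device_confirmation, self.config_confirmation):
            raise AuthError("device-side confirmation value echoes the configuration side")
        self.device_confirmation = device_confirmation
        return self.config_random  # revealed only after the device has committed

    def authenticate(self, device_random: bytes) -> bool:
        if self.device_confirmation is None:
            raise AuthError("device-side random number arrived before its confirmation value")
        if self.check_distinct and hmac.compare_digest(device_random, self.config_random):
            raise AuthError("device-side random number echoes the configuration side")
        expected = confirmation_value(self.confirmation_key, device_random)
        return hmac.compare_digest(expected, self.device_confirmation)  # constant-time compare


class Device:
    """Device to be authenticated; it also verifies the configuration side (claim 8)."""

    def __init__(self, shared_root_key: bytes, confirmation_salt: bytes, rng=os.urandom):
        self.confirmation_key = derive_confirmation_key(shared_root_key, confirmation_salt)
        self.random = rng(16)
        self.config_confirmation = None

    def receive_config_confirmation(self, config_confirmation: bytes) -> bytes:
        self.config_confirmation = config_confirmation
        return confirmation_value(self.confirmation_key, self.random)  # device-side confirmation value

    def receive_config_random(self, config_random: bytes) -> bytes:
        expected = confirmation_value(self.confirmation_key, config_random)
        if not hmac.compare_digest(expected, self.config_confirmation):
            raise AuthError("configuration-side confirmation value does not verify")
        return self.random  # device-side random number, released only after the cloud proved itself


def gateway_run(shared_root_key: bytes, confirmation_salt: bytes, device: Device, cloud: PlatformCloud) -> bool:
    """The platform gateway of claims 1, 6, 7 and 8: it relays messages and holds no verdict."""
    config_confirmation = cloud.receive_key_parameters(shared_root_key, confirmation_salt)
    device_confirmation = device.receive_config_confirmation(config_confirmation)
    config_random = cloud.receive_device_confirmation(device_confirmation)
    device_random = device.receive_config_random(config_random)
    return cloud.authenticate(device_random)


def reflection_attack(cloud: PlatformCloud) -> bool:
    """A device-side attacker without the key echoes the cloud's own values back via the gateway."""
    gateway_root_key, gateway_salt = b"known-only-to-gateway-and-cloud", b"salt"  # constructed
    config_confirmation = cloud.receive_key_parameters(gateway_root_key, gateway_salt)
    config_random = cloud.receive_device_confirmation(config_confirmation)  # echo the commitment
    return cloud.authenticate(config_random)  # echo the revealed random number
```

With the default `check_distinct=True`, `reflection_attack` raises `AuthError` at the first echo; with it disabled, the recomputed device-side confirmation value equals the echoed one and the cloud accepts a device that never held the shared root key. A device configured with the wrong key fails earlier, on its own verification of the configuration-side confirmation value, because the random number is revealed only after both sides have committed.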
  34. A platform gateway, comprising:
    a sending unit, configured to send key parameters to a platform cloud, wherein the key parameters are used for generating a confirmation key and configuration authentication information in the platform cloud;
    a receiving unit, configured to receive the configuration authentication information from the platform cloud;
    wherein the sending unit is further configured to send device authentication information to the platform cloud based on the configuration authentication information, so that access authentication is performed on a device to be authenticated in the platform cloud based on the confirmation key and the device authentication information.
  35. The platform gateway of claim 34, wherein the key parameters comprise a shared root key and/or a confirmation salt value.
  36. The platform gateway of claim 34 or 35, wherein the device authentication information comprises a device-side confirmation value and/or a device-side random number.
  37. The platform gateway of any one of claims 34 to 36, wherein the configuration authentication information comprises a configuration-side confirmation value and/or a configuration-side random number.
  38. The platform gateway of claim 37, wherein the receiving unit is further configured to receive the configuration-side confirmation value and the configuration-side random number from the platform cloud.
  39. The platform gateway of claim 37, wherein the receiving unit is further configured to receive the configuration-side confirmation value from the platform cloud, and to receive the configuration-side random number from the platform cloud after the device-side confirmation value has been sent to the platform cloud.
  40. The platform gateway of claim 38 or 39, wherein the sending unit is further configured to send the configuration-side confirmation value to the device to be authenticated;
    the receiving unit is further configured to receive a device-side confirmation value from the device to be authenticated;
    and the sending unit is further configured to send the device-side confirmation value to the platform cloud.
  41. The platform gateway of claim 40, wherein the receiving unit is further configured to receive a device-side random number from the device to be authenticated;
    and the sending unit is further configured to send the device-side random number to the platform cloud.
  42. The platform gateway of any one of claims 34 to 41, wherein the platform cloud comprises a first platform cloud and a second platform cloud, and the sending unit is further configured to send the key parameters to the second platform cloud through the first platform cloud.
  43. The platform gateway of claim 42, wherein the receiving unit is further configured to receive a configuration-side confirmation value and a configuration-side random number from the first platform cloud, wherein the configuration-side confirmation value and the configuration-side random number are received by the first platform cloud from the second platform cloud.
  44. The platform gateway of claim 43, wherein the receiving unit is further configured to receive a configuration-side confirmation value from the first platform cloud, and to receive a configuration-side random number from the first platform cloud after a device-side confirmation value has been sent to the first platform cloud;
    wherein the configuration-side confirmation value and the configuration-side random number are received by the first platform cloud from the second platform cloud.
  45. A first platform cloud, comprising:
    a processing unit, configured to generate a confirmation key and configuration authentication information based on key parameters;
    a sending unit, configured to send the configuration authentication information to a platform gateway;
    and an authentication unit, configured to perform access authentication on a device to be authenticated based on the confirmation key and device authentication information from the platform gateway.
  46. The first platform cloud of claim 45, further comprising:
    a first receiving unit, configured to receive the key parameters from the platform gateway.
  47. The first platform cloud of claim 45 or 46, further comprising:
    a second receiving unit, configured to receive the device authentication information from the platform gateway, wherein the device authentication information is obtained by the platform gateway from the device to be authenticated using the configuration authentication information.
  48. The first platform cloud of any one of claims 45 to 47, wherein the key parameters comprise a shared root key and/or a confirmation salt value.
  49. The first platform cloud of any one of claims 45 to 48, wherein the device authentication information comprises a device-side confirmation value and/or a device-side random number.
  50. The first platform cloud of any one of claims 45 to 49, wherein the configuration authentication information comprises a configuration-side confirmation value and/or a configuration-side random number.
  51. The first platform cloud of claim 50, wherein the sending unit is further configured to send the configuration-side confirmation value and the configuration-side random number to the platform gateway.
  52. The first platform cloud of claim 50, wherein the sending unit is further configured to send the configuration-side confirmation value to the platform gateway, and to send the configuration-side random number to the platform gateway after the device-side confirmation value has been received.
  53. The first platform cloud of any one of claims 45 to 52, wherein the authentication unit is further configured to perform access authentication on the device to be authenticated based on the confirmation key and the device authentication information under the condition that the device authentication information and the configuration authentication information are different.
  54. The first platform cloud of claim 53, wherein the device authentication information and the configuration authentication information being different comprises at least one of:
    the device-side confirmation value and the configuration-side confirmation value are different;
    the device-side random number and the configuration-side random number are different.
  55. The first platform cloud of any one of claims 45 to 54, wherein the authentication unit is further configured to calculate a device-side confirmation value based on the confirmation key and the device-side random number, to compare the calculated device-side confirmation value with the received device-side confirmation value, and to pass the authentication under the condition that the calculated device-side confirmation value is the same as the received device-side confirmation value.
  56. A second platform cloud, comprising:
    a processing unit, configured to generate a confirmation key and configuration authentication information based on key parameters;
    a sending unit, configured to send the configuration authentication information to a platform gateway through a first platform cloud;
    and an authentication unit, configured to perform access authentication on a device to be authenticated based on the confirmation key and device authentication information.
  57. The second platform cloud of claim 56, further comprising:
    a first receiving unit, configured to receive the key parameters from the first platform cloud, wherein the key parameters are obtained by the first platform cloud from the platform gateway.
  58. The second platform cloud of claim 56 or 57, further comprising:
    a second receiving unit, configured to receive the device authentication information from the first platform cloud, wherein the device authentication information is obtained by the second platform cloud from the platform gateway through the first platform cloud, and the device authentication information is obtained by the platform gateway from the device to be authenticated using the configuration authentication information.
  59. The second platform cloud of any one of claims 56 to 58, wherein the key parameters comprise a shared root key and/or a confirmation salt value.
  60. The second platform cloud of any one of claims 56 to 59, wherein the device authentication information comprises a device-side confirmation value and/or a device-side random number.
  61. The second platform cloud of any one of claims 56 to 60, wherein the configuration authentication information comprises a configuration-side confirmation value and/or a configuration-side random number.
  62. The second platform cloud of claim 61, wherein the sending unit is further configured to send the configuration-side confirmation value and the configuration-side random number to the first platform cloud, and the first platform cloud sends the configuration-side confirmation value and the configuration-side random number to the platform gateway.
  63. The second platform cloud of claim 61, wherein the sending unit is further configured to send the configuration-side confirmation value and the configuration-side random number to the first platform cloud, the first platform cloud sends the configuration-side confirmation value to the platform gateway, and the first platform cloud sends the configuration-side random number to the platform gateway after receiving the device-side confirmation value.
  64. The second platform cloud of any one of claims 56 to 63, wherein the authentication unit is further configured to perform access authentication on the device to be authenticated based on the confirmation key and the device authentication information under the condition that the device authentication information and the configuration authentication information are different.
  65. The second platform cloud of claim 64, wherein the device authentication information and the configuration authentication information being different comprises at least one of:
    the device-side confirmation value and the configuration-side confirmation value are different;
    the device-side random number and the configuration-side random number are different.
  66. The second platform cloud of any one of claims 56 to 65, wherein the authentication unit is further configured to calculate a device-side confirmation value based on the confirmation key and the device-side random number, to compare the calculated device-side confirmation value with the received device-side confirmation value, and to pass the authentication under the condition that the calculated device-side confirmation value is the same as the received device-side confirmation value.
  67. A platform gateway, comprising: a processor and a memory for storing a computer program, the processor being adapted to invoke and run the computer program stored in the memory to cause the platform gateway to perform the method according to any of claims 1 to 11.
  68. A platform cloud, comprising: a processor and a memory for storing a computer program, the processor for invoking and running the computer program stored in the memory to cause the platform cloud to perform the method of any of claims 12 to 33.
  69. A chip, comprising: a processor for calling and running a computer program from a memory, causing a device on which the chip is mounted to perform the method of any one of claims 1 to 11.
  70. A chip, comprising: a processor for calling and running a computer program from a memory, causing a device on which the chip is mounted to perform the method of any of claims 12 to 33.
  71. A computer readable storage medium storing a computer program which, when executed by a device, causes the device to perform the method of any one of claims 1 to 11.
  72. A computer readable storage medium storing a computer program which, when executed by a device, causes the device to perform the method of any one of claims 12 to 33.
  73. A computer program product comprising computer program instructions for causing a computer to perform the method of any one of claims 1 to 11.
  74. A computer program product comprising computer program instructions for causing a computer to perform the method of any one of claims 12 to 33.
  75. A computer program which causes a computer to perform the method of any one of claims 1 to 11.
  76. A computer program which causes a computer to perform the method of any of claims 12 to 33.
CN202080106625.XA 2020-11-16 2020-11-16 Access authentication method, platform gateway and platform cloud Pending CN116349270A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/129098 WO2022099703A1 (en) 2020-11-16 2020-11-16 Access authentication method, platform gateway and platform cloud

Publications (1)

Publication Number Publication Date
CN116349270A true CN116349270A (en) 2023-06-27

Family

ID=81602097

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080106625.XA Pending CN116349270A (en) 2020-11-16 2020-11-16 Access authentication method, platform gateway and platform cloud

Country Status (2)

Country Link
CN (1) CN116349270A (en)
WO (1) WO2022099703A1 (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10462661B2 (en) * 2015-04-30 2019-10-29 Lg Electronics Inc. Method and device for transmitting/receiving data using bluetooth mesh network
CN110505606B (en) * 2018-05-18 2022-12-02 阿里巴巴集团控股有限公司 Bluetooth Mesh network and distribution network authentication method, equipment and storage medium thereof
CN111865879B (en) * 2019-04-29 2022-12-20 阿里巴巴集团控股有限公司 Internet of things access method and system and corresponding Internet of things equipment
CN112198805B (en) * 2019-07-08 2024-06-14 阿里巴巴集团控股有限公司 Device control method, device, system, computing device and storage medium
CN110418322A (en) * 2019-08-09 2019-11-05 四川虹美智能科技有限公司 Distribution method and system, a kind of node based on bluetooth Mesh network

Also Published As

Publication number Publication date
WO2022099703A1 (en) 2022-05-19

Similar Documents

Publication Publication Date Title
US12052233B2 (en) Identity verification method for network function service and related apparatus
US10411884B2 (en) Secure bootstrapping architecture method based on password-based digest authentication
US20190123903A1 (en) Trusted remote proving method, apparatus and system
US9641324B2 (en) Method and device for authenticating request message
US20230283475A1 (en) Identity authentication system, method, apparatus, and device, and computer-readable storage medium
US20210167947A1 (en) System and method for processing secret sharing authentication
CN105007164B (en) Centralized safety control method and device
WO2022193984A1 (en) Cross-chain data transmission method and apparatus, and computer device, storage medium and computer program product
CN112311543B (en) GBA key generation method, terminal and NAF network element
WO2018205148A1 (en) Data packet checking method and device
US11943213B2 (en) Device and method for mediating configuration of authentication information
WO2022067667A1 (en) A method for preventing encrypted user identity from replay attacks
CN115868142A (en) Equipment verification method, equipment and cloud
US20210195418A1 (en) A technique for authenticating data transmitted over a cellular network
CN112242976A (en) Identity authentication method and device
CN116349270A (en) Access authentication method, platform gateway and platform cloud
WO2022016435A1 (en) Access authentication method and apparatus, device, and storage medium
WO2022067627A1 (en) A method for preventing leakage of authentication sequence number of a mobile terminal
WO2022094936A1 (en) Access method, device, and cloud platform device
WO2016165443A1 (en) Method for protecting machine type communication device, network entity, and mtc device
CN112751664B (en) Internet of things networking method, internet of things networking device and computer readable storage medium
WO2022067628A1 (en) A method for preventing encrypted user identity from replay attacks
WO2018171486A1 (en) Method and device for updating position of mobile terminal
CN115514502A (en) Block chain-based edge computing platform identity authentication method and device
CN116711387A (en) Method, device and system for authentication and authorization by using edge data network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination