CN116566625B - Equipment attribution information generation method and system - Google Patents


Info

Publication number: CN116566625B
Authority: CN (China)
Prior art keywords: equipment, information, public key, manufacturing station, hash value
Legal status: Active
Application number: CN202310840846.5A
Other languages: Chinese (zh)
Other versions: CN116566625A (en)
Inventors: 田步明, 陆舟
Current assignee: Feitian Technologies Co Ltd
Original assignee: Feitian Technologies Co Ltd
Events: application filed by Feitian Technologies Co Ltd; priority to CN202310840846.5A; publication of CN116566625A; application granted; publication of CN116566625B; legal status active

Classifications

    • H04L9/3213: Cryptographic mechanisms for entity authentication or message authentication involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L63/0442: Network security protocols for confidential data exchange where the payload is protected by asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/126: Network security protocols applying verification of the source of received information
    • H04L9/3242: Cryptographic mechanisms for entity or message authentication using keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L9/3263: Cryptographic mechanisms for entity or message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L9/40: Network security protocols
    • Y02P90/30: Computing systems specially adapted for manufacturing (enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)

Abstract

The application discloses a method and a system for generating equipment attribution information. An Internet of Things device obtains a token from a manufacturing station, assembles a credential generation request from the token, the manufacturing station information and the CSR data read from its internal storage, and sends the request to the manufacturing station. If the manufacturing station verifies the token successfully, it checks whether a device certificate already exists for the device and, if not, generates one from the CSR data. The manufacturing station then assembles a device initial attribution information header message from its pre-stored manufacturing station public key and the device certificate and returns it to the Internet of Things device. The device computes a hash message authentication code over the header message, assembles a credential setting response message and sends it to the manufacturing station. If the manufacturing station verifies the token successfully, it generates entry information and assembles the device initial attribution information from the header message, the device certificate and the entry information. With the method provided by the application, the legitimacy and security of Internet of Things devices can be ensured.

Description

Equipment attribution information generation method and system
Technical Field
The present application relates to the field of information security, and in particular, to a method and a system for generating device attribution information.
Background
At present the Internet of Things is developing rapidly: Internet of Things terminal products appear in endless variety, their security protocols are implemented in all sorts of ways, and some terminal products have no security at all, so the security of Internet of Things terminal products faces a great challenge.
Most existing Internet of Things terminal products have their device information burned in at the factory, and once burned in, this association is essentially unchangeable unless the device is returned to the factory for maintenance or under other special circumstances. The existing approach is unfriendly in terms of device production security, proof of the device's affiliation relationship, and similar aspects.
Disclosure of Invention
The embodiment of the application provides a method and a system for generating equipment attribution information; the technical scheme is as follows:
In a first aspect, an embodiment of the present application provides a method for generating device attribution information, where the method is applied to a system formed by an Internet of Things device and a manufacturing station, and includes:
Step S1: the Internet of Things device acquires a token from the manufacturing station, assembles the token with the manufacturing station information, CSR data, device description information, device serial number and device public key information read from internal storage to generate a credential request core message, encrypts the credential request core message with the device private key to obtain a credential generation request, and sends the credential generation request to the manufacturing station, wherein the device public key information comprises a public key type and a public key encoding;
Step S2: the manufacturing station decrypts the credential generation request with the pre-stored device public key to obtain the CSR data, the device description information, the device public key information and the token, and verifies the token; if verification succeeds, it determines whether a device certificate corresponding to the Internet of Things device already exists in the manufacturing station, and if not, generates the device certificate from the decrypted CSR data, stores the device certificate together with the device description information, and executes step S3; if verification fails, the process ends;
Step S3: the manufacturing station acquires the pre-stored manufacturing station public key, device identifier and server information, computes a hash of the device certificate to obtain a first hash value, assembles a device initial attribution information header message from the on-board protocol version, the first hash value, the manufacturing station public key, the decrypted device description information, the device identifier and the server information, encodes the header message to obtain a first encoding result, and returns the first encoding result to the Internet of Things device, wherein the server information is the information of the authentication center server and is used in the Internet of Things device registration stage;
Step S4: the Internet of Things device decodes the received first encoding result to obtain the device initial attribution information header message, computes a hash message authentication code over the header message, assembles a credential setting response message from the hash message authentication code and the token, and sends the credential setting response message to the manufacturing station;
Step S5: the manufacturing station parses the credential setting response message to obtain the hash message authentication code and the token, and verifies the token; if verification succeeds, it generates entry information and assembles and stores the device initial attribution information from the on-board protocol version, the device initial attribution information header message, the hash message authentication code, the device certificate and the entry information; if verification fails, the process ends.
In a second aspect, an embodiment of the present application provides a device attribution information generating system, where the system includes an Internet of Things device and a manufacturing station, the Internet of Things device includes a request generating module and a response module, and the manufacturing station includes a certificate generating module, an information header organizing module and an attribution information generating module, where:
the request generating module is used to acquire a token from the manufacturing station, assemble the token with the manufacturing station information, CSR data, device description information, device serial number and device public key information read from internal storage to generate a credential request core message, encrypt the credential request core message with the device private key to obtain a credential generation request, and send the credential generation request to the manufacturing station, where the device public key information comprises a public key type and a public key encoding;
the certificate generating module is used to decrypt the credential generation request with the pre-stored device public key to obtain the CSR data, the device description information, the device public key information and the token, verify the token, determine whether a device certificate corresponding to the Internet of Things device already exists in the manufacturing station if verification succeeds, generate the device certificate from the decrypted CSR data if it does not exist, store the device certificate together with the device description information, and trigger the information header organizing module; if verification fails, the process ends;
the information header organizing module is used to acquire the pre-stored manufacturing station public key, device identifier and server information, compute a hash of the device certificate to obtain a first hash value, assemble a device initial attribution information header message from the on-board protocol version, the first hash value, the manufacturing station public key, the decrypted device description information, the device identifier and the server information, encode the header message to obtain a first encoding result, and return the first encoding result to the Internet of Things device, where the server information is the information of the authentication center server and is used in the Internet of Things device registration stage;
the response module is used to decode the received first encoding result to obtain the device initial attribution information header message, compute a hash message authentication code over the header message, assemble a credential setting response message from the hash message authentication code and the token, and send the credential setting response message to the manufacturing station;
the attribution information generating module is used to parse the credential setting response message to obtain the hash message authentication code and the token, verify the token, generate entry information if verification succeeds, assemble and store the device initial attribution information from the on-board protocol version, the device initial attribution information header message, the hash message authentication code, the device certificate and the entry information, and end if verification fails.
In a third aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of any of the methods described above.
In a fourth aspect, an embodiment of the present application provides an internet of things device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the steps of any of the methods described above when the processor executes the program.
The technical scheme provided by the embodiments of the application has at least the following beneficial effects:
According to the application, the device attribution information is generated, managed and distributed by the manufacturing station. This mechanism avoids the manual registration and warehousing step, makes the device attribution relationship traceable, and allows Internet of Things devices to be transported and distributed more securely. With the method provided by the application, the legitimacy and security of Internet of Things devices can be ensured.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 to fig. 4 are schematic flow diagrams of a device attribution information generating method according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the following detailed description of the embodiments of the present application will be given with reference to the accompanying drawings.
When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of systems and methods that are consistent with aspects of the application as detailed in the accompanying claims.
In the description of the present application, it should be understood that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. The specific meaning of the above terms in the present application will be understood in specific cases by those of ordinary skill in the art. Furthermore, in the description of the present application, unless otherwise indicated, "a plurality" means two or more. "and/or", describes an association relationship of an association object, and indicates that there may be three relationships, for example, a and/or B, and may indicate: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship.
The method for generating the device attribution information provided by the embodiment of the application will be described in detail with reference to fig. 1 to fig. 4.
Fig. 1 to fig. 4 are schematic flow diagrams of a method for generating device attribution information according to an embodiment of the present application.
The method provided by the application is applied to a system formed by the Internet of things equipment, a manufacturing station, a service end, an owner end and a client end, and as shown in fig. 1-4, the method can comprise the following steps:
Step S1: the Internet of Things device assembles the manufacturing station information, CSR data, device description information, device serial number, device public key information and token read from its internal storage to generate a credential request core message, encrypts the credential request core message with the device private key to obtain a credential generation request, and sends the credential generation request to the manufacturing station.
Wherein the device public key information includes a public key type and a public key encoding.
The credential request core message is, for example:
{
    "manufacturingInfo": {
        "certInfo": {
            "object": "-----BEGIN CERTIFICATE REQUEST-----
MIIBKjCB0AIBADBGMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHYmVpamluZzEQMA4G
A1UEBxMHYmVpamluZzETMBEGA1UEAxMKZnRzYWZlLmNvbTBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABJ+ANejh8d6Y21sgxLa3017v41j9iTyCoQ4LqEbTZzf+7gPL
+ExjJhTM8ghzset8ivcu+76CXWuMKx+d/wevcaOgKDAmBgkqhkiG9w0BCQ4xGTAX
MBUGA1UdEQQOMAyCCmZ0c2FmZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKILqXib
oZfI4xriwJsILxC4hEs7cdTjtplP1L9v/q9xAiEAj7yypzeh83r/OyQDcQuPPJhY
T2b6lWoKQwMGqvz/eyY=
-----END CERTIFICATE REQUEST-----"
        },
        "deviceInfo": "DemoDevice",
        "keyEnc": "X509",
        "keyType": "SECP256R1",
        "serialNumber": "202208231515025"
    }
}
Before step S1, the method further includes:
Step Y1: the service end receives an application request sent by the owner end, creates an application, generates application information and sends the application information to the owner end.
The application information includes an application identification and an application key.
The application information is, for example:
{
    "appkey": "4E9CD1672503C32B6162",
    "appsecret": "m3jyUy6P3S7XKHHnktA=="
}
Step Y2: the owner end stores the application information.
In a possible embodiment, before step S1, the method further includes:
Step A1: the Internet of Things device generates domain name information and acquires the location information of the device.
The domain name information is, for example: CN.
The location information of the device is, for example:
{
    "Organization": "feitian",
    "Locality": "beijing",
    "State": "beijing",
    "Country": "CN"
}
Step A2: the Internet of Things device generates CSR data from the domain name information, the location information and a second preset algorithm, and stores the CSR data.
The second preset algorithm is specifically the ECDSA algorithm.
The CSR data generated is, for example:
-----BEGIN CERTIFICATE REQUEST-----
MIIBKjCB0AIBADBGMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHYmVpamluZzEQMA4G
A1UEBxMHYmVpamluZzETMBEGA1UEAxMKZnRzYWZlLmNvbTBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABJ+ANejh8d6Y21sgxLa3017v41j9iTyCoQ4LqEbTZzf+7gPL
+ExjJhTM8ghzset8ivcu+76CXWuMKx+d/wevcaOgKDAmBgkqhkiG9w0BCQ4xGTAX
MBUGA1UdEQQOMAyCCmZ0c2FmZS5jb20wCgYIKoZIzj0EAwIDSQAwRgIhAKILqXib
oZfI4xriwJsILxC4hEs7cdTjtplP1L9v/q9xAiEAj7yypzeh83r/OyQDcQuPPJhY
T2b6lWoKQwMGqvz/eyY=
-----END CERTIFICATE REQUEST-----
Before step S1, the method further includes:
Step S1-1: the Internet of Things device generates a token acquisition request from the internally stored device identifier and device public key, encodes the token acquisition request to obtain a second encoding result, and sends the second encoding result to the manufacturing station.
The device identifier is, for example: 20010000001.
The device public key is, for example:
71b31bc0ae9264580d4846fe7f79d2fc0227dc23debd3d01c45fdecd0177ed94531346e54a9cb52d1d349f909e1007feba9e2e8961453329d6498850b2835a18947284650dfb8885984af57ae44115721bcd5e9bf0f04e3bbe0f926b4ae0d358f8b7f7791102869664a9da088c7c32230cd90399a35ae4a53f77e7849e9f983e
The encoding process for the token acquisition request is specifically CBOR encoding.
Step S1-2: the manufacturing station decodes the second encoding result to obtain the token acquisition request, generates a token according to the token acquisition request, assembles a token response message, and returns the token response message to the Internet of Things device.
The generated token is, for example:
3045022100a3b3225fe43e2a808d243b47f254777c354461121a6c5049914df780a539bc4302207506cfe5846223aa31935a95512e3613834932db92630e0ea7e692ff5447e8e1
Step S1-3: the Internet of Things device parses the token response message to obtain the token and stores the token.
In a possible embodiment, before step S1-1, the method further includes:
Step T: the Internet of Things device checks whether a device key pair is already stored; if not, it generates the device key pair with a first preset algorithm, stores the device key pair and executes step S1-1; if yes, it executes step S1-1.
The first preset algorithm is specifically an ECC algorithm.
The device key pair includes a device public key and a device private key.
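Step S1-1 states that the token acquisition request is CBOR-encoded but gives no field layout. The following added example, which is not the patent's or Feitian's code, implements the subset of CBOR (RFC 8949 major types 0, 2, 3, 4 and 5) needed to encode such a request on the device and decode and validate it on the manufacturing station; the map keys deviceId and devicePublicKey and the constructed key bytes are assumptions.

```python
import struct

# Supported CBOR major types (RFC 8949): 0 unsigned int, 2 byte string,
# 3 text string, 4 array, 5 map. That subset covers the token request.
_SIZES = ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q"))


def _head(major: int, n: int) -> bytes:
    # Initial byte plus argument, using the shortest form (canonical CBOR).
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt in _SIZES:
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise ValueError("integer too large for a CBOR head")


def cbor_encode(obj) -> bytes:
    if isinstance(obj, int) and not isinstance(obj, bool) and obj >= 0:
        return _head(0, obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        text = obj.encode("utf-8")
        return _head(3, len(text)) + text
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(cbor_encode(x) for x in obj)
    if isinstance(obj, dict):
        # Deterministic key order (shorter encoded key first, then bytewise) so
        # device and station produce identical bytes for identical maps.
        items = sorted(((cbor_encode(k), cbor_encode(v)) for k, v in obj.items()),
                       key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(items)) + b"".join(k + v for k, v in items)
    raise TypeError(f"unsupported type {type(obj).__name__}")


def _decode_item(data: bytes, pos: int):
    if pos >= len(data):
        raise ValueError("truncated CBOR data")
    initial = data[pos]
    major, ai = initial >> 5, initial & 0x1F
    pos += 1
    if ai < 24:
        n = ai
    elif ai <= 27:
        size = 1 << (ai - 24)
        if pos + size > len(data):
            raise ValueError("truncated CBOR head")
        n = int.from_bytes(data[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("indefinite-length or reserved items are not supported")
    if major == 0:
        return n, pos
    if major in (2, 3):
        if pos + n > len(data):
            raise ValueError("truncated CBOR string")
        raw = bytes(data[pos:pos + n])
        return (raw if major == 2 else raw.decode("utf-8")), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = _decode_item(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(n):
            key, pos = _decode_item(data, pos)
            value, pos = _decode_item(data, pos)
            result[key] = value
        return result, pos
    raise ValueError(f"major type {major} is not supported")


def cbor_decode(data: bytes):
    obj, pos = _decode_item(data, 0)
    if pos != len(data):
        raise ValueError("trailing bytes after the CBOR item")
    return obj


# Step S1-1 on the device: the second encoding result built from the device
# identifier and device public key. The field names are assumptions.
def build_token_request(device_id: str, device_pubkey: bytes) -> bytes:
    return cbor_encode({"deviceId": device_id, "devicePublicKey": device_pubkey})


# Step S1-2 on the station: decode and validate the request before minting a token.
def parse_token_request(data: bytes):
    req = cbor_decode(data)
    if (not isinstance(req, dict) or set(req) != {"deviceId", "devicePublicKey"}
            or not isinstance(req["deviceId"], str)
            or not isinstance(req["devicePublicKey"], bytes)):
        raise ValueError("malformed token acquisition request")
    return req["deviceId"], req["devicePublicKey"]


def is_valid_token_request(data: bytes) -> bool:
    try:
        parse_token_request(data)
        return True
    except (ValueError, TypeError):
        return False
```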
Step S2: the manufacturing station decrypts the credential generation request with the pre-stored device public key to obtain the CSR data, device description information, device public key information and token, and verifies the token; if verification succeeds, it determines whether a device certificate corresponding to the Internet of Things device already exists; if it exists, the process ends; if not, the manufacturing station generates the device certificate from the decrypted CSR data, stores the device certificate together with the device description information, and executes step S3; if verification fails, the process ends.
In an alternative embodiment, step S2 further includes:
and if the device certificate corresponding to the Internet of things device exists in the local device, ending.
Step S3: the manufacturing station acquires a pre-stored manufacturing station public key, a device identifier and server information, performs hash operation on a device certificate to acquire a first hash value, assembles a device initial attribution information head message according to an on-board protocol version, the first hash value, the manufacturing station public key, device description information acquired by decryption, the device identifier and the server information, performs coding processing on the device initial attribution information head message to acquire a first coding result, and returns the first coding result to the Internet of things device.
The server information is information of an authentication center server and is used in the registration stage of the Internet of things equipment.
The manufacturing station public key is, for example:
BAgIIb2dAfABGSlYwCgYIKoZIzj0EAwIwFDESMBAGA1UEAwwJRmRvRW50aXR5MCAXDTIyMDcyODAxMzQzMVoYDzIwNTIwMjIxMDEzNDMxWjAUMRIwEAYDVQQDDAlGZG9FbnRpdHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATsQzhCHspLHBMtBjJkxU+93WTGpoEduhEpWzu1Qm3BoangzAbeiZwhcRQ1XGbdNOnYRfnCgpftPKnDaanM9dUPMAoGCCqGSM49BAMCA0cAMEQCIEvW7f3sjiE18HnG5BKDc1ytRZkR6hZrszkpO6Vu1J4LAiAwDRYUz9HyeV+atc2Id4klSKxRUPQVU1vBkrgGnuKLTDCCAR0wgcSgAwIBAgIIMv4Jn4ixRdAwCgYIKoZIzj0EAwIwFDESMBAGA1
the first hash value is, for example:
s9ZnEN7eMCrmADtdGhOG3982Sju+2coDk+TS+haPZIA=
The device initial attribution information header message is, for example:
{
    "voucherHeader": {
        "certHash": {
            "hashType": "SHA256",
            "hashValue": "/cgPU8g6VNx3SheH41HPSTSlgccuqEty/7B8cmpeO8w="
        },
        "deviceInfo": "DemoDevice",
        "guid": {},
        "publicKey": {
            "body": {
                "object": ""
            },
            "enc": "X509",
            "type": "SECP256R1"
        },
        "rendezvousInfo": [{
            "value": "aTEyNy4wLjAuMQ==",
            "variable": "DNS"
        }, {
            "value": "80",
            "variable": "DEV_PORT"
        }, {
            "value": "192.168.0.2",
            "variable": "IP_ADDRESS"
        }, {
            "value": "80",
            "variable": "OWNER_PORT"
        }, {
            "value": "HTTPS",
            "variable": "PROTOCOL"
        }],
        "version": "V101"
    }
}
Step S4: the Internet of Things device decodes the received first encoding result to obtain the device initial attribution information header message, computes a hash message authentication code over the header message, assembles a credential setting response message from the hash message authentication code and the token, and sends the credential setting response message to the manufacturing station.
The hash message authentication code is, for example:
Juczi1QtAlkrvi3JTpHFc/pqQ2V3HF+ufZdqMm/v0Vs=
Step S5: the manufacturing station parses the credential setting response message to obtain the hash message authentication code and the token, and verifies the token; if verification succeeds, it generates entry information and assembles and stores the device initial attribution information from the on-board protocol version, the device initial attribution information header message, the hash message authentication code, the device certificate and the entry information; if verification fails, the process ends.
The entry information is, for example:
"entries": [{
    "payload": {
        "hashprevEntry": "+08zSk0gtLKXttWLCEjMGtV+2bPRYm+n51mc1bKQUPc=",
        "hashHdrInfo": "//SO7ZCWUnOc1O+K9HzpwCGrcpYOtKkb4tjwr0IA3dE=",
        "pubkey": "BFuXSQMUbI0TiZ+jts9YSI5bQi87GOHx+HHUzdRYcke7yZR9BZuZcLdX2Fab7vdJaJLUnBbHUDrhIowCgYIKoZIzj0EAwIDSAAwRQIhAL4EDFUFv1JMoNZBQpz4LZs8qUktLg82dQjsTJl0lE2MAiBb+fQD7vv3QQI7VBz3ioa8Hz/m3jyUy6P3S7XKHHnktA=="
    },
    "protectedHeader": "oQEm",
    "signature": "ZZoiOCtdZCNRWhGMX8i+Skmp2gX3ZrmoXT5uKy7f6dAIv6DhGyuQARtGzj3mWmCAYTsLZkePrPVA7+WLx501Ng==",
    "tag": "COSE_SIGN_1",
    "unprotectedHeader": {}
}]
The assembled device initial attribution information is, for example:
"voucher": {
    "certChain": {
        "chain": [{
            "basicConstraints": -1,
            "elements": ["x509.info", "x509.algorithm", "x509.signature", "x509.signed_cert"],
            "encoded": "MIIBHTCBxKADAgECAggy/gmfiLFF0DAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAlGZG9FbnRpdHkwIBcNMjIwNzI4MDEzNDMxWhgPMjA1MjAyMjEwMTM0MzFaMBQxEjAQBgNVBAMMCUZkb0VudGl0eTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEa71ejdOBFuXSQMUbI0TiZ+jts9YSI5bQi87GOHx+HHUzdRYcke7yZR9BZuZcLdX2Fab7vdJaJLUnBbHUDrhIowCgYIKoZIzj0EAwIDSAAwRQIhAL4EDFUFv1JMoNZBQpz4LZs8qUktLg82dQjsTJl0lE2MAiBb+fQD7vv3QQI7VBz3ioa8Hz/m3jyUy6P3S7XKHHnktA==",
            "encodedInternal": "MIIBHTCBxKADAgECAggy/gmfiLFF0DAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAlGZG9FbnRpdHkwIBcNMjIwNzI4MDEzNDMxWhgPMjA1MjAyMjEwMTM0MzFaMBQxEjAQBgNVBAMMCUZkb0VudGl0eTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEa71ejdOBFuXSQMUbI0TiZ+jts9YSI5bQi87GOHx+HHUzdRYcke7yZR9BZuZcLdX2Fab7vdJaJLUnBbHUDrhIowCgYIKoZIzj0EAwIDSAAwRQIhAL4EDFUFv1JMoNZBQpz4LZs8qUktLg82dQjsTJl0lE2MAiBb+fQD7vv3QQI7VBz3ioa8Hz/m3jyUy6P3S7XKHHnktA==",
            ......
            "payload": "hIIvWCBEqXfLX292SrawWgDqbHzMS3kAa7Qj6R5oQM5s6lN+uYIvWCCpYodNV6SilmgANxHNCAjMOSj+8i1TRhw3rARsqQY0TfaDCgFYWzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGNDwai+L6zgRxHgQzPNqKExP7r/BX2QWrf+g5TVNhPdLXInadFx7JdSBzcZDqNpswfsCH0KYrKKPR9Sf2wyB7g=",
            "protectedHeader": "oQEm",
            "signature": "mhujAJoU2qzmyPiZzMAWlPy1WD2RFWhn/j2V9RbQR0QnfOqfODb0AmlESmYpsPX4taBFazTojZSn/xLYGzXz4Q==",
            "tag": "COSE_SIGN_1",
            "unprotectedHeader": {}
        }],
        "header": "hhhlUEUJzgc4L0JEsfUGWlIdry2BhYIFSmkxMjcuMC4wLjGCA0MZH5CCDEEBggJFRH8AAAGCBEMZH5BqRGVtb0RldmljZYMKAVhbMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7EM4Qh7KSxwTLQYyZMVPvd1kxqaBHboRKVs7tUJtwaGp4MwG3omcIXEUNVxm3TTp2EX5woKX7Typw2mpzPXVD4IvWCD9yA9TyDpU3HdKF4fjUc9JNKWBxy6oS3L/sHxyal47zA==",
        "hmac": {
            "hashType": "HMAC_SHA256",
            "hashValue": "Juczi1QtAlkrvi3JTpHFc/pqQ2V3HF+ufZdqMm/v0Vs="
        },
        "version": "V101"
    }
Step SA1: the owner side generates and stores an owner public and private key pair using a first preset algorithm, generates order information from the order, the stored application identifier and the owner public key, encrypts the order information with the application key, and sends the encrypted order information to the service side.
The saved application identifier is, for example:
4E9CD1672503C32B6162
the order is, for example: 10000
The owner public key is as follows:
BFuXSQMUbI0TiZ+jts9YSI5bQi87GOHx+HHUzdRYcke7yZR9BZuZcLdX2Fab7vdJaJLUnBbHUDrhIowCgYIKoZIzj0EAwIDSAAwRQIhAL4EDFUFv1JMoNZBQpz4LZs8qUktLg82dQjsTJl0lE2MAiBb+fQD7vv3QQI7VBz3ioa8Hz/m3jyUy6P3S7XKHHnktA==
The application key is, for example:
m3jyUy6P3S7XKHHnktA==
Step SA2: the service side decrypts the encrypted order information with its internally stored application key to obtain the application identifier and the owner public key, stores the application identifier and the owner public key in correspondence, generates order placing information based on the order information, and sends the order placing information to the manufacturing station.
Step SA3: the manufacturing station parses the order information to obtain the owner public key and stores it.
Step SA4: the manufacturing station hashes the device initial attribution information header message together with the hash message authentication code to obtain a second hash value, hashes the device identifier together with the device description information to obtain a third hash value, signs the second hash value, the third hash value and the owner public key with the manufacturing station private key to obtain a first signature result, generates the expanded device first attribution information from the stored device initial attribution information, the owner public key, the second hash value, the third hash value and the first signature result, and sends the expanded device first attribution information to the owner side.
The second hash value is, for example:
+08zSk0gtLKXttWLCEjMGtV+2bPRYm+n51mc1bKQUPc=
the third hash value is, for example:
//SO7ZCWUnOc1O+K9HzpwCGrcpYOtKkb4tjwr0IA3dE=
The manufacturing station private key is, for example:
-----BEGIN PRIVATE KEY-----
MIIBVgIBADANBgkqhkiG9w0BAQEFAASCAUAwggE8AgEAAkEA0E7RAcyPyRwZZqp9
3Mipaplq6jTXXZGYojJgKsgKm5DOGVL279UlFqvA2bZFEoESGrt3fPWIWNzKgXwx
gJYpxwIDAQABAkEAiqeb2a23G693fO4JPzfWBR2/m8u2exLZ3UTY3EExRmBF1iAd
GU/NKoXb/qfDo2HpEIB/+hDoBxw40Mgq1w9M2QIhAPRLp3Kk5L0MbP+oeO+aJSIY
lWTKKYebO+65ST83XnYFAiEA2knDyxTeHhJudlTJSgUZanaU4+rmbBMo5VR6l0JJ
PlsCIQDA28Dzts2FmXurUTs4HL7X7gRyr06d6aUkz03OBE4kaQIhAI8wgB0BTUrQ
sGEy8O97NNbffn+boRcX4mW86sW6F62tAiB820bMbeMBzofhtTfAOVol6cNDXrQo
zT3dv3+3PH8kVg==
-----END PRIVATE KEY-----
the first signature result is, for example:
ZZoiOCtdZCNRWhGMX8i+Skmp2gX3ZrmoXT5uKy7f6dAIv6DhGyuQARtGzj3mWmCAYTsLZkePrPVA7+WLx501Ng==
The expanded device first attribution information is, for example:
"voucher": {
"certChain": {
"chain": [{
"basicConstraints": -1,
"elements": ["x509.info", "x509.algorithm", "x509.signature", "x509.signed_cert"],
"encoded": "MIIBHTCBxKADAgECAggy/gmfiLFF0DAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAlGZG9FbnRpdHkwIBcNMjIwNzI4MDEzNDMxWhgPMjA1MjAyMjEwMTM0MzFaMBQxEjAQBgNVBAMMCUZkb0VudGl0eTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEa71ejdOBFuXSQMUbI0TiZ+jts9YSI5bQi87GOHx+HHUzdRYcke7yZR9BZuZcLdX2Fab7vdJaJLUnBbHUDrhIowCgYIKoZIzj0EAwIDSAAwRQIhAL4EDFUFv1JMoNZBQpz4LZs8qUktLg82dQjsTJl0lE2MAiBb+fQD7vv3QQI7VBz3ioa8Hz/m3jyUy6P3S7XKHHnktA==",
"encodedInternal": "MIIBHTCBxKADAgECAggy/gmfiLFF0DAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAlGZG9FbnRpdHkwIBcNMjIwNzI4MDEzNDMxWhgPMjA1MjAyMjEwMTM0MzFaMBQxEjAQBgNVBAMMCUZkb0VudGl0eTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEa71ejdOBFuXSQMUbI0TiZ+jts9YSI5bQi87GOHx+HHUzdRYcke7yZR9BZuZcLdX2Fab7vdJaJLUnBbHUDrhIowCgYIKoZIzj0EAwIDSAAwRQIhAL4EDFUFv1JMoNZBQpz4LZs8qUktLg82dQjsTJl0lE2MAiBb+fQD7vv3QQI7VBz3ioa8Hz/m3jyUy6P3S7XKHHnktA==",
......
"entries": [{
"payload": {
"hashprevEntry": "+08zSk0gtLKXttWLCEjMGtV+2bPRYm+n51mc1bKQUPc=",
"hashHdrInfo": "//SO7ZCWUnOc1O+K9HzpwCGrcpYOtKkb4tjwr0IA3dE=",
"pubkey": "BFuXSQMUbI0TiZ+jts9YSI5bQi87GOHx+HHUzdRYcke7yZR9BZuZcLdX2Fab7vdJaJLUnBbHUDrhIowCgYIKoZIzj0EAwIDSAAwRQIhAL4EDFUFv1JMoNZBQpz4LZs8qUktLg82dQjsTJl0lE2MAiBb+fQD7vv3QQI7VBz3ioa8Hz/m3jyUy6P3S7XKHHnktA=="
},
"protectedHeader": "oQEm",
"signature": "ZZoiOCtdZCNRWhGMX8i+Skmp2gX3ZrmoXT5uKy7f6dAIv6DhGyuQARtGzj3mWmCAYTsLZkePrPVA7+WLx501Ng==",
"tag": "COSE_SIGN_1",
"unprotectedHeader": {}
}],
"header": "hhhlUEUJzgc4L0JEsfUGWlIdry2BhYIFSmkxMjcuMC4wLjGCA0MZH5CCDEEBggJFRH8AAAGCBEMZH5BqRGVtb0RldmljZYMKAVhbMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7EM4Qh7KSxwTLQYyZMVPvd1kxqaBHboRKVs7tUJtwaGp4MwG3omcIXEUNVxm3TTp2EX5woKX7Typw2mpzPXVD4IvWCD9yA9TyDpU3HdKF4fjUc9JNKWBxy6oS3L/sHxyal47zA==",
"hmac": {
"hashType": "HMAC_SHA256",
"hashValue": "Juczi1QtAlkrvi3JTpHFc/pqQ2V3HF+ufZdqMm/v0Vs="
},
"version": "V101"
}
Step SA5: the owner side verifies the validity of the expanded device first attribution information; if it is valid, the owner side stores the expanded device first attribution information, and if it is invalid, the process ends.
Specifically, step SA5 may include:
Step SA5-1: the owner side parses the expanded device first attribution information to obtain the device initial attribution information header message, the hash message authentication code, the device certificate, the owner public key, the second hash value, the third hash value and the first signature result.
Step SA5-2: the owner side obtains the manufacturing station public key from the parsed device initial attribution information header message, calculates a hash message authentication code over the parsed header message using the parsed manufacturing station public key, and compares the parsed hash message authentication code with the calculated one; if they are consistent, step SA5-3 is executed; if they are inconsistent, the expanded device first attribution information is judged invalid and the process ends.
Step SA5-3: the owner side obtains the first hash value from the parsed device initial attribution information header message, hashes the parsed device certificate to obtain a fourth hash value, and compares the obtained first hash value with the computed fourth hash value; if they are consistent, step SA5-4 is executed; if they are inconsistent, the expanded device first attribution information is judged invalid and the process ends.
Step SA5-4: the owner side verifies the parsed first signature result with the parsed manufacturing station public key; if verification passes, step SA5-5 is executed; if it fails, the expanded device first attribution information is judged invalid and the process ends.
Step SA5-5: the owner side obtains the device description information and the device identifier from the parsed device initial attribution information header message, hashes them to obtain a fifth hash value, and compares the parsed third hash value with the computed fifth hash value; if they are consistent, step SA5-6 is executed; if they are inconsistent, the expanded device first attribution information is judged invalid and the process ends.
Step SA5-6: the owner side compares the parsed owner public key with the public key stored on the owner side; if they are consistent, step SA5-7 is executed; if they are inconsistent, the expanded device first attribution information is judged invalid and the process ends.
Step SA5-7: the owner side hashes the parsed device initial attribution information header message together with the hash message authentication code to obtain a sixth hash value and compares the parsed second hash value with the computed sixth hash value; if they are consistent, the expanded device first attribution information is judged valid and stored; if they are inconsistent, it is judged invalid and the process ends.
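The extension step SA4 and the owner-side checks SA5-1 to SA5-7 above, as an added example in Go that is not part of the patent or of any Feitian implementation. It assumes SHA-256 for every hash, ECDSA P-256 with ASN.1-encoded signatures (the certificate on the page uses the prime256v1 curve), a simple quoted/hex header encoding in place of the on-board encoding, and, reading SA5-2 literally, an HMAC keyed with the manufacturing station public key bytes; every type and function name is the example's own.

```go
package main

// Added example, not the patent's own code: step SA4 (the manufacturing station
// extends the device attribution information) and the owner checks SA5-1 to SA5-7.
// Assumptions: SHA-256, ECDSA P-256, a quoted/hex header encoding, station-key HMAC.
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Header is the device initial attribution information header message.
type Header struct {
	Version     string // on-board protocol version
	CertHash    []byte // first hash value: SHA-256 of the device certificate
	StationPub  []byte // manufacturing station public key, PKIX DER
	Description string // device description information
	DeviceID    string // device identifier
}
// Bytes is an unambiguous header encoding (quoted strings, hex bytes) so hashes and HMACs are reproducible.
func (h Header) Bytes() []byte {
	return []byte(fmt.Sprintf("%q|%x|%x|%q|%q", h.Version, h.CertHash, h.StationPub, h.Description, h.DeviceID))
}

// Entry records one transfer of the attribution relationship.
type Entry struct {
	HashPrev  []byte // second hash value: SHA-256(header || HMAC)
	HashHdr   []byte // third hash value: SHA-256(device identifier || description)
	PubKey    []byte // public key of the receiving party (owner, then client), PKIX DER
	Signature []byte // signature result by the manufacturing station over the three fields
}

// Voucher is the device attribution information the parties exchange.
type Voucher struct {
	Header  Header
	HMAC    []byte // hash message authentication code over the header (step S4)
	DevCert []byte // device certificate
	Entries []Entry
}
func sha(parts ...[]byte) []byte   { s := sha256.Sum256(bytes.Join(parts, nil)); return s[:] }
func secondHash(v *Voucher) []byte { return sha(v.Header.Bytes(), v.HMAC) }
func thirdHash(v *Voucher) []byte  { return sha([]byte(v.Header.DeviceID), []byte(v.Header.Description)) }
func signedInput(e Entry) []byte   { return sha(e.HashPrev, e.HashHdr, e.PubKey) }
// headerMAC keys the HMAC with the station public key bytes: a literal reading of SA5-2, and an assumption.
func headerMAC(h Header) []byte { m := hmac.New(sha256.New, h.StationPub); m.Write(h.Bytes()); return m.Sum(nil) }

// GenKey returns a P-256 private key and its PKIX-encoded public key.
func GenKey() (*ecdsa.PrivateKey, []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return priv, der
}

// NewVoucher builds the initial attribution information (steps S3 to S5 collapsed).
func NewVoucher(stationPub, devCert []byte, description, deviceID string) *Voucher {
	v := &Voucher{Header: Header{"V101", sha(devCert), stationPub, description, deviceID}, DevCert: devCert}
	v.HMAC = headerMAC(v.Header)
	return v
}

// Extend implements SA4/SA8: the station signs (h2 || h3 || newPub) and appends the entry.
func Extend(v *Voucher, station *ecdsa.PrivateKey, newPub []byte) error {
	e := Entry{HashPrev: secondHash(v), HashHdr: thirdHash(v), PubKey: newPub}
	sig, err := ecdsa.SignASN1(rand.Reader, station, signedInput(e))
	if err == nil {
		e.Signature = sig
		v.Entries = append(v.Entries, e)
	}
	return err
}

// Verify runs the owner-side checks SA5-1 to SA5-7 against the latest entry.
func Verify(v *Voucher, ownerPub []byte) error {
	if len(v.Entries) == 0 {
		return errors.New("SA5-1: no entry to verify")
	}
	e := v.Entries[len(v.Entries)-1]
	pubAny, err := x509.ParsePKIXPublicKey(v.Header.StationPub)
	pub, _ := pubAny.(*ecdsa.PublicKey) // nil when the header carries no usable ECDSA key
	for _, c := range []struct{ ok bool; step string }{
		{hmac.Equal(headerMAC(v.Header), v.HMAC), "SA5-2: header HMAC mismatch"},
		{bytes.Equal(v.Header.CertHash, sha(v.DevCert)), "SA5-3: first hash != fourth hash (certificate)"},
		{err == nil && pub != nil && ecdsa.VerifyASN1(pub, signedInput(e), e.Signature), "SA5-4: station signature invalid"},
		{bytes.Equal(e.HashHdr, thirdHash(v)), "SA5-5: third hash != fifth hash (identifier/description)"},
		{bytes.Equal(e.PubKey, ownerPub), "SA5-6: owner public key is not the one this owner holds"},
		{bytes.Equal(e.HashPrev, secondHash(v)), "SA5-7: second hash != sixth hash (header/HMAC)"},
	} {
		if !c.ok {
			return errors.New(c.step)
		}
	}
	return nil
}
```

Any change to the header, to the device certificate or to the receiving party's public key is rejected at the step named in the returned error, and a second Extend with the client public key (step SA8) is checked the same way with the client's key.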
Step SA6: the owner side looks up the corresponding client public key in its internal storage according to the order, encrypts the client public key with the application key to obtain an attribution information expansion request ciphertext, and sends the ciphertext to the service side.
Step SA7: the service side decrypts the attribution information expansion request ciphertext with its internally stored application key and sends the decrypted client public key to the manufacturing station.
Step SA8: the manufacturing station hashes the device initial attribution information header message together with the hash message authentication code to obtain the second hash value, hashes the device identifier together with the device description information to obtain the third hash value, signs the second hash value, the third hash value and the client public key with the manufacturing station private key to obtain a second signature result, generates the expanded device second attribution information from the stored device first attribution information, the client public key, the second hash value, the third hash value and the second signature result, and sends the expanded device second attribution information to the client.
One device corresponds to one piece of device attribution information, and the voucher can be extended repeatedly as the attribution relationship of the device is transferred. This embodiment corresponds to the case in which the client orders a single device. In other embodiments the client may order several devices; the manufacturing station then generates a corresponding number of expanded device second attribution information records and sends them to the client (the manufacturing station can locate the attribution information of each device by its serial number and expand that record).
In a possible embodiment, the owner may also lose its key after step SA5. When the key is lost, the following steps are performed:
Step SB1: the owner side regenerates a new owner public and private key pair using the first preset algorithm, stores it, assembles a credential damage request from the expanded device first attribution information, the application identifier and the new owner public key, encrypts the credential damage request with the application key, and sends the encrypted credential damage request to the service side.
The new owner public key is, for example:
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALFdBCHzc88aTZsenekRo//Se4wyaPpP
r3F3zbVl5ebrZ6SN4/hugPJmMa4gEUGo+c0n9tO8vl7T4jBB3u0ZlEUCAwEAAQ==
-----END PUBLIC KEY-----
The assembled credential damage request is, for example:
{
"appkey":"4E9CD1672503C32B6162",
"method":"voucherDamage",
"pubkey":"MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALFdBCHzc88aTZsenekRo//Se4wyaPpPr3F3zbVl5ebrZ6SN4/hugPJmMa4gEUGo+c0n9tO8vl7T4jBB3u0ZlEUCAwEAAQ=="
}
Step SB2: the service side decrypts the encrypted credential damage request with its internally stored application key to obtain the application identifier and the new owner public key, updates its internally stored public key corresponding to the application identifier with the new owner public key, and sends a credential regeneration request to the manufacturing station according to the expanded device first attribution information and the new owner public key.
The assembled credential regeneration request is, for example:
{
"appkey":"4E9CD1672503C32B6162",
"method":"voucherDamage",
"pubkey":"MFwwDQYJKoZIhvcNAQEB
BQADSwAwSAJBALFdBCHzc88aTZsenekRo//Se4wyaPpPr3F3zbVl5ebrZ6SN4/hugPJmMa4gEUGo+c0n9tO8vl7T4jBB3u0ZlEUCAwEAAQ==",
"voucher": {
"certChain": {
"chain": [{
"basicConstraints": -1,
"elements": ["x509.info", "x509.algorithm", "x509.signature", "x509.signed_cert"],
"encoded": "MIIBHTCBxKADAgECAggy/gmfiLFF0DAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAlGZG9FbnRpdHkwIBcNMjIwNzI4MDEzNDMxWhgPMjA1MjAyMjEwMTM0MzFaMBQxEjAQBgNVBAMMCUZkb0VudGl0eTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEa71ejdOBFuXSQMUbI0TiZ+jts9YSI5bQi87GOHx+HHUzdRYcke7yZR9BZuZcLdX2Fab7vdJaJLUnBbHUDrhIowCgYIKoZIzj0EAwIDSAAwRQIhAL4EDFUFv1JMoNZBQpz4LZs8qUktLg82dQjsTJl0lE2MAiBb+fQD7vv3QQI7VBz3ioa8Hz/m3jyUy6P3S7XKHHnktA==",
"encodedInternal": "MIIBHTCBxKADAgECAggy/gmfiLFF0DAKBggqhkjOPQQDAjAUMRIwEAYDVQQDDAlGZG9FbnRpdHkwIBcNMjIwNzI4MDEzNDMxWhgPMjA1MjAyMjEwMTM0MzFaMBQxEjAQBgNVBAMMCUZkb0VudGl0eTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEa71ejdOBFuXSQMUbI0TiZ+jts9YSI5bQi87GOHx+HHUzdRYcke7yZR9BZuZcLdX2Fab7vdJaJLUnBbHUDrhIowCgYIKoZIzj0EAwIDSAAwRQIhAL4EDFUFv1JMoNZBQpz4LZs8qUktLg82dQjsTJl0lE2MAiBb+fQD7vv3QQI7VBz3ioa8Hz/m3jyUy6P3S7XKHHnktA==",
......
"entries": [{
"payload": {
"hashprevEntry": "+08zSk0gtLKXttWLCEjMGtV+2bPRYm+n51mc1bKQUPc=",
"hashHdrInfo": "//SO7ZCWUnOc1O+K9HzpwCGrcpYOtKkb4tjwr0IA3dE=",
"pubkey": "BFuXSQMUbI0TiZ+jts9YSI5bQi87GOHx+HHUzdRYcke7yZR9BZuZcLdX2Fab7vdJaJLUnBbHUDrhIowCgYIKoZIzj0EAwIDSAAwRQIhAL4EDFUFv1JMoNZBQpz4LZs8qUktLg82dQjsTJl0lE2MAiBb+fQD7vv3QQI7VBz3ioa8Hz/m3jyUy6P3S7XKHHnktA=="
},
"protectedHeader": "oQEm",
"signature": "ZZoiOCtdZCNRWhGMX8i+Skmp2gX3ZrmoXT5uKy7f6dAIv6DhGyuQARtGzj3mWmCAYTsLZkePrPVA7+WLx501Ng==",
"tag": "COSE_SIGN_1",
"unprotectedHeader": {}
}],
"header": "hhhlUEUJzgc4L0JEsfUGWlIdry2BhYIFSmkxMjcuMC4wLjGCA0MZH5CCDEEBggJFRH8AAAGCBEMZH5BqRGVtb0RldmljZYMKAVhbMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7EM4Qh7KSxwTLQYyZMVPvd1kxqaBHboRKVs7tUJtwaGp4MwG3omcIXEUNVxm3TTp2EX5woKX7Typw2mpzPXVD4IvWCD9yA9TyDpU3HdKF4fjUc9JNKWBxy6oS3L/sHxyal47zA==",
"hmac": {
"hashType": "HMAC_SHA256",
"hashValue": "Juczi1QtAlkrvi3JTpHFc/pqQ2V3HF+ufZdqMm/v0Vs="
},
"version": "V101"
}
}
Step SB3: the manufacturing station parses the credential regeneration request to obtain the expanded device first attribution information and the new owner public key, obtains the first signature result from the expanded device first attribution information and verifies it with the manufacturing station public key; if verification passes, it truncates the expanded device first attribution information, updates the owner public key stored in the manufacturing station with the new owner public key, re-executes steps SA4 to SA5 to generate new device attribution information and sends it to the owner side for validity verification; if verification fails, the process ends.
As an illustration: manufacturing station A produces Internet of Things device B, so the attribution of device B is initially manufacturing station A, and manufacturing station A generates the device initial attribution information. Client C purchases device B and places the order with agent D. Agent D obtains the public key of client C and, through service side E, applies to manufacturing station A to transfer the attribution of device B according to the public key of client C. Manufacturing station A expands the device initial attribution information into the device first attribution information according to the public key of agent D, transferring the attribution of device B to agent D, and then expands the device first attribution information into the device second attribution information according to the public key of client C, transferring the attribution of device B to client C and completing the transfer of the attribution relationship.
In this application, the device attribution information is generated, managed and distributed by the manufacturing station. This mechanism removes the manual registration and warehousing step, makes the device attribution relationship traceable, and allows Internet of Things devices to be shipped and distributed more securely. The method of this application thus ensures the legitimacy and security of Internet of Things devices.
The following are system embodiments of the present application that may be used to perform method embodiments of the present application. For details not disclosed in the system embodiments of the present application, please refer to the method embodiments of the present application.
The device initial attribution information generation system in the embodiment of the application comprises an Internet of Things device and a manufacturing station. The Internet of Things device comprises a request generation module and a response module, and the manufacturing station comprises a certificate generation module, an information header organization module and an attribution information generation module, wherein:
the request generation module is used for obtaining a token from the manufacturing station, assembling the token, the manufacturing station information, the CSR data, the device description information, the device serial number and the device public key information obtained from internal storage into a credential request core message, encrypting the credential request core message with the device private key to obtain a credential generation request, and sending the credential generation request to the manufacturing station, wherein the device public key information comprises a public key type and a public key encoding;
the certificate generation module is used for decrypting the credential generation request with the prestored device public key to obtain the CSR data, the device description information, the device public key information and the token, and verifying the token; if verification succeeds, it judges whether a device certificate corresponding to the Internet of Things device already exists locally, generates the device certificate from the decrypted CSR data if none exists, stores the device certificate in correspondence with the device description information and triggers the information header organization module; if verification fails, the process ends;
the information header organization module is used for obtaining the prestored manufacturing station public key, the device identifier and the server information, hashing the device certificate to obtain a first hash value, assembling the device initial attribution information header message from the on-board protocol version, the first hash value, the manufacturing station public key, the decrypted device description information, the device identifier and the server information, encoding the header message to obtain a first encoding result, and returning the first encoding result to the Internet of Things device, wherein the server information is information about the authentication center server and is used in the registration stage of the Internet of Things device;
the response module is used for decoding the received first encoding result to obtain the device initial attribution information header message, calculating a hash message authentication code over the header message, assembling a credential setting response message from the hash message authentication code and the token, and sending the credential setting response message to the manufacturing station;
the attribution information generation module is used for parsing the credential setting response message to obtain the hash message authentication code and the token, and verifying the token; if verification succeeds, it generates entry information and assembles and stores the device initial attribution information from the on-board protocol version, the device initial attribution information header message, the hash message authentication code, the device certificate and the entry information; if verification fails, the process ends.
In an optional embodiment, the system further includes a service side and an owner side; the service side includes an application information generation module, and the owner side includes a storage module, wherein:
the application information generation module is used for receiving an application request sent by the owner side, creating an application, generating application information and sending it to the owner side, wherein the application information comprises an application identifier and an application key;
the storage module is used for storing the application information;
the owner side further comprises an order information generation module for:
generating and storing an owner public and private key pair using a first preset algorithm, generating order information from an order, the stored application identifier and the owner public key, encrypting the order information with the application key, and sending the encrypted order information to the service side;
the service side further comprises an order placing information generation module for:
decrypting the encrypted order information with the internally stored application key to obtain the application identifier and the owner public key, storing the application identifier and the owner public key in correspondence, generating order placing information based on the order information, and sending the order placing information to the manufacturing station;
the manufacturing station further comprises an owner public key acquisition module for:
parsing the order information to obtain the owner public key and storing it;
the manufacturing station further comprises an attribution information extension module for:
hashing the device initial attribution information header message together with the hash message authentication code to obtain a second hash value, hashing the device identifier together with the device description information to obtain a third hash value, signing the second hash value, the third hash value and the owner public key with the manufacturing station private key to obtain a first signature result, generating the expanded device first attribution information from the stored device initial attribution information, the owner public key, the second hash value, the third hash value and the first signature result, and sending the expanded device first attribution information to the owner side;
the owner side further comprises an attribution information verification module for:
verifying the validity of the expanded device first attribution information, storing the expanded device first attribution information if it is valid, and ending if it is invalid.
In an optional embodiment, the attribution information verification module specifically includes:
a parsing unit, used for parsing the expanded device first attribution information to obtain the device initial attribution information header message, the hash message authentication code, the device certificate, the owner public key, the second hash value, the third hash value and the first signature result;
a first comparison unit, used for obtaining the manufacturing station public key from the parsed device initial attribution information header message, calculating a hash message authentication code over the parsed header message using the parsed manufacturing station public key, and comparing the parsed hash message authentication code with the calculated one; if they are consistent, the second comparison unit is triggered; if they are inconsistent, the expanded device first attribution information is judged invalid and the process ends;
a second comparison unit, used for obtaining the first hash value from the parsed device initial attribution information header message, hashing the parsed device certificate to obtain a fourth hash value, and comparing the obtained first hash value with the computed fourth hash value; if they are consistent, the signature verification unit is triggered; if they are inconsistent, the expanded device first attribution information is judged invalid and the process ends;
a signature verification unit, used for verifying the parsed first signature result with the parsed manufacturing station public key; if verification passes, the third comparison unit is triggered; if it fails, the expanded device first attribution information is judged invalid and the process ends;
a third comparison unit, used for obtaining the device description information and the device identifier from the parsed device initial attribution information header message, hashing them to obtain a fifth hash value, and comparing the parsed third hash value with the computed fifth hash value; if they are consistent, the fourth comparison unit is triggered; if they are inconsistent, the expanded device first attribution information is judged invalid and the process ends;
a fourth comparison unit, used for comparing the parsed owner public key with the public key stored on the owner side; if they are consistent, the fifth comparison unit is triggered; if they are inconsistent, the expanded device first attribution information is judged invalid and the process ends;
a fifth comparison unit, used for hashing the parsed device initial attribution information header message together with the hash message authentication code to obtain a sixth hash value and comparing the parsed second hash value with the computed sixth hash value; if they are consistent, the expanded device first attribution information is judged valid and stored; if they are inconsistent, it is judged invalid and the process ends.
In an optional embodiment, the attribution information extension module is further configured to:
look up the corresponding client public key in internal storage according to the order, encrypt the client public key with the application key to obtain an attribution information expansion request ciphertext, and send the ciphertext to the service side;
decrypt the attribution information expansion request ciphertext with the internally stored application key and send the decrypted client public key to the manufacturing station;
hash the device initial attribution information header message together with the hash message authentication code to obtain the second hash value, hash the device identifier together with the device description information to obtain the third hash value, sign the second hash value, the third hash value and the client public key with the manufacturing station private key to obtain a second signature result, generate the expanded device second attribution information from the stored device first attribution information, the client public key, the second hash value, the third hash value and the second signature result, and issue the expanded device second attribution information to the client.
In an alternative embodiment, the owner side further includes:
a damage request generation module, used for regenerating a new owner public and private key pair with the first preset algorithm, storing it, assembling a credential damage request from the expanded device first attribution information, the application identifier and the new owner public key, encrypting the credential damage request with the application key, and sending the encrypted credential damage request to the service side;
the service side further comprises:
a public key updating module, used for decrypting the encrypted credential damage request with the internally stored application key to obtain the application identifier and the new owner public key, updating the locally stored public key corresponding to the application identifier with the new owner public key, and sending a credential regeneration request to the manufacturing station according to the expanded device first attribution information and the new owner public key;
the manufacturing station further comprises:
an attribution information regeneration module, used for parsing the credential regeneration request to obtain the expanded device first attribution information and the new owner public key, obtaining the first signature result from the expanded device first attribution information and verifying it with the manufacturing station public key; if verification passes, it truncates the expanded device first attribution information, updates the locally stored owner public key with the new owner public key, and re-triggers the response module and the attribution information generation module to generate new device attribution information and issue it to the owner side for validity verification; if verification fails, the process ends.
In an optional embodiment, the internet of things device further includes:
the information processing module is used for generating domain name information and acquiring the position information of the equipment;
and the CSR data generation module is used for generating and storing CSR data according to the domain name information, the position information and a second preset algorithm.
In an optional embodiment, the internet of things device further includes a token request module configured to:
generating a token acquisition request according to the internally stored equipment identifier and the equipment public key, performing coding processing on the token acquisition request to obtain a second coding result, and transmitting the second coding result to the manufacturing station;
the manufacturing station further comprises:
the token generation module is used for decoding the second coding result to obtain the token acquisition request, generating a token according to the token acquisition request, assembling a token response message, and returning the token response message to the Internet of things equipment;
the internet of things device further comprises a token saving module for:
and analyzing the token response message to obtain the token and storing the token.
In an optional embodiment, the internet of things device further includes a key generation module configured to:
and inquiring whether a device key pair is stored in the device, if not, generating the device key pair by using a first preset algorithm, and storing the device key pair, wherein the device key pair comprises a device public key and a device private key.
It should be noted that, when the device attribution information generation system provided in the above embodiment executes the device attribution information generation method, the division into the above functional modules is only used for illustration; in practical application, the above functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the system for generating the device initial attribution information and the method for generating the device initial attribution information provided in the foregoing embodiments belong to the same concept; the detailed implementation procedures are embodied in the method embodiments and are not described here again.
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
According to the application, the device attribution information is generated, managed and distributed through the manufacturing station. This mechanism avoids the manual registration and warehousing step, so that the device attribution relation is traceable and Internet of things devices can be transported and distributed more safely. By adopting the method provided by the application, the legitimacy and safety of Internet of things devices can be ensured.
The present application also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method of any of the previous embodiments. The computer readable storage medium may include, among other things, any type of disk including floppy disks, optical disks, DVDs, CD-ROMs, micro-drives, and magneto-optical disks, ROM, RAM, EPROM, EEPROM, DRAM, VRAM, flash memory devices, magnetic or optical cards, nanodevices (including molecular memory ICs), or any type of media or device suitable for storing instructions and/or data.
The embodiment of the application also provides the Internet of things equipment, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the steps of the method of any embodiment when executing the program.
The embodiment of the application provides an Internet of things device, which comprises: a processor and a memory.
In the embodiment of the application, the processor is the control center of the computer device, and can be a processor of a physical machine or a processor of a virtual machine. The processor may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor may be implemented in at least one hardware form of DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array) or PLA (Programmable Logic Array). The processor may also include a main processor, which is a processor for processing data in an awake state, also called a CPU (Central Processing Unit), and a coprocessor; a coprocessor is a low-power processor for processing data in a standby state.
The memory may include one or more computer-readable storage media, which may be non-transitory. The memory may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments of the application, a non-transitory computer readable storage medium in memory is used to store at least one instruction for execution by a processor to implement the method in embodiments of the application.
In some embodiments, the internet of things device further includes: a peripheral interface and at least one peripheral. The processor, memory, and peripheral interfaces may be connected by buses or signal lines. The individual peripheral devices may be connected to the peripheral device interface via buses, signal lines or circuit boards. Specifically, the peripheral device includes: at least one of a display screen, a camera and an audio circuit.
The peripheral interface may be used to connect at least one Input/Output (I/O) related peripheral to the processor and the memory. In some embodiments of the application, the processor, memory, and peripheral interfaces are integrated on the same chip or circuit board; in some other embodiments of the application, either or both of the processor, memory, and peripheral interfaces may be implemented on separate chips or circuit boards. The embodiment of the present application is not particularly limited thereto.
The display screen is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display is a touch display, the display also has the ability to collect touch signals at or above the surface of the display. The touch signal may be input to the processor for processing as a control signal. At this time, the display screen may also be used to provide virtual buttons and/or virtual keyboards, also referred to as soft buttons and/or soft keyboards. In some embodiments of the present application, there may be one display screen, disposed on a front panel of the internet of things device; in other embodiments of the present application, there may be at least two display screens, respectively disposed on different surfaces of the internet of things device; in still other embodiments of the present application, the display may be a flexible display disposed on a curved surface of the internet of things device. The display screen may even be arranged in a non-rectangular irregular pattern, i.e. a shaped screen. The display screen may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode) or other materials.
The audio circuit may include a microphone and a speaker. The microphone is used for collecting sound waves of users and the environment, converting the sound waves into electric signals and inputting the electric signals to the processor for processing. For the purpose of stereo acquisition or noise reduction, a plurality of microphones can be arranged at different positions of the Internet of things equipment respectively. The microphone may also be an array microphone or an omni-directional pickup microphone.
The power supply is used for supplying power to each component in the Internet of things equipment. The power source may be alternating current, direct current, disposable or rechargeable. When the power source comprises a rechargeable battery, the rechargeable battery may be a wired rechargeable battery or a wireless rechargeable battery. The wired rechargeable battery is a battery charged through a wired line, and the wireless rechargeable battery is a battery charged through a wireless coil. The rechargeable battery may also be used to support fast charge technology.
The structural block diagrams shown in the embodiments of the present application do not limit the internet of things device; the internet of things device may include more or fewer components than shown, may combine some components, or may employ a different component arrangement.
In the present disclosure, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or order; the term "plurality" means two or more, unless expressly defined otherwise. The terms "mounted," "connected," "secured," and the like are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; "coupled" may be directly coupled or indirectly coupled through intermediaries. The specific meaning of the above terms in the present application can be understood by those of ordinary skill in the art according to the specific circumstances.
In the description of the present application, it should be understood that the directions or positional relationships indicated by the terms "upper", "lower", etc. are based on the directions or positional relationships shown in the drawings, are merely for convenience of description and simplification of the description, and do not indicate or imply that the apparatus or unit referred to must have a specific direction, be constructed and operated in a specific direction, and therefore, should not be construed as limiting the present application.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Accordingly, equivalent variations from the claims of the present application are intended to be covered by the present application.

Claims (11)

1. An equipment attribution information generation method, characterized in that it is applied to a system formed by an Internet of things device and a manufacturing station and comprises the following steps:
step S1: the Internet of things device acquires a token from the manufacturing station, assembles the token, manufacturing station information, CSR data, device description information, a device serial number and device public key information acquired from internal storage to generate a credential request core message, encrypts the credential request core message with the device private key to obtain a credential generation request, and sends the credential generation request to the manufacturing station, wherein the device public key information comprises a public key type and a public key code;
step S2: the manufacturing station decrypts the credential generation request with the pre-stored device public key to obtain the CSR data, the device description information, the device public key information and the token, and verifies the token; if the verification succeeds, it judges whether a device certificate corresponding to the Internet of things device exists in the manufacturing station, and if none exists, generates the device certificate corresponding to the Internet of things device from the decrypted CSR data, stores the device certificate together with the device description information, and executes step S3; if the verification fails, the method ends;
step S3: the manufacturing station acquires a pre-stored manufacturing station public key, device identifier and server information, performs a hash operation on the device certificate to obtain a first hash value, assembles a device initial attribution information header message from an on-board protocol version, the first hash value, the manufacturing station public key, the decrypted device description information, the device identifier and the server information, encodes the device initial attribution information header message to obtain a first coding result, and returns the first coding result to the Internet of things device, wherein the server information is information of an authentication center server and is used in the Internet of things device registration stage;
step S4: the Internet of things device decodes the received first coding result to obtain the device initial attribution information header message, calculates a hash message authentication code of the device initial attribution information header message, assembles a credential setting response message from the hash message authentication code and the token, and sends the credential setting response message to the manufacturing station;
step S5: the manufacturing station parses the credential setting response message to obtain the hash message authentication code and the token, and verifies the token; if the verification succeeds, it generates item information, and assembles and stores the device initial attribution information from the on-board protocol version, the device initial attribution information header message, the hash message authentication code, the device certificate and the item information; if the verification fails, the method ends.
2. The method according to claim 1, wherein the system further comprises a service end and an owner end, and before step S1 the method further comprises:
step Y1: the service end receives an application request sent by the owner end, creates an application, generates application information, and sends the application information to the owner end, wherein the application information comprises an application identifier and an application key;
step Y2: the owner end stores the application information;
and after step S5 the method further comprises:
step SA1: the owner end generates and stores an owner public and private key pair with a first preset algorithm, generates order information from an order, the stored application identifier and the owner public key, encrypts the order information with the application key, and sends the encrypted order information to the service end;
step SA2: the service end decrypts the encrypted order information with the internally stored application key to obtain the application identifier and the owner public key, stores the application identifier and the owner public key in correspondence, generates order placing information based on the order information, and sends the order placing information to the manufacturing station;
step SA3: the manufacturing station parses the order placing information to obtain the owner public key and stores it;
step SA4: the manufacturing station performs a hash operation on the device initial attribution information header message and the hash message authentication code to obtain a second hash value, performs a hash operation on the device identifier and the device description information to obtain a third hash value, signs the second hash value, the third hash value and the owner public key with the manufacturing station private key to obtain a first signature result, generates expanded device first attribution information from the stored device initial attribution information, the stored owner public key, the second hash value, the third hash value and the first signature result, and sends the expanded device first attribution information to the owner end;
step SA5: the owner end performs validity verification on the expanded device first attribution information; if it is verified as legal, the expanded device first attribution information is stored, and if it is verified as illegal, the method ends.
3. The method according to claim 2, wherein step SA5 comprises:
step SA5-1: the owner end parses the expanded device first attribution information to obtain the device initial attribution information header message, the hash message authentication code, the device certificate, the owner public key, the second hash value, the third hash value and the first signature result;
step SA5-2: the owner end obtains the manufacturing station public key from the parsed device initial attribution information header message, calculates a hash message authentication code of the parsed device initial attribution information header message with the parsed manufacturing station public key, and compares the parsed hash message authentication code with the calculated one; if they are consistent, step SA5-3 is executed, and if they are inconsistent, the expanded device first attribution information is verified as illegal and the method ends;
step SA5-3: the owner end obtains the first hash value from the parsed device initial attribution information header message, performs a hash operation on the parsed device certificate to obtain a fourth hash value, and compares the obtained first hash value with the computed fourth hash value; if they are consistent, step SA5-4 is executed, and if they are inconsistent, the expanded device first attribution information is verified as illegal and the method ends;
step SA5-4: the owner end verifies the parsed first signature result with the parsed manufacturing station public key; if the verification passes, step SA5-5 is executed, and if it does not pass, the expanded device first attribution information is verified as illegal and the method ends;
step SA5-5: the owner end obtains the device description information and the device identifier from the parsed device initial attribution information header message, performs a hash operation on the parsed device description information and device identifier to obtain a fifth hash value, and compares the parsed third hash value with the computed fifth hash value; if they are consistent, step SA5-6 is executed, and if they are inconsistent, the expanded device first attribution information is verified as illegal and the method ends;
step SA5-6: the owner end compares the parsed owner public key with the public key stored in the owner end; if they are consistent, step SA5-7 is executed, and if they are inconsistent, the expanded device first attribution information is verified as illegal and the method ends;
step SA5-7: the owner end performs a hash operation on the parsed device initial attribution information header message and the hash message authentication code to obtain a sixth hash value, and compares the parsed second hash value with the computed sixth hash value; if they are consistent, the expanded device first attribution information is verified as legal and stored, and if they are inconsistent, it is verified as illegal and the method ends.
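The chain of checks in claim 3 (and in the fifth comparison unit of the system embodiment above) is easier to follow in code. The following Go program is an added example, not code from the patent or from Feitian Technologies: it builds the device initial attribution information header message of step S3, the header hash message authentication code of step S4 and the expanded device first attribution information of step SA4, then runs the owner-end checks SA5-2 to SA5-7 in claim order. The claims name no algorithms, so SHA-256, HMAC-SHA256 and Ed25519 (for the "first preset algorithm" and the station signature), the struct layouts, the length-prefixed header encoding and the sample certificate, description and identifier values are all assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Header is the device initial attribution information header message of step S3 (struct and encoding are example assumptions).
type Header struct {
	ProtocolVersion, DeviceDescr, DeviceID, ServerInfo string
	FirstHash                                          []byte            // hash of the device certificate
	StationPubKey                                      ed25519.PublicKey // manufacturing station public key
}

// Bytes is a canonical, length-prefixed encoding so that every party hashes the same octets.
func (h Header) Bytes() []byte {
	var b bytes.Buffer
	for _, f := range [][]byte{[]byte(h.ProtocolVersion), h.FirstHash, h.StationPubKey,
		[]byte(h.DeviceDescr), []byte(h.DeviceID), []byte(h.ServerInfo)} {
		binary.Write(&b, binary.BigEndian, uint16(len(f))) // prefix removes field-boundary ambiguity
		b.Write(f)
	}
	return b.Bytes()
}

// FirstAttribution is the expanded device first attribution information of step SA4.
type FirstAttribution struct {
	Hdr                                               Header
	HMAC, DeviceCert, SecondHash, ThirdHash, Signature []byte
	OwnerPub                                          ed25519.PublicKey
}

func sha(parts ...[]byte) []byte {
	s := sha256.Sum256(bytes.Join(parts, nil))
	return s[:]
}

// HeaderHMAC is the hash message authentication code of step S4. SA5-2 recomputes it keyed
// with the station public key, so a public value is the key: integrity only, authenticity comes from SA5-4.
func HeaderHMAC(h Header) []byte {
	mac := hmac.New(sha256.New, h.StationPubKey)
	mac.Write(h.Bytes())
	return mac.Sum(nil)
}

// signedBody is what the station signs in SA4: second hash, third hash, owner public key.
func signedBody(h2, h3 []byte, ownerPub ed25519.PublicKey) []byte {
	return bytes.Join([][]byte{h2, h3, ownerPub}, nil)
}

// BuildFirstAttribution is the manufacturing station side of step SA4.
func BuildFirstAttribution(priv ed25519.PrivateKey, hdr Header, code, cert []byte, owner ed25519.PublicKey) FirstAttribution {
	h2 := sha(hdr.Bytes(), code)                             // second hash value
	h3 := sha([]byte(hdr.DeviceID), []byte(hdr.DeviceDescr)) // third hash value
	sig := ed25519.Sign(priv, signedBody(h2, h3, owner))     // first signature result
	return FirstAttribution{Hdr: hdr, HMAC: code, DeviceCert: cert, SecondHash: h2, ThirdHash: h3, Signature: sig, OwnerPub: owner}
}

// VerifyFirstAttribution runs the owner-end checks SA5-2 to SA5-7 of claim 3 in claim order; nil means legal.
func VerifyFirstAttribution(a FirstAttribution, myPub ed25519.PublicKey) error {
	checks := []struct{ step string; ok bool }{
		{"SA5-2 header HMAC", hmac.Equal(HeaderHMAC(a.Hdr), a.HMAC)},
		{"SA5-3 first hash vs device certificate", bytes.Equal(a.Hdr.FirstHash, sha(a.DeviceCert))},
		{"SA5-4 station signature", len(a.Hdr.StationPubKey) == ed25519.PublicKeySize && ed25519.Verify(a.Hdr.StationPubKey, signedBody(a.SecondHash, a.ThirdHash, a.OwnerPub), a.Signature)},
		{"SA5-5 third hash", bytes.Equal(a.ThirdHash, sha([]byte(a.Hdr.DeviceID), []byte(a.Hdr.DeviceDescr)))},
		{"SA5-6 owner public key", bytes.Equal(a.OwnerPub, myPub)},
		{"SA5-7 second hash", bytes.Equal(a.SecondHash, sha(a.Hdr.Bytes(), a.HMAC))},
	}
	for _, c := range checks {
		if !c.ok {
			return fmt.Errorf("%s check failed: expanded device first attribution information is illegal", c.step)
		}
	}
	return nil
}

// RunScenario verifies a record built from constructed sample data; with swapOwner another key replaces the owner's (SA5-4 catches it).
func RunScenario(swapOwner bool) error {
	stationPub, stationPriv, _ := ed25519.GenerateKey(rand.Reader)
	ownerPub, _, _ := ed25519.GenerateKey(rand.Reader)
	cert := []byte("constructed sample device certificate") // stands in for the real certificate bytes
	hdr := Header{ProtocolVersion: "1.0", DeviceDescr: "sample gateway", DeviceID: "DEV-0001", ServerInfo: "ca.example", FirstHash: sha(cert), StationPubKey: stationPub}
	rec := BuildFirstAttribution(stationPriv, hdr, HeaderHMAC(hdr), cert, ownerPub)
	if swapOwner {
		rec.OwnerPub, _, _ = ed25519.GenerateKey(rand.Reader)
		return VerifyFirstAttribution(rec, rec.OwnerPub)
	}
	return VerifyFirstAttribution(rec, ownerPub)
}

func main() {
	fmt.Println("honest record:", RunScenario(false))
	fmt.Println("swapped owner key:", RunScenario(true))
}
```

Two design points are worth noting. SA5-2 keys the HMAC with the manufacturing station public key, a value anyone holding the record knows, so that check only detects accidental corruption of the header; the binding to the manufacturing station comes from the signature verified in SA5-4, which is why the example guards the Ed25519 key length before calling Verify (a malformed key would otherwise panic) and why the swapped-owner run fails there rather than at SA5-6. The second hash (SA5-7) ties the header and its HMAC to the owner public key under that same signature, so a record cannot be re-pointed at a different owner without the station's private key.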
4. The method according to claim 2, wherein the system further comprises a client, and after step SA5 the method further comprises:
step SA6: the owner end searches the internal storage for the client public key corresponding to the order, encrypts the client public key with the application key to obtain an attribution information expansion request ciphertext, and sends the attribution information expansion request ciphertext to the service end;
step SA7: the service end decrypts the attribution information expansion request ciphertext with the internally stored application key, and sends the decrypted client public key to the manufacturing station;
step SA8: the manufacturing station performs a hash operation on the device initial attribution information header message and the hash message authentication code to obtain a second hash value, performs a hash operation on the device identifier and the device description information to obtain a third hash value, signs the second hash value, the third hash value and the client public key with the manufacturing station private key to obtain a second signature result, generates expanded device second attribution information from the stored device first attribution information, the client public key, the second hash value, the third hash value and the second signature result, and sends the expanded device second attribution information to the client.
5. The method according to claim 2, further comprising, after step SA5, when the owner end key is lost:
step SB1: the owner end regenerates a new owner public and private key pair with the first preset algorithm, stores the new owner public and private key pair, assembles a credential damage request from the expanded device first attribution information, the application identifier and the new owner public key, encrypts the credential damage request with the application key, and sends the encrypted credential damage request to the service end;
step SB2: the service end decrypts the encrypted credential damage request with the internally stored application key to obtain the application identifier and the new owner public key, updates the public key stored in the service end that corresponds to the application identifier according to the new owner public key, and sends a credential regeneration request to the manufacturing station according to the expanded device first attribution information and the new owner public key;
step SB3: the manufacturing station parses the credential regeneration request to obtain the expanded device first attribution information and the new owner public key, obtains the first signature result from the expanded device first attribution information, and verifies the obtained first signature result with the manufacturing station public key; if the verification passes, it cuts off the expanded device first attribution information, updates the owner public key stored in the manufacturing station according to the new owner public key, and re-executes steps SA4 to SA5 to generate new device attribution information and send it to the owner end for validity verification; if the verification does not pass, the method ends.
6. The method according to claim 1, further comprising, prior to step S1:
step A1: the Internet of things equipment generates domain name information and acquires the position information of the equipment;
step A2: and the internet of things equipment generates CSR data according to the domain name information, the position information and a second preset algorithm and stores the CSR data.
7. The method according to claim 1, further comprising, prior to step S1:
step S1-1: the internet of things device generates a token acquisition request according to the internally stored device identifier and the device public key, performs coding processing on the token acquisition request to obtain a second coding result, and sends the second coding result to the manufacturing station;
step S1-2: the manufacturing station decodes the second coding result to obtain the token acquisition request, generates a token according to the token acquisition request, assembles a token response message, and returns the token response message to the Internet of things equipment;
step S1-3: and the Internet of things equipment analyzes the token response message to obtain the token and stores the token.
8. The method according to claim 7, further comprising, prior to step S1-1:
the Internet of things device inquires whether a device key pair is stored in the Internet of things device; if not, the device key pair is generated with a first preset algorithm and stored, wherein the device key pair comprises a device public key and a device private key.
9. An equipment attribution information generation system, characterized in that it comprises an Internet of things device and a manufacturing station, wherein the Internet of things device comprises a request generation module and a response module, and the manufacturing station comprises a certificate generation module, an information header organization module and an attribution information generation module, wherein:
the request generation module is configured to acquire a token from the manufacturing station, assemble the token, manufacturing station information, CSR data, device description information, a device serial number and device public key information acquired from internal storage to generate a credential request core message, encrypt the credential request core message with the device private key to obtain a credential generation request, and send the credential generation request to the manufacturing station, wherein the device public key information comprises a public key type and a public key code;
the certificate generation module is configured to decrypt the credential generation request with the pre-stored device public key to obtain the CSR data, the device description information, the device public key information and the token, and verify the token; if the verification succeeds, it judges whether a device certificate corresponding to the Internet of things device exists in the manufacturing station, and if none exists, generates the device certificate corresponding to the Internet of things device from the decrypted CSR data, stores the device certificate together with the device description information, and triggers the information header organization module; if the verification fails, it ends;
the information header organization module is configured to acquire a pre-stored manufacturing station public key, device identifier and server information, perform a hash operation on the device certificate to obtain a first hash value, assemble a device initial attribution information header message from an on-board protocol version, the first hash value, the manufacturing station public key, the decrypted device description information, the device identifier and the server information, encode the device initial attribution information header message to obtain a first coding result, and return the first coding result to the Internet of things device, wherein the server information is information of an authentication center server and is used in the Internet of things device registration stage;
the response module is configured to decode the received first coding result to obtain the device initial attribution information header message, calculate a hash message authentication code of the device initial attribution information header message, assemble a credential setting response message from the hash message authentication code and the token, and send the credential setting response message to the manufacturing station;
the attribution information generation module is configured to parse the credential setting response message to obtain the hash message authentication code and the token, and verify the token; if the verification succeeds, it generates item information, and assembles and stores the device initial attribution information from the on-board protocol version, the device initial attribution information header message, the hash message authentication code, the device certificate and the item information; if the verification fails, it ends.
10. A computer readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of the method according to any of claims 1-8.
11. An internet of things device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of any of claims 1-8 when the program is executed.
CN202310840846.5A 2023-07-11 2023-07-11 Equipment attribution information generation method and system Active CN116566625B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310840846.5A CN116566625B (en) 2023-07-11 2023-07-11 Equipment attribution information generation method and system

Publications (2)

Publication Number Publication Date
CN116566625A CN116566625A (en) 2023-08-08
CN116566625B true CN116566625B (en) 2023-09-19

Family

ID=87486573

Country Status (1)

Country Link
CN (1) CN116566625B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108632231A (en) * 2017-03-24 2018-10-09 China Mobile (Hangzhou) Information Technology Co., Ltd. Internet of Things device, Internet of Things authentication platform, authentication method and system
CN111182521A (en) * 2018-11-12 2020-05-19 China Mobile (Hangzhou) Information Technology Co., Ltd. Internet of Things terminal machine-card binding, network access authentication and service authentication method and device
CN111740846A (en) * 2020-08-04 2020-10-02 Feitian Technologies Co., Ltd. Method and system for realizing smart card information reading by a mobile terminal
CN112564897A (en) * 2020-11-30 2021-03-26 Shanghai Wanxiang Blockchain Co., Ltd. Internet of Things device key distribution and identity authentication management method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102381038B1 (en) * 2020-05-28 2022-03-30 Korea University Research and Business Foundation Techniques for secure authentication of the controlled devices

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A user authentication and key agreement protocol for wireless sensor networks; Yan Lili; Zhang Shibin; Chang Yan; Journal of Chinese Computer Systems (No. 10); full text *

Also Published As

Publication number Publication date
CN116566625A (en) 2023-08-08

Similar Documents

Publication Publication Date Title
US11683187B2 (en) User authentication with self-signed certificate and identity verification and migration
ES2836114T3 (en) Information sending method, information reception method, device and system
CN109600223B (en) Verification method, activation method, device, equipment and storage medium
US10708062B2 (en) In-vehicle information communication system and authentication method
CN102510333B (en) Authorization method and system
US20100042848A1 (en) Personalized I/O Device as Trusted Data Source
CN101527633B (en) Method for intelligent key devices to obtain digital certificates
JP5136012B2 (en) Data sending method
CN107925570B (en) Computing device for securely activating or revoking a key
JP2018527842A5 (en)
CN102177678B (en) Trusted and confidential remote TPM initialization
JP5380583B1 (en) Device authentication method and system
JP6372809B2 (en) Authentication system, authentication method, and authentication apparatus
WO2017150270A1 (en) Communication system, hardware security module, terminal device, communication method, and program
CN104412273A (en) Method and system for activation
WO2012072001A1 (en) Safe method for card issuing, card issuing device and system
JP6264626B2 (en) Certificate issuing system, communication method and management apparatus
CN102065092B (en) Method and system for authorizing digital signature of application program of set top box
JP4823704B2 (en) Authentication system, authentication information delegation method and security device in the same system
CN113536329A (en) Electronic device for cryptographic communication and cryptographic communication system
CN111510448A (en) Communication encryption method, device and system in OTA (over the air) upgrade of automobile
KR101836211B1 (en) Electronic device authentication manager device
CN116566625B (en) Equipment attribution information generation method and system
CN116015900A (en) Data self-storage self-verification method, device, equipment and storage medium
CN114448649A (en) Data circulation method, system, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant