KR101873991B1 - Method of delegating access right between IoT devices - Google Patents
Method of delegating access right between IoT devices Download PDFInfo
- Publication number
- KR101873991B1 KR101873991B1 KR1020170050316A KR20170050316A KR101873991B1 KR 101873991 B1 KR101873991 B1 KR 101873991B1 KR 1020170050316 A KR1020170050316 A KR 1020170050316A KR 20170050316 A KR20170050316 A KR 20170050316A KR 101873991 B1 KR101873991 B1 KR 101873991B1
- Authority
- KR
- South Korea
- Prior art keywords
- terminal
- token
- access
- target device
- owner
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/104—Peer-to-peer [P2P] networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
A method of delegating access rights between IoT devices is disclosed. The owner terminal establishes the owner's trusted ownership relationship with the target device. The owner terminal of the owner whose trusted ownership relationship with the target device has been established provides the first user terminal of the first user with access authority to access the resource of the target device. The first use subject terminal requests access to the resource of the target device based on the access right. The target device verifies the access request based on the information on the trusted ownership relationship, and determines whether or not the first use principal terminal permits access to the target device according to the verification result. The owner terminal may provide a first token chain including a first delegation token and a self signed token signed by the owner to the first use subject terminal to enable the first use subject terminal to issue an access token to another use subject terminal have. The target device verifies the access right by submitting the token payload from the terminal making a request for access to its resource, thereby granting or denying the access request.
Description
The present invention relates to an Internet of Things (IoT), and more particularly to a technology for delegating access to a target device among IoT devices.
With the advent of IoT, many of the devices we use in everyday life are controllable over the network and form part of a larger distributed system. These devices range from tiny embedded devices, wearables, large home appliances and automobiles. In such an IoT environment, devices communicate with each other and satisfy the needs of users. For example, a home-security system intercepts the perimeter of the house interacting with a security camera to protect it from intruders, and the suspicious behavior is recorded on the user's storage server.
Authorization in a distributed system is complicated to manage because resources are distributed across multiple device networks under different management domains. Moreover, it makes certification more difficult because it does not know beforehand between all devices and the subjects that they want to access.
Centralized authorization, on the other hand, handles all access control logic in the cloud or back-end server. The advantage of the central authorization model is that it allows unified management at unified windows for device resources scattered across multiple locations. However, the following main drawbacks exist. There is a possibility of privacy breach due to the risk of exposure of the personal information stored in the center. The service provider has a great deal of burden to securely manage personally identifiable information (PII). There is also a drawback that it relies on Internet connectivity. In other words, the device can not be used in a non-internet environment (eg, on an airplane) because the device must be connected to the Internet for communication. In addition, it is inconvenient to use because it is necessary to build a centralized ID management system.
The present invention is intended to provide a method for delegating an access right to an IoT device which allows a user of the third terminal to access the owner's device by passing the owner information to the third terminal.
The present invention is also intended to provide a delegation method capable of delegating access authority to an IoT device even in an offline environment that can not be connected to the Internet.
The present invention relates to a method and apparatus for allowing an access to an IoT device in an IoT environment to be performed in a peer-to-peer manner rather than a centralized control method in consideration of the dispersibility of IoT devices. To provide a method of delegating device access authority.
According to embodiments of the present invention, a method of delegating access authority between IoT devices is provided. The method comprising: a delegation step of providing an access right of an owner terminal of an owner having a trusted owning relationship to a target device to access a resource of the target device, to the first use subject terminal of the first user; An access step in which the first use-principal terminal makes an access request to the resource of the target device based on the access right; And a verification step of verifying the access request on the basis of the information on the trusted ownership relationship in the target device and determining whether to permit access to the target device of the first use subject terminal according to the verification result do.
In one embodiment of the present invention, the method may further include a step of establishing ownership in which the owner terminal establishes the owner's trusted ownership relationship with the target device, prior to the delegation step.
In one embodiment of the present invention, the ownership establishment step may include: the owner terminal authenticating to the target device, the owner key including the public key of the owner terminal, name, and proof of ownership of the target device Requesting establishment of an ownership relationship while providing information; Verifying the reliability of ownership of the target device of the owner terminal using the ownership authentication information provided by the target device; Storing a public key and a name of an owner of the target device that has passed the verification of trustworthiness of ownership; Providing the owner terminal with resource meta information used by the target device to grant access to its resource; The owner terminal generates a first access token for authenticating the self-signed token signed by the owner and the access right to the resource of the target device, and stores the first access token in a self-signed token store . ≪ / RTI >
In one embodiment of the present invention, the resource meta information may include at least a name of an accessible resource of the target device, a unique identifier of the resource, and an action list that is an action list that can be taken for the resource.
In one embodiment of the present invention, the self-signed token may include signature information by at least an owner's name, a public key, an expiration date, and an owner's private key.
According to an embodiment of the present invention, the delegation step may include: identifying the first user principal terminal so that the owner terminal delegates access rights to the resource of the target device to the first user principal terminal; The owner terminal requesting the first user's public key to the first user principal terminal; Providing the first user's terminal with the public key of the first user to the owner terminal; The owner terminal may issue a second access token to the first user principal terminal and provide the access right to the first user principal terminal, and the second access token may include at least the first user A public key, a token expiration date, access right information for the resource of the target device, and information signed by the owner's private key.
In one embodiment of the present invention, the step of identifying the first user terminal may include: acquiring an arbitrary temporary value (Nonce) generated by the owner terminal by the first user principal terminal; Returning a response message (ACK) including the nonce acquired by the first user principal terminal to the owner terminal; Verifying whether the nonce returned by the owner terminal is the same as the nonce generated by the owner terminal; And if the user terminal has passed the verification, specifying the first user equipment terminal as the delegated terminal.
In one embodiment of the present invention, the manner in which the first user equipment terminal obtains the Nonce may be a non-communication information transmission method using no communication interface.
In an embodiment of the present invention, the information exchange between the target device, the owner terminal, and the first user principal terminal may be performed by a peer-to-peer communication method other than when the first user principal terminal obtains the Nonce. ≪ / RTI >
According to an embodiment of the present invention, the delegation step may include a step of, in response to a public key request of a first user, authenticating the public key of the first user using the private key of the first user matching the public key, And providing a proof of position (POP) value to the owner terminal.
In one embodiment of the present invention, the method further comprises: generating the token payload for accessing the resource of the target device by the first user equipment terminal having received the second access token and submitting the token payload to the target device Wherein the token payload comprises a Nonce signed with the private key of the first user and a token chain combining the self-signed token signed by the owner received from the owner terminal and the second access token, Includes signature information by at least the owner's name, public key, expiration date, owner's private key; Verifying the validity of the token payload submitted by the first use subject terminal based on the information on the trusted ownership relationship of the owner; The target device extracts the 'access right information on the resource of the target device' included in the token payload whose validity is verified, stores it in the memory, generates a session ID corresponding to the extracted access right information, Providing a using subject terminal; Providing the target user terminal with an access request message for a desired resource of the target device together with the session ID; The target device compares the access request message received from the first user equipment terminal with the access privilege information corresponding to the session ID stored in the memory to determine whether the access request of the first user equipment terminal Verifying whether the user has authority; And a step of allowing the target device to grant or deny the access request of the first user equipment terminal based on the verification result.
According to an embodiment of the present invention, the delegation step may include generating the first delegation token by the owner terminal, wherein the first delegation token is transmitted to the second usage principal terminal of the second user, To issue a third access token with access rights to the resource of the target device; And providing the token chain including the first delegation token and the self-signed token signed by the owner to the first user principal terminal, wherein the self-signature token includes at least a name of the owner , A public key, an expiration date, and signature information by the owner's private key.
In one embodiment of the present invention, the first delegation token includes at least the name of the delegator, the public key of the delegator, the token expiration date, the ID of the access token bound to the first delegation token, and the value signed by the delegator's private key .
In one embodiment of the present invention, the method may further comprise: the first use-principal terminal, which has received the first delegation token, transmits the second usage token to the second usage- And issuing the third access token having the authority to access the target device to the second usage subject terminal.
In one embodiment of the present invention, the method further comprises: generating the token payload for accessing the resource of the target device by the second use-user terminal having received the third access token and submitting the token payload to the target device Wherein the token payload may include a Nonce signed with the private key of the second user and a chain of delegation tokens received from the first user principal terminal, And the third access token received from the first use subject terminal and the third access token received from the first use subject terminal, wherein the target device can include the self- Validating the token payload; The target device extracts the 'access right information for the resource of the target device' contained in the token payload whose validity is verified, stores it in the memory, generates a session ID corresponding to the extracted access right information, Providing a using subject terminal; Providing the second user principal terminal with an access request message for a desired resource of the target device to the target device together with the session ID; The target device compares the access request message received from the second user equipment terminal with the 'access right information corresponding to the session ID' stored in the memory and transmits an access request of the second user equipment terminal to the desired resource Verifying whether the user has authority; And the step of allowing the target device to grant or deny the access request of the second usage subject terminal based on the verification result.
In an embodiment of the present invention, the range of authority that can be delegated to the first delegation token may be the same as or narrower than the authority information of the second access token, which is an access token bound to the first delegation token .
In one embodiment of the present invention, the method further comprises, when the first delegate token received from the owner terminal further includes a re-delegation authority, And issuing a second delegation token to the second delegatee terminal based on the delegation authority. The second delegation token may further include a second delegation token, the second delegation token being transmitted to the third user's terminal of the third user And a fourth access token having an access right to the resource of the target device.
The present invention has various advantages as follows.
Users can delegate their own access rights to target device resources to other devices / applications / users, etc. (up to multiple levels), which is highly scalable and flexible. In other words, a principal delegated access authority can access and delegate to a principal in the authority granted to him / her. That is, according to the present invention, an owner terminal can delegate authority to access a resource of a target device to a third other terminal. This authorization delegation can be done chained to another user's terminal.
Unlike the centralized approach, the present invention allows anyone to become an authorization server for another Principal (device / user / application).
Since the delegator terminal does not require identification and authentication of the user / device in delegating the access authority to the resource of the target device to the delegator terminal, there is no need for separate ID management.
Since the exchange of information for delegating the access authority can be done in a peer-to-peer manner, the privacy of the concerned party can be guaranteed since there is no need to manage ID-related data in the center.
It is possible to manage the access authorization to the resource of the target device even in an environment in which the Internet is not connected.
1 shows a configuration of a system 10 for off-line delegation of IoT device access rights according to one embodiment of the present invention.
FIG. 2 illustrates an overall service flow of an offline delegation method of an IOT device access right according to an embodiment of the present invention.
Figure 3 illustrates the format of a delegation token.
Figure 4 illustrates the format of an access token.
Figure 5 shows a chain of delegation tokens held in a token chain store and an issued delegation token and an access token.
6 is a diagram for explaining a procedure for verifying validity of a chain hierarchy using a token chain.
FIG. 7 shows a procedure for establishing ownership.
FIG. 8 shows an example of a scenario for delegating access authority to a target device.
FIG. 9 specifically shows a procedure for delegating access authority to a target device.
10 is a flow diagram illustrating the delegation trigger process.
11 shows a request for accessing a resource of a target device of a terminal and a procedure for verifying the request.
Figure 12 shows the token payload creation process in more detail.
13 shows a procedure for verifying the validity of the token payload presented by the using subject terminal in the target device.
For the embodiments of the invention disclosed herein, specific structural and functional descriptions are set forth for the purpose of describing an embodiment of the invention only, and it is to be understood that the embodiments of the invention may be practiced in various forms, The present invention should not be construed as limited to the embodiments described in Figs.
The present invention is capable of various modifications and various forms, and specific embodiments are illustrated in the drawings and described in detail in the text. It is to be understood, however, that the invention is not intended to be limited to the particular forms disclosed, but on the contrary, is intended to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.
The terms first, second, etc. may be used to describe various components, but the components should not be limited by the terms. The terms may be used for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component.
It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between. Other expressions that describe the relationship between components, such as "between" and "between" or "neighboring to" and "directly adjacent to" should be interpreted as well.
The terminology used in this application is used only to describe a specific embodiment and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprises ", or" having ", and the like, are used to specify the presence of stated features, integers, But do not preclude the presence or addition of steps, operations, elements, parts, or combinations thereof.
Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries should be construed as meaning consistent with meaning in the context of the relevant art and are not to be construed as ideal or overly formal in meaning unless expressly defined in the present application .
On the other hand, if an embodiment is otherwise feasible, the functions or operations specified in a particular block may occur differently from the order specified in the flowchart. For example, two consecutive blocks may actually be performed at substantially the same time, and depending on the associated function or operation, the blocks may be performed backwards.
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. The same reference numerals are used for the same constituent elements in the drawings and redundant explanations for the same constituent elements are omitted.
1 shows a configuration of a system 10 for off-line delegation of IoT device access rights according to one embodiment of the present invention.
First, the system 10 may include a
The
The
The using
The
The
The first user principal terminal 300-1 includes a token management unit 310-1, an access request unit 320-1, a key store 330-1 and a token chain store 340-1. . Similarly to the first user principal terminal 300-1, the second user principal terminal 300-2 includes a token management unit 310-2, an access request unit 320-2, a key store 330-2, Chain store 340-2.
The
The
The token management unit 310-1 of the first user agent terminal 300-1 stores and manages the delegation token and the access token issued by the
The
The
The self-
The token chain store 340-1 of the first user agent terminal 300-1 stores the delegation token received from the
The
The access right verifying
The
The
The entities shown in FIG. 1 may have the following relationship with each other. First, the
FIG. 2 illustrates an overall service flow of an offline delegation method of an IOT device access right according to an embodiment of the present invention.
After the owner of the
The owner of the
The owner of the target device may issue a delegation token to the one or more using
For example, referring to FIG. 2, the
If the delegation token issued from the
The token type has an access token and a delegation token. A delegation token is a token to prove that another user has been granted authority to delegate access token issuance. The access token is a token including the right information for accessing the resources of the
According to an exemplary embodiment, the delegation token and the access token may have the same format as shown in Figures 3 and 4, respectively.
The fields of the delegation token and access token are: TY '(Type) is a token type field having a code' D 'value indicating that it is a delegation token for a delegation token and a unique identification value indicating an access token for an access token. The 'TI' (Token Identifier) is a token ID field, which has a unique value for identifying a token, for example, a UUID random value. 'NM' (Name) indicates the name of the subject to whom the token was issued. The name recorded in this field is a human readable name. 'PB' (Public Key) is the public key field of the delegator's public key and has the public key value bound to the subject that issued the token. 'EX' (Expired) is a token expiration date field, which indicates the effective expiration date of the issued token. 'AI' (Access Token) is an access token ID field that is bound to a delegation token and has a mapping access token ID value. 'SG' (Signature) is the mandatory private key signature field, which can sign the contents of the entire token field with the private key of the token issuer. 'DE' (Device) is a target device identifier field, which may have a URI value of the
The token chain refers to a token that the using
Figure 5 shows a chain of delegation tokens held in a token chain store and an issued delegation token and an access token. The terminal of the mandator may issue and provide the
6 is a diagram for explaining a procedure for verifying the validity of a chain hierarchy using a delegation token chain. 6 illustrates an example in which the
The n-th user terminal 300-n having the
In response to the access request, the
FIG. 7 shows a procedure for establishing ownership.
The owner of the device provides the
The
The
The
The
{"Smart Car", "/ Car", {"A1", "A2", "A3"}}
The
In addition, the
Through this process, a trusting relationship can be established between the
FIG. 8 shows an example of a scenario for delegating access authority to a target device. The illustrated scenario relates to the case where the device owner delegates an access right having delegation authority to a first user (Subject_1) and a first user (Subject_1) delegates an access right without a delegation right to a second user (Subject_2). When delegating a permission with delegation authority, it issues a delegation token and an access token. On the other hand, when only delegation authority is delegated, only an access token is issued. The delegator delivers to the delegatee a list of delegation tokens received from the owner and from the delegatee and the delegation tokens and access tokens that he or she has issued for the delegatee. The transferred delegation token and the issued token are stored in the token store of the payer.
In this scenario, the
FIG. 9 specifically shows a procedure for delegating access authority to the
First, the delegating terminal 300a (e.g., the owner terminal 200) delegates the access right to the resource of the
First, the delegating terminal 300a determines whether a delegation trigger (step S40) (refer to the description of the delegation trigger processor in FIG. 10) (Step S42), and then a delegation negotiation request (Negotiate Delegation) is performed to the delegated terminal 300b (step S44). The delegated terminal 300b acquires the nonce generated in the delegating terminal 300a (step S46). The pseudo-terminal 300b transmits the obtained Nonce to the
If the delegated terminal 300b is specified, the delegating terminal 300a requests the delegated terminal 300b to send the delegator's public key (step S52).
In response to the request, the delegated terminal 300b transmits the delegator's public key to the delegating terminal 300a (step S54). The
The delegating terminal 300a includes the public key of the delegating
The delegation token chain and the issued token are transmitted to the pseudo-terminal 300b (step S58). At this time, the delegating terminal 300a may issue a delegation token in addition to the access token (details will be described later).
The delegated terminal 300b stores the received tokens in the
The exchange of information between the
10 is a flow diagram illustrating the delegation trigger process.
To start the delegation procedure, the delegating terminal 300a first loads the token 600 issued to the delegating terminal 300a from the token chain store 340 (step S70). If the
Next, FIG. 11 shows a request for accessing a resource of a target device of the terminal and a procedure for verifying the request.
The using
Figure 12 shows the token payload creation process in more detail. When the application of the
The
If the submitted token payload passes the validation, the
Then, the
The using
The target device compares the access request message received from the using
If the verification result shows that it is authorized, the access is permitted. If it is determined that the access is not authorized, the access is denied. In addition, the access history is stored in the
13 shows a procedure for verifying the validity of the token payload presented by the using subject terminal in the target device.
The application of the permission checking unit of the
If a self-signed token exists, the self-signed token is verified. Specifically, the "name" and "public key" stored in the
If they match, the signature of the delegation token chain is verified by extracting the public key of the delegator (step S110). Specifically, it is checked whether or not the delegation token exists (step S112). If the delegation token exists, the delegation token is verified (step S114). If the verification result is valid (S116), verification is performed on the entire delegation token constituting the delegation token chain in a manner of performing verification on the next delegation token constituting the delegation token chain (S112, S114). If none of the entire delegation token chains pass the validation, an unauthorized process is performed (step S108), and if all of the validation passes, the process proceeds to the verification process for the access token.
The verification logic for such a chain of delegation tokens can be expressed as:
for i = 1 to number of (Delegation Token) {
if i = 1 then Pub_Key = Public Key of Self Signed Token
else Pub_Key = Public Key of Delegation Token [i-1]
Verify "SG" value of Delegation Token [i] with Public_Key
}
After the delegation token is verified, the validity of the access token is verified (step S118). To do this, the delegator, that is, the public key of the terminal that issued the access token, is extracted. Specifically, if there is a delegation token in the token chain (Case 1), the public key is extracted from the "PB" of the delegation token located at the bottom of the delegation token hierarchy. If the delegation token does not exist, the public key is extracted from the "PB" of the self-signed token.
The validity of the access token is verified with the extracted public key (step S120). If it is determined to be invalid, the process is unauthorized (step S108). If it is confirmed to be valid, Proof-of-Possession verification is performed (step S122). This verification is to verify the signature of the signed Nonce (Signed Nonce) of the payload with the public key of the access token.
If it is determined that the verification result is not valid, the process is unauthorized (step S108). If it is determined to be valid, a security cache is generated and updated with the authority information extracted from the access token (step S126). The value of "SI" (session ID) is the session ID of the UUID random value, and the fields "EX" (valid period) and "AR" (permission) are information extracted from the access token.
In the above description, the information exchange between the
The present invention can be widely used for sharing the access right of resources of the target device among the IoT devices by delegation method.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the present invention as defined by the following claims. It will be understood.
100: target device 110: ownership management unit
120: Token checking unit 130: Permission checking unit
140: Secure Cache 150: Key Store
160: trust root 200: owner terminal
210: ownership management unit 220: token management unit
230: access request section 240: key store
250: Self-token store
300, 300-1, 300-2, ..., 300-n:
310-1 and 310-2: Token management units 320-1 and 320-2:
330-1 and 330-2: key stores 340-1 and 340-2: token chain stores
Claims (16)
An access step in which the first use-principal terminal makes an access request to the resource of the target device based on the access right; And
And a verification step of verifying, in the target device, the access request based on the information about the trusted ownership relationship and determining whether to permit access to the target device of the first use subject terminal according to the verification result ,
Wherein the delegating comprises:
Identifying the first user principal terminal so that the owner terminal delegates an access right to the resource of the target device to the first user principal terminal;
The owner terminal requesting the first user's public key to the first user principal terminal;
Providing the first user's public key to the owner terminal in response to a public key request of the first user; And
The owner terminal issuing a second access token to the first user principal terminal and providing the access right to the first user principal terminal,
Wherein the second access token includes information at least including a public key of the first user, an expiration date of the token, access right information for the resource of the target device, and information signed by the owner's private key. How to delegate access rights.
Requesting the owner terminal to establish the ownership relationship, while providing the ownership verification information including the public key of the owner terminal, the name, and the proof of ownership that can prove ownership of the target device to the target device;
Verifying the reliability of ownership of the target device of the owner terminal using the ownership authentication information provided by the target device;
Storing a public key and a name of an owner of the target device that has passed the verification of trustworthiness of ownership;
Providing the owner terminal with resource meta information used by the target device to grant access to its resource; And
The owner terminal generates a first access token for authenticating the self-signed token signed by the owner and the access right to the resource of the target device, and stores the generated first access token in a self-signed token store The method comprising the steps of:
Verifying the validity of the token payload submitted by the first use subject terminal based on the information on the trusted ownership relationship of the owner;
The target device extracts the 'access right information on the resource of the target device' included in the token payload whose validity is verified, stores it in the memory, generates a session ID corresponding to the extracted access right information, Providing a using subject terminal;
Providing the target user terminal with an access request message for a desired resource of the target device together with the session ID;
The target device compares the access request message received from the first user equipment terminal with the access privilege information corresponding to the session ID stored in the memory to determine whether the access request of the first user equipment terminal Verifying whether the user has authority; And
Further comprising a step in which the target device applies or does not grant an access request of the first user equipment terminal based on the verification result.
Wherein the self-signed token includes signature information by at least an owner's name, a public key, an expiration date, and an owner's private key,
Wherein the first delegation token includes at least a name of the delegator, a public key of the delegator, an expiration date of the token, an ID of an access token bound to the first delegation token, and a value signed by the delegator's private key. How to delegate access between.
Generating a token payload to access the resource of the target device and submitting the token payload to the target device, wherein the token payload is transmitted to the second user's personal And a chain of delegation tokens transmitted from the first user terminal, wherein the delegation token chain includes a self-signed token signed by the owner received from the owner terminal, A first delegation token and the third access token,
Verifying the validity of the token payload based on information about the trustee ownership of the owner;
The target device extracts the 'access right information for the resource of the target device' contained in the token payload whose validity is verified, stores it in the memory, generates a session ID corresponding to the extracted access right information, Providing a using subject terminal;
Providing the second user principal terminal with an access request message for a desired resource of the target device to the target device together with the session ID;
The target device compares the access request message received from the second user equipment terminal with the 'access right information corresponding to the session ID' stored in the memory and transmits an access request of the second user equipment terminal to the desired resource Verifying whether the user has authority; And
Further comprising the step of allowing the target device to grant or deny the access request of the second user equipment terminal based on the verification result.
And the second delegation token includes an authority to issue a fourth access token having an access right to the resource of the target device to the third user principal terminal of the third user. How to delegate access rights between IoT devices.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020170050316A KR101873991B1 (en) | 2017-04-19 | 2017-04-19 | Method of delegating access right between IoT devices |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020170050316A KR101873991B1 (en) | 2017-04-19 | 2017-04-19 | Method of delegating access right between IoT devices |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101873991B1 true KR101873991B1 (en) | 2018-07-04 |
Family
ID=62912852
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020170050316A KR101873991B1 (en) | 2017-04-19 | 2017-04-19 | Method of delegating access right between IoT devices |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101873991B1 (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110287739A (en) * | 2019-06-17 | 2019-09-27 | 西安纸贵互联网科技有限公司 | Data safety control method and system based on hardware private keys memory technology |
KR20210033229A (en) * | 2019-09-18 | 2021-03-26 | 주식회사 엘지유플러스 | METHOD AND APPARATUS FOR MANAGING RIGHTS OF IoT DEVICE |
CN113111355A (en) * | 2020-01-13 | 2021-07-13 | 华控清交信息科技(北京)有限公司 | Authority management method, device, system and storage medium |
WO2021182761A1 (en) * | 2020-03-13 | 2021-09-16 | 삼성전자 주식회사 | Method and electronic device for managing at least one device |
KR102410294B1 (en) * | 2020-12-11 | 2022-06-16 | 윤성민 | Security system of thuings and method through identification of users and things |
WO2023219234A1 (en) * | 2022-05-13 | 2023-11-16 | 삼성전자 주식회사 | Electronic device for managing controlled device and operation method therefor |
-
2017
- 2017-04-19 KR KR1020170050316A patent/KR101873991B1/en active IP Right Grant
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110287739A (en) * | 2019-06-17 | 2019-09-27 | 西安纸贵互联网科技有限公司 | Data safety control method and system based on hardware private keys memory technology |
KR20210033229A (en) * | 2019-09-18 | 2021-03-26 | 주식회사 엘지유플러스 | METHOD AND APPARATUS FOR MANAGING RIGHTS OF IoT DEVICE |
KR102243627B1 (en) * | 2019-09-18 | 2021-04-22 | 주식회사 엘지유플러스 | METHOD AND APPARATUS FOR MANAGING RIGHTS OF IoT DEVICE |
CN113111355A (en) * | 2020-01-13 | 2021-07-13 | 华控清交信息科技(北京)有限公司 | Authority management method, device, system and storage medium |
WO2021182761A1 (en) * | 2020-03-13 | 2021-09-16 | 삼성전자 주식회사 | Method and electronic device for managing at least one device |
KR102410294B1 (en) * | 2020-12-11 | 2022-06-16 | 윤성민 | Security system of thuings and method through identification of users and things |
WO2022124723A1 (en) * | 2020-12-11 | 2022-06-16 | 윤성민 | Computer for managing security of objects through identity authentication of persons and objects, and method therefor |
WO2023219234A1 (en) * | 2022-05-13 | 2023-11-16 | 삼성전자 주식회사 | Electronic device for managing controlled device and operation method therefor |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR101873991B1 (en) | Method of delegating access right between IoT devices | |
CN102792311B (en) | Safety actuality power is appointed | |
US10540484B2 (en) | Networked services licensing system and method | |
US9401918B2 (en) | User to user delegation service in a federated identity management environment | |
US7386513B2 (en) | Networked services licensing system and method | |
CN115699000A (en) | Method, apparatus and computer readable medium for secure multilateral data exchange over a computer network | |
US9825938B2 (en) | System and method for managing certificate based secure network access with a certificate having a buffer period prior to expiration | |
EP1381201A2 (en) | System, method and program for remote access to a resource using certificates | |
US20020049912A1 (en) | Access control method | |
KR100561629B1 (en) | Integrated Security Information Management System and Its Method | |
CN102084374B (en) | Representing security identities using claims | |
Ghaffari et al. | Authentication and access control based on distributed ledger technology: A survey | |
US8793773B2 (en) | System and method for providing reputation reciprocity with anonymous identities | |
US20170104748A1 (en) | System and method for managing network access with a certificate having soft expiration | |
JP2016521029A (en) | Network system comprising security management server and home network, and method for including a device in the network system | |
Ghaffari et al. | Identity and access management using distributed ledger technology: A survey | |
Anand et al. | Identity and access management systems | |
Lee et al. | Traust: a trust negotiation-based authorization service for open systems | |
CN101939748A (en) | Activation by trust delegation | |
KR20090054774A (en) | Method of integrated security management in distribution network | |
WO2018207174A1 (en) | Method and system for sharing a network enabled entity | |
LU93150B1 (en) | Method for providing secure digital signatures | |
Tiwari et al. | Design and Implementation of Enhanced Security Algorithm for Hybrid Cloud using Kerberos | |
Omolola et al. | Policy-based access control for the IoT and Smart Cities | |
KR101912012B1 (en) | The method and apparatus for providing service based on capability token in internet of things environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
GRNT | Written decision to grant |