TWI729061B - Method, device and system for generating equipment identification - Google Patents
Method, device and system for generating equipment identification Download PDFInfo
- Publication number
- TWI729061B TWI729061B TW106102221A TW106102221A TWI729061B TW I729061 B TWI729061 B TW I729061B TW 106102221 A TW106102221 A TW 106102221A TW 106102221 A TW106102221 A TW 106102221A TW I729061 B TWI729061 B TW I729061B
- Authority
- TW
- Taiwan
- Prior art keywords
- identification
- information
- license information
- unit
- key
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 69
- 238000009826 distribution Methods 0.000 claims description 100
- 238000012423 maintenance Methods 0.000 claims description 14
- 238000003860 storage Methods 0.000 claims description 11
- 238000012795 verification Methods 0.000 claims description 6
- 239000013078 crystal Substances 0.000 claims 1
- 238000007726 management method Methods 0.000 description 34
- 230000006870 function Effects 0.000 description 10
- 238000010586 diagram Methods 0.000 description 9
- 230000008569 process Effects 0.000 description 8
- 238000004519 manufacturing process Methods 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- WQZGKKKJIJFFOK-GASJEMHNSA-N Glucose Natural products OC[C@H]1OC(O)[C@H](O)[C@@H](O)[C@@H]1O WQZGKKKJIJFFOK-GASJEMHNSA-N 0.000 description 1
- 239000008280 blood Substances 0.000 description 1
- 210000004369 blood Anatomy 0.000 description 1
- 230000036772 blood pressure Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000004883 computer application Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 239000008103 glucose Substances 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 239000004984 smart glass Substances 0.000 description 1
- XLYOFNOQVPJJNP-UHFFFAOYSA-N water Substances O XLYOFNOQVPJJNP-UHFFFAOYSA-N 0.000 description 1
Images
Abstract
本發明提供了一種產生設備標識的方法、裝置和系統,其中方法包括:安全平台接收廠商管理設備發送的標識分配請求;針對待分配標識的設備產生唯一的設備標識;將所述設備標識發送給標識寫入設備,供所述標識寫入設備將所述設備標識寫入所述待分配標識的設備。本發明將設備標識的產生權限統一放在了網路端的安全平台,由安全平台統一維護表徵各設備合法身份的設備標識,從而為服務側對設備合法身份的判斷提供基礎。 The present invention provides a method, device and system for generating a device identification, wherein the method includes: a security platform receives an identification allocation request sent by a manufacturer's management device; generates a unique device identification for a device to be allocated with an identification; and sends the device identification to The identification writing device is used for the identification writing device to write the device identification into the device to which the identification is to be allocated. In the present invention, the generation authority of the equipment identification is uniformly placed on the security platform of the network side, and the equipment identification that characterizes the legal identity of each device is uniformly maintained by the security platform, thereby providing a basis for the service side to judge the legal identity of the equipment.
Description
本發明係關於電腦應用技術領域,特別係關於一種產生設備標識的方法、裝置和系統。 The present invention relates to the field of computer application technology, and particularly relates to a method, device and system for generating equipment identification.
IMEI(International Mobile Equipment Identity,國際行動設備身份碼)是由15位數字組成的電子序號,它與每台手機一一對應,並且該碼是全世界唯一的。每一隻手機在組裝完成後都將被賦予一個全球唯一的一組號碼,這個號碼從生產到交付使用都被製造生產的廠商所記錄。手機的IMEI就如同身份證號,如果手機丟失,可以通知運營商將該手機的IMEI列入黑名單,這樣該手機將被禁止使用。 IMEI (International Mobile Equipment Identity, International Mobile Equipment Identity) is an electronic serial number composed of 15 digits, which corresponds to each mobile phone one to one, and the code is unique in the world. Each mobile phone will be assigned a globally unique set of numbers after assembly. This number is recorded by the manufacturer from production to delivery. The IMEI of a mobile phone is like an ID number. If the mobile phone is lost, the operator can be notified to blacklist the IMEI of the mobile phone, so that the mobile phone will be prohibited from use.
然而,一方面IMEI目前僅是手機在使用,對於其他類型的設備而言並沒有IMEI;另一方面,只有廠商知道合法手機的IMEI,在手機丟失後,需要人工通知運營商將IMEI列入黑名單,並且對於其他業務而言,服務側無法依據IMEI判斷設備的合法身份。 However, on the one hand, IMEI is currently only used by mobile phones, and there is no IMEI for other types of devices; on the other hand, only the manufacturer knows the IMEI of a legal mobile phone. After the mobile phone is lost, it is necessary to manually notify the operator to list the IMEI as black. For other services, the service side cannot determine the legal identity of the device based on IMEI.
有鑑於此,本發明提供了一種產生設備標識的方法、裝置和系統,以便於為服務側對設備合法身份的判斷提供基礎。 In view of this, the present invention provides a method, device and system for generating device identification, so as to provide a basis for the service side to determine the legal identity of the device.
具體技術方案如下:本發明提供了一種產生設備標識的方法,該方法包括:標識分配設備接收標識分配請求;針對待分配標識的設備分配唯一的設備標識;發送所述設備標識,供所述標識寫入設備將所述設備標識寫入所述待分配標識的設備。 The specific technical solution is as follows: the present invention provides a method for generating a device identification, the method includes: receiving an identification allocation request by an identification allocation device; allocating a unique device identification for the device to be allocated with an identification; sending the device identification for the identification The writing device writes the device identification into the device to which the identification is to be allocated.
根據本發明一較佳實施方式,所述針對待分配標識的設備分配唯一的設備標識包括:所述標識分配設備利用所述標識分配請求包含的待分配標識的設備資訊,產生唯一的設備標識。 According to a preferred embodiment of the present invention, the allocating a unique device identifier for the device to be assigned an identifier includes: the identifier assignment device uses the device information of the identifier to be assigned included in the identifier assignment request to generate the unique device identifier.
根據本發明一較佳實施方式,所述產生唯一的設備標識包括:依據預設的標識產生規則,產生唯一的設備標識。 According to a preferred embodiment of the present invention, the generating the unique device identification includes: generating the unique device identification according to a preset identification generation rule.
根據本發明一較佳實施方式,所述標識產生規則包括:設備標識依次包括設備標識符、廠商編號、待分配標識的設備資訊和隨機數。 According to a preferred embodiment of the present invention, the identification generation rule includes: the equipment identification includes the equipment identifier, the manufacturer number, the equipment information to be assigned the identification, and a random number in sequence.
根據本發明一較佳實施方式,所述待分配標識的設備資訊包括: 待分配標識的設備的型號資訊、系統版本資訊以及晶片資訊中的至少一種。 According to a preferred embodiment of the present invention, the information of the device to be assigned an identifier includes: at least one of model information, system version information, and chip information of the device to be assigned the identifier.
根據本發明一較佳實施方式,該方法還包括:針對所述待分配標識的設備分配許可資訊;發送所述許可資訊;接收到許可資訊後,若接收到的許可資訊與分配的許可資訊一致,則發送所述設備標識。 According to a preferred embodiment of the present invention, the method further includes: allocating license information to the device to be assigned an identifier; sending the license information; after receiving the license information, if the received license information is consistent with the allocated license information , Then send the device identification.
根據本發明一較佳實施方式,所述標識分配請求包含密鑰資訊;發送的所述許可資訊為利用所述密鑰資訊加密後的許可資訊。 According to a preferred embodiment of the present invention, the identity distribution request includes key information; the sent license information is the license information encrypted with the key information.
根據本發明一較佳實施方式,所述產生許可資訊包括:利用日期、設備資訊、廠商資訊、隨機數中的一種或任意組合,產生許可資訊;或者,從預先產生的許可資訊池中獲取一個標識為可分配的許可資訊,並將該許可資訊在許可資訊池中標識為不可分配。 According to a preferred embodiment of the present invention, the generating license information includes: using one or any combination of date, equipment information, manufacturer information, and random numbers to generate license information; or, obtaining one from a pre-generated license information pool Identifies the license information as distributable, and marks the license information as undistributable in the license information pool.
根據本發明一較佳實施方式,在發送所述設備標識之後,所述許可資訊失效或刪除。 According to a preferred embodiment of the present invention, after sending the device identification, the permission information becomes invalid or deleted.
根據本發明一較佳實施方式,該方法還包括:保存針對所述待分配標識的設備分配的設備標識和許可資訊的對應關係;發送所述設備標識包括:發送接收到的許可資訊對應 的設備標識。 According to a preferred embodiment of the present invention, the method further includes: saving the correspondence relationship between the device ID assigned to the device to be assigned the ID and the license information; sending the device ID includes: sending the device corresponding to the received license information Logo.
根據本發明一較佳實施方式,所述標識分配請求包含的密鑰資訊為公鑰;接收到的所述許可資訊為利用與所述公鑰對應的私鑰加密後的許可資訊。 According to a preferred embodiment of the present invention, the key information included in the identity distribution request is a public key; the received license information is license information encrypted with a private key corresponding to the public key.
根據本發明一較佳實施方式,該方法還包括:所述標識分配設備產生密鑰資訊;將產生的密鑰資訊的全部或部分連同所述設備標識一起發送。 According to a preferred embodiment of the present invention, the method further includes: the identification distribution device generates key information; and all or part of the generated key information is sent together with the device identification.
根據本發明一較佳實施方式,若所述標識分配設備產生密鑰資訊時採用對稱加密算法,則將產生的密鑰資訊的全部連同所述設備標識一起發送;若所述標識分配設備產生密鑰資訊時採用非對稱加密算法,則將產生的私鑰或公鑰中的一個連同所述設備標識一起發送。 According to a preferred embodiment of the present invention, if the symmetric encryption algorithm is used when the identity distribution device generates key information, all of the generated key information is sent together with the device identity; if the identity distribution device generates the secret When the key information uses an asymmetric encryption algorithm, one of the generated private key or public key is sent together with the device identification.
根據本發明一較佳實施方式,所述標識分配設備包括頒發中心和各級分發中心;所述頒發中心下發標識產生規則給各級分發中心,由各級分發中心負責接收所述標識分配請求、產生並發送所述設備標識,並將產生的設備標識上報所述頒發中心;或者,由各級分發中心負責接收所述標識分配請求並轉發給所述頒發中心;由所述頒發中心按照標識產生規則產生設備標識,再將設備標識經由各級分發中心轉發。 According to a preferred embodiment of the present invention, the identification distribution equipment includes an issuance center and a distribution center at all levels; the issuance center issues identification generation rules to the distribution centers at all levels, and the distribution centers at all levels are responsible for receiving the identification distribution request , Generate and send the device identification, and report the generated device identification to the issuing center; or, the distribution centers at all levels are responsible for receiving the identification allocation request and forwarding it to the issuing center; The identification generation rule generates the equipment identification, and then forwards the equipment identification through the distribution centers at all levels.
本發明還提供了一種產生設備標識的方法,該方法包括:管理設備發送標識分配請求,以請求標識分配設備針對待分配標識的設備產生唯一的設備標識。 The present invention also provides a method for generating a device identification, the method comprising: a management device sends an identification allocation request to request the identification allocation device to generate a unique device identification for the device to which the identification is to be allocated.
根據本發明一較佳實施方式,所述標識分配請求包含待分配標識的設備資訊。 According to a preferred embodiment of the present invention, the identification allocation request includes equipment information for which identification is to be allocated.
根據本發明一較佳實施方式,所述待分配標識的設備資訊包括:待分配標識的設備的型號資訊、系統版本資訊以及晶片資訊中的至少一種。 According to a preferred embodiment of the present invention, the device information to be assigned an identifier includes: at least one of model information, system version information, and chip information of the device to be assigned an identifier.
根據本發明一較佳實施方式,所述標識分配請求包含密鑰資訊;該方法還包括:所述管理設備接收利用所述密鑰資訊加密後的許可資訊;所述管理設備將加密後的許可資訊以及密鑰資訊提供給標識寫入設備。 According to a preferred embodiment of the present invention, the identity distribution request includes key information; the method further includes: the management device receives the license information encrypted with the key information; and the management device transfers the encrypted license The information and key information are provided to the identification writing device.
根據本發明一較佳實施方式,該方法還包括:所述廠商管理設備產生公鑰-私鑰對;所述標識分配請求包含的密鑰資訊為所述公鑰-私鑰對中的公鑰;提供給標識寫入設備的密鑰資訊為所述公鑰-私鑰對中的私鑰。 According to a preferred embodiment of the present invention, the method further includes: the manufacturer management device generates a public key-private key pair; the key information contained in the identity distribution request is the public key in the public key-private key pair ; The key information provided to the identification writing device is the private key in the public key-private key pair.
本發明還提供了一種產生設備標識的方法,該方法包括: 標識寫入設備接收設備標識,所述設備標識為標識分配設備針對待分配標識的設備產生的;將所述設備標識寫入所述待分配標識的設備。 The present invention also provides a method for generating a device identifier, the method comprising: writing an identifier into a device receiving a device identifier, the device identifier being generated by the identifier assigning device for the device to which the identifier is to be assigned; writing the device identifier into the The device to be assigned an identity.
根據本發明一較佳實施方式,所述標識寫入設備接收唯一的設備標識包括:所述標識寫入設備接收加密後的許可資訊以及密鑰資訊;利用所述密鑰資訊對所述加密後的許可資訊進行解密;將解密後得到的許可資訊發送給所述標識分配設備;接收所述標識分配設備返回的所述設備標識。 According to a preferred embodiment of the present invention, the identification writing device receiving the unique device identification includes: the identification writing device receiving encrypted license information and key information; and using the key information to encrypt the encrypted license information Decrypt the license information; send the decrypted license information to the identification distribution device; receive the device identification returned by the identification distribution device.
根據本發明一較佳實施方式,該方法還包括:所述標識寫入設備將連同所述設備標識一起接收到的密鑰資訊寫入所述待分配標識的設備。 According to a preferred embodiment of the present invention, the method further includes: the identification writing device writes the key information received together with the device identification into the device to which the identification is to be allocated.
根據本發明一較佳實施方式,將所述設備標識寫入所述待分配標識的設備包括:將所述設備標識寫入所述待分配標識的設備的安全儲存。 According to a preferred embodiment of the present invention, writing the device identifier to the device to be assigned the identifier includes: writing the device identifier into the secure storage of the device to which the identifier is to be assigned.
本發明還提供了一種產生設備標識的裝置,該裝置設置於標識分配設備,該裝置包括:接收單元,用於接收標識分配請求;分配單元,用於在所述接收單元接收到標識分配請求後,針對待分配標識的設備分配唯一的設備標識;發送單元,用於發送所述設備標識,供標識寫入設備 將所述設備標識寫入所述待分配標識的設備。 The present invention also provides a device for generating equipment identification, which is set in an identification distribution device. The device includes: a receiving unit for receiving an identification allocation request; and an allocation unit for receiving the identification allocation request after the receiving unit receives the identification allocation request. , Assign a unique device identifier to the device to be assigned an identifier; the sending unit is configured to send the device identifier for the identifier writing device to write the device identifier into the device to be assigned the identifier.
根據本發明一較佳實施方式,所述分配單元,具體用於利用所述標識分配請求包含的待分配標識的設備資訊,產生唯一的設備標識。 According to a preferred embodiment of the present invention, the allocating unit is specifically configured to use the device information of the identification to be allocated included in the identification allocation request to generate a unique device identification.
根據本發明一較佳實施方式,所述分配單元,具體用於依據預設的標識產生規則,產生唯一的設備標識。 According to a preferred embodiment of the present invention, the allocation unit is specifically configured to generate a unique device identification according to a preset identification generation rule.
根據本發明一較佳實施方式,所述標識產生規則包括:設備標識依次包括設備標識符、廠商編號、待分配標識的設備資訊和隨機數。 According to a preferred embodiment of the present invention, the identification generation rule includes: the equipment identification includes the equipment identifier, the manufacturer number, the equipment information to be assigned the identification, and a random number in sequence.
根據本發明一較佳實施方式,所述待分配標識的設備資訊包括:待分配標識的設備的型號資訊、系統版本資訊以及晶片資訊中的至少一種。 According to a preferred embodiment of the present invention, the device information to be assigned an identifier includes: at least one of model information, system version information, and chip information of the device to be assigned an identifier.
根據本發明一較佳實施方式,該裝置還包括驗證單元;所述分配單元,還用於針對所述待分配標識的設備分配許可資訊;所述發送單元,還用於發送所述許可資訊;所述接收單元,還用於接收許可資訊;所述驗證單元,用於驗證所述接收單元接收到的許可資訊是否與所述分配單元分配的許可資訊一致,如果是,則觸發所述發送單元發送所述設備標識。 According to a preferred embodiment of the present invention, the device further includes a verification unit; the allocating unit is further used to allocate license information to the equipment to which the identification is to be allocated; the sending unit is also used to send the license information; The receiving unit is also used to receive permission information; the verification unit is used to verify whether the permission information received by the receiving unit is consistent with the permission information allocated by the distribution unit, and if so, trigger the sending unit Send the device identification.
根據本發明一較佳實施方式,所述標識分配請求包含 密鑰資訊;該裝置還包括:加密單元,用於利用所述密鑰資訊對所述分配的許可資訊進行加密;所述發送單元發送加密後的許可資訊。 According to a preferred embodiment of the present invention, the identity distribution request includes key information; the device further includes: an encryption unit for encrypting the distributed permission information using the key information; the sending unit sends Encrypted license information.
根據本發明一較佳實施方式,所述分配單元在分配許可資訊時,具體用於:利用日期、設備資訊、廠商資訊、隨機數中的一種或任意組合,產生許可資訊;或者,從預先產生的許可資訊池中獲取一個標識為可分配的許可資訊,並將該許可資訊在許可資訊池中標識為不可分配。 According to a preferred embodiment of the present invention, when the distribution unit distributes the license information, it is specifically used to: use one or any combination of date, equipment information, manufacturer information, and random numbers to generate license information; or, from pre-generated Obtain a license information identified as distributable from the license information pool, and mark the license information as undistributable in the license information pool.
根據本發明一較佳實施方式,在發送所述設備標識之後,所述分配單元還用於將所述許可資訊失效或刪除。 According to a preferred embodiment of the present invention, after sending the device identification, the allocating unit is further configured to invalidate or delete the permission information.
根據本發明一較佳實施方式,該裝置還包括:維護單元,用於保存針對所述待分配標識的設備分配的設備標識和許可資訊的對應關係;所述發送單元,用於發送所述接收單元接收到的許可資訊對應的設備標識。 According to a preferred embodiment of the present invention, the device further includes: a maintenance unit, configured to save the correspondence relationship between the device identification assigned to the device to be allocated with the identification and the license information; the sending unit, configured to send the receiving The device ID corresponding to the license information received by the unit.
根據本發明一較佳實施方式,所述分配單元,還用於產生密鑰資訊;所述發送單元將所述密鑰資訊的全部或部分連同所述設備標識一起發送。 According to a preferred embodiment of the present invention, the distribution unit is also used to generate key information; the sending unit sends all or part of the key information together with the device identification.
根據本發明一較佳實施方式,若所述分配單元在產生密鑰資訊時採用對稱加密算法,則所述發送單元將所述產 生的密鑰資訊的全部連同所述設備標識一起發送;若所述分配單元在產生密鑰資訊時採用非對稱加密算法,則所述發送單元將所述分配單元產生的私鑰或公鑰中的一個連同所述設備標識一起發送。 According to a preferred embodiment of the present invention, if the distribution unit uses a symmetric encryption algorithm when generating the key information, the sending unit sends all of the generated key information together with the device identification; When the distribution unit uses an asymmetric encryption algorithm when generating the key information, the sending unit sends one of the private key or the public key generated by the distribution unit together with the device identification.
本發明還提供了一種產生設備標識的裝置,該裝置設置於管理設備,該裝置包括:請求單元,用於發送標識分配請求,以請求標識分配設備針對待分配標識的設備產生唯一的設備標識。 The present invention also provides a device for generating a device identifier, the device is set in a management device, and the device includes: a request unit for sending an identification allocation request to request the identification allocation device to generate a unique device identification for the device to be allocated with the identification.
根據本發明一較佳實施方式,所述標識分配請求包含待分配標識的設備資訊。 According to a preferred embodiment of the present invention, the identification allocation request includes equipment information for which identification is to be allocated.
根據本發明一較佳實施方式,所述待分配標識的設備資訊包括:待分配標識的設備的型號資訊、系統版本資訊以及晶片資訊中的至少一種。 According to a preferred embodiment of the present invention, the device information to be assigned an identifier includes: at least one of model information, system version information, and chip information of the device to be assigned an identifier.
根據本發明一較佳實施方式,該裝置還包括:密鑰維護單元,用於維護密鑰資訊,並將該密鑰資訊攜帶在所述標識分配請求中;接收單元,用於接收利用所述密鑰資訊加密後的許可資訊;提供單元,用於將加密後的許可資訊以及密鑰資訊提供給標識寫入設備。 According to a preferred embodiment of the present invention, the device further includes: a key maintenance unit for maintaining key information and carrying the key information in the identity distribution request; and a receiving unit for receiving and using the License information encrypted by the key information; a providing unit for providing the encrypted license information and key information to the identification writing device.
根據本發明一較佳實施方式,所述密鑰維護單元,還用於產生並維護公鑰-私鑰對;所述標識分配請求包含的密鑰資訊為所述公鑰-私鑰 對中的公鑰;所述提供單元提供給標識寫入設備的密鑰資訊為所述公鑰-私鑰對中的私鑰。 According to a preferred embodiment of the present invention, the key maintenance unit is also used to generate and maintain a public key-private key pair; the key information included in the identity distribution request is the public key-private key pair Public key; the key information provided by the providing unit to the identification writing device is the private key in the public key-private key pair.
本發明還提供了一種產生設備標識的裝置,該裝置設置於標識寫入設備,該裝置包括:接收單元,用於接收設備標識,所述設備標識為標識分配設備針對待分配標識的設備產生的;寫入單元,用於將所述設備標識寫入所述待分配標識的設備。 The present invention also provides a device for generating an equipment identification, the device is set in an identification writing device, the device includes: a receiving unit for receiving an equipment identification, the equipment identification is generated by the identification allocation device for the equipment to be allocated with the identification ; Writing unit, used to write the device identifier into the device to be assigned the identifier.
根據本發明一較佳實施方式,該裝置還包括:解密單元和發送單元;所述接收單元,還用於接收加密後的許可資訊以及密鑰資訊;所述解密單元,用於利用所述密鑰資訊對所述加密後的許可資訊進行解密;所述發送單元,還用於將所述解密單元解密得到的許可資訊發送給所述標識分配設備。 According to a preferred embodiment of the present invention, the device further includes: a decryption unit and a sending unit; the receiving unit is also used to receive encrypted license information and key information; the decryption unit is used to use the encryption The key information decrypts the encrypted license information; the sending unit is also used to send the license information decrypted by the decrypting unit to the identification distribution device.
根據本發明一較佳實施方式,所述接收單元,還用於接收連同所述設備標識一起發送的密鑰資訊;所述寫入單元,還用於將所述密鑰資訊寫入所述待分配標識的設備。 According to a preferred embodiment of the present invention, the receiving unit is further configured to receive key information sent together with the device identification; the writing unit is further configured to write the key information into the waiting The device to which the ID is assigned.
根據本發明一較佳實施方式,所述寫入單元,具體用於將所述設備標識寫入所述待分配標識的設備的安全儲存。 According to a preferred embodiment of the present invention, the writing unit is specifically configured to write the device identification into the secure storage of the device to which the identification is to be allocated.
本發明還提供了一種產生設備標識的系統,其中,該系統包括:標識分配設備、管理設備和標識寫入設備。 The present invention also provides a system for generating device identification, wherein the system includes: an identification distribution device, a management device, and an identification writing device.
本發明還提供了一種安全平台,該安全平台包括標識分配設備。 The present invention also provides a security platform, which includes identification distribution equipment.
由以上技術方案可以看出,本發明將設備標識的產生權限統一放在了網路端的標識分配設備,由標識分配設備統一維護表徵各設備合法身份的設備標識,從而為服務側對設備合法身份的判斷提供基礎。 It can be seen from the above technical solutions that the present invention places the generation authority of the device identification uniformly on the identification distribution device on the network side, and the identification distribution device uniformly maintains the device identification that characterizes the legal identity of each device, thereby providing the service side for the legal identity of the device. Provide the basis for the judgment.
01‧‧‧接收單元 01‧‧‧Receiving unit
02‧‧‧分配單元 02‧‧‧Distribution unit
03‧‧‧發送單元 03‧‧‧Sending unit
04‧‧‧加密單元 04‧‧‧Encryption Unit
05‧‧‧驗證單元 05‧‧‧Verification Unit
06‧‧‧維護單元 06‧‧‧Maintenance Unit
11‧‧‧請求單元 11‧‧‧Request unit
12‧‧‧密鑰維護單元 12‧‧‧Key Maintenance Unit
13‧‧‧接收單元 13‧‧‧Receiving unit
14‧‧‧提供單元 14‧‧‧Providing Unit
21‧‧‧接收單元 21‧‧‧Receiving unit
22‧‧‧寫入單元 22‧‧‧Write unit
23‧‧‧解密單元 23‧‧‧Decryption Unit
24‧‧‧發送單元 24‧‧‧Sending unit
圖1為本發明所基於的系統架構圖;圖2為本發明實施例提供的主要方法流程圖;圖3為本發明實施例提供的一個詳細方法流程圖;圖4為本發明實施例提供的一種裝置結構圖;圖5為本發明實施例提供的另一種裝置結構圖;圖6為本發明實施例提供的再一種裝置結構圖;圖7為本發明實施例提供的安全平台的一種組成架構圖。 Fig. 1 is a diagram of the system architecture on which the present invention is based; Fig. 2 is a flowchart of the main method provided by an embodiment of the present invention; Fig. 3 is a detailed method flowchart provided by an embodiment of the present invention; Fig. 4 is a flowchart provided by an embodiment of the present invention A device structure diagram; FIG. 5 is another device structure diagram provided by an embodiment of the present invention; FIG. 6 is another device structure diagram provided by an embodiment of the present invention; FIG. 7 is a composition architecture of a security platform provided by an embodiment of the present invention Figure.
為了使本發明的目的、技術方案和優點更加清楚,下面結合附圖和具體實施例對本發明進行詳細描述。 In order to make the objectives, technical solutions, and advantages of the present invention clearer, the present invention will be described in detail below with reference to the accompanying drawings and specific embodiments.
圖1為本發明所基於的系統架構圖,該系統可以包括管理設備、標識分配設備和標識寫入設備,其中管理設備 可以設置於廠商處,稱為廠商管理設備,也可以設置於其他設備出廠環節。在本發明實施例中所涉及的“廠商”可以包括設備的實際生產商、設備的技術提供商等等,其需求就是請求並獲取設備標識,以將設備標識寫入設備。標識分配設備可以設置於安全平台中,在本發明實施例中標識分配設備以安全平台為例進行描述、管理設備以廠商管理設備為例。 Figure 1 is a diagram of the system architecture on which the present invention is based. The system can include a management device, an identification distribution device, and an identification writing device. The management device can be set at the manufacturer, called the manufacturer management device, or can be set at the factory of other equipment. Link. The "vendor" involved in the embodiment of the present invention may include the actual manufacturer of the device, the technology provider of the device, and so on. The requirement is to request and obtain the device identification to write the device identification into the device. The identification distribution device may be set in a security platform. In the embodiment of the present invention, the identification distribution device is described using a security platform as an example, and the management device is an example of a manufacturer-managed device.
其中廠商管理設備設置於廠商側,負責設備生產過程中對設備相關的管理。在本發明中,其主要功能包括: The manufacturer's management equipment is set on the manufacturer's side and is responsible for equipment-related management during the equipment production process. In the present invention, its main functions include:
1)針對待分配標識的設備,向安全平台發送標識分配請求。 1) Send an identification allocation request to the security platform for the device for which identification is to be allocated.
2)管理設備資訊,例如型號資訊、系統版本資訊以及晶片資訊等。將待分配標識的設備資訊攜帶在標識分配請求中。 2) Manage equipment information, such as model information, system version information, and chip information. The information of the device to be assigned the identifier is carried in the identifier assignment request.
標識寫入設備可以設置於廠商側,也可以獨立設置,其主要功能如下: The logo writing device can be set on the manufacturer's side or independently. Its main functions are as follows:
1)接收安全平台針對待分配標識的設備產生的唯一的設備標識。 1) Receive the unique device identifier generated by the security platform for the device to be assigned the identifier.
2)將設備標識寫入待分配標識的設備,例如將設備標識燒錄在設備晶片中。 2) Write the device ID to the device to be assigned the ID, for example, burn the device ID in the device chip.
安全平台設置於網路側,可以是伺服器,也可以是伺服器集群,負責針對設備產生唯一的設備標識。其主要功能可以包括: The security platform is set on the network side, which can be a server or a server cluster, and is responsible for generating a unique device identification for the device. Its main functions can include:
1)接收廠商管理設備發送的標識分配請求。 1) Receive the identification allocation request sent by the manufacturer's management device.
2)針對待分配標識的設備產生唯一的設備標識。 2) Generate a unique device ID for the device to be assigned ID.
3)將設備標識發送給標識寫入設備。 3) Send the device ID to the ID writing device.
除了上述主要功能之外,更具體的功能將在後續實施例中涉及和描述。圖2為本發明實施例提供的主要方法流程圖,上述設備的主要功能在本實施例中可以得以體現。如圖2中所示,該方法可以包括以下步驟:在201中,廠商管理設備向安全平台發送標識分配請求。 In addition to the main functions described above, more specific functions will be involved and described in subsequent embodiments. Fig. 2 is a flowchart of the main method provided by an embodiment of the present invention. The main functions of the above-mentioned device can be embodied in this embodiment. As shown in FIG. 2, the method may include the following steps: In 201, the vendor management device sends an identification allocation request to the security platform.
其中標識分配請求中可以包括待分配標識的設備資訊,例如待分配標識的設備的型號資訊、系統版本資訊以及晶片資訊中的至少一種。還可以包括待分配標識的設備數量資訊。 The identification allocation request may include equipment information to be allocated with identification, for example, at least one of model information, system version information, and chip information of the equipment to be allocated with identification. It can also include information on the number of devices to be assigned with identification.
在202中,安全平台針對待分配標識的設備產生唯一的設備標識。 In 202, the security platform generates a unique device identifier for the device to which the identifier is to be assigned.
在本步驟中,安全平台可以利用標識分配請求中攜帶的設備資訊,為待分配標識的設備產生設備標識,一個設備標識能夠唯一標識一個設備,以與其他設備相區別。設備標識的產生方式將在圖3所示的實施例中詳細描述。 In this step, the security platform can use the device information carried in the ID allocation request to generate a device ID for the device to be allocated with the ID. One device ID can uniquely identify a device to distinguish it from other devices. The method of generating the device identifier will be described in detail in the embodiment shown in FIG. 3.
另外,除了利用設備資訊產生設備標識之外,安全平台還可以利用其它資訊產生設備資訊,例如採用產生隨機數的方式來產生設備資訊,只要保證產生的設備資訊的唯一性即可。 In addition, in addition to using device information to generate device identification, the security platform can also use other information to generate device information, such as generating device information by generating random numbers, as long as the uniqueness of the generated device information is guaranteed.
除了接收到標識分配請求後,實時產生設備標識的方式之外,也可以預先產生一些設備標識構成標識池,在接 收到標識分配請求後,從標識池中分配一個設備標識給待分配標識的設備。 In addition to the method of generating device IDs in real time after receiving the ID allocation request, some device IDs can also be generated in advance to form an ID pool. After receiving the ID allocation request, a device ID is allocated from the ID pool to the device to be allocated. .
在203中,安全平台將產生的設備標識發送給標識寫入設備。 In 203, the security platform sends the generated device identification to the identification writing device.
需要說明的是,安全平台可以將產生的設備標識直接發送給標識寫入設備,也可以經由廠商管理設備發送給標識寫入設備。 It should be noted that the security platform may directly send the generated device identification to the identification writing device, or may also send it to the identification writing device via the vendor management device.
在204中,標識寫入設備將設備標識寫入待分配標識的設備。 In 204, the identification writing device writes the device identification to the device to which the identification is to be allocated.
本步驟中,標識寫入設備可以採用燒錄等方式,將設備標識寫入待分配標識的設備晶片中。寫入設備的設備標識不能夠更改,並且設備能夠在需要時,獲取自身的設備標識,以該設備標識表徵自己的身份以及身份的合法性。 In this step, the identification writing device may use methods such as burning to write the device identification into the device chip to which the identification is to be assigned. The device ID written to the device cannot be changed, and the device can obtain its own device ID when needed, and use the device ID to characterize its own identity and the legitimacy of the identity.
由圖2所示流程可以看出,廠商不再具有產生設備標識的權限,而將設備標識的產生統一放在了網路端的安全平台,由安全平台統一維護各設備標識,也就是說,由安全平台統一維護設備身份合法性。 It can be seen from the process shown in Figure 2 that the manufacturer no longer has the authority to generate device identifications, but unified the generation of device identifications on the security platform of the network side, and the security platform maintains each device identification uniformly. The security platform uniformly maintains the legitimacy of device identities.
為了提升產生設備標識流程中的安全性,可以更具體地採用如圖3中所示流程。圖3為本發明實施例提供的一個詳細方法流程圖,如圖3中所示,該方法可以具體包括以下步驟:在301中,廠商管理設備產生公鑰-私鑰對。 In order to improve the security in the process of generating device identification, the process shown in FIG. 3 can be more specifically adopted. Fig. 3 is a detailed flowchart of a method provided by an embodiment of the present invention. As shown in Fig. 3, the method may specifically include the following steps: In 301, the manufacturer management device generates a public key-private key pair.
在302中,廠商管理設備將待分配標識的設備資訊與公鑰攜帶在標識分配請求中發送給安全平台。 In 302, the manufacturer management device carries the device information and the public key of the identification to be allocated in the identification allocation request and sends it to the security platform.
在303中,安全平台針對待分配標識的設備分別產生唯一的設備標識並產生許可資訊。 In 303, the security platform generates unique device identifiers for the devices to be assigned identifiers and generates license information.
標識分配請求中可以攜帶待分配標識的設備數量資訊,如果是多於一個待分配標識的設備,例如n個,那麼安全平台產生n個設備標識,可以針對各待分配標識的設備分別產生許可資訊,也可以針對該n個待分配的設備產生一份許可資訊,在安全平台維護設備標識與許可資訊之間的對應關係。在本發明實施例中較佳產生一份許可資訊的方式。 The identification allocation request can carry information about the number of devices to be allocated with identifications. If it is more than one device to be allocated with identifications, such as n, then the security platform generates n device identifications, which can generate permission information for each device to be allocated with identifications. , It is also possible to generate a piece of permission information for the n devices to be allocated, and maintain the corresponding relationship between the device identification and the permission information on the security platform. In the embodiment of the present invention, a method of generating a piece of permission information is preferable.
具體在產生標識資訊時,可以按照預設的標識產生規則,產生對於各設備而言是唯一的,能夠與其他設備相區別的資訊。下面舉一個標識產生規則的實例:產生的設備標識可以由17個字符構成,採用8個字節儲存。格式可以採用:Y-AAAA-BBBB-XXXXXXXX Specifically, when generating identification information, according to preset identification generation rules, information that is unique to each device and can be distinguished from other devices can be generated. Here is an example of an identification generation rule: the generated device identification can be composed of 17 characters and is stored in 8 bytes. The format can be adopted: Y-AAAA-BBBB-XXXXXXXX
其中,第一個字符“Y”可以採用固定字符,作為設備標識的標識符。 Among them, the first character "Y" can use a fixed character as the identifier of the device identification.
四個字符“AAAA”可以採用十六進制字符,代表廠商編號。 The four characters "AAAA" can use hexadecimal characters to represent the manufacturer number.
四個字符“BBBB”可以採用十六進制字符,代表待分配設備的晶片型號。當然,也可以採用諸如系統版本號等。 The four characters "BBBB" can use hexadecimal characters to represent the chip model of the device to be allocated. Of course, the system version number can also be used.
最後八個字符“XXXXXXXX”可以採用十六進制字符,由一串隨機數組成。 The last eight characters "XXXXXXXX" can use hexadecimal characters and consist of a string of random numbers.
上面僅僅是本發明實施例所列舉的一個實例,也可以 採用其他長度的字符,其中的部分內容也可以採用其他設備資訊。 The above is only an example listed in the embodiment of the present invention, and characters of other lengths may also be used, and part of the content may also use other device information.
許可資訊可以依據日期、設備資訊、廠商資訊、隨機數等中的一種或任意組合產生。除了在本步驟中實時產生許可資訊之外,還可以預先維護一個許可資訊池,在本步驟中從許可資訊池中獲取一個標識為可分配的許可資訊,然後將該許可資訊在許可資訊池中標識為不可分配。在後續步驟309完成對該許可資訊對應的設備資訊的分配後,可以將該許可資訊進行回收,即在許可資訊池中將該許可資訊重新標識為可分配。 The license information can be generated based on one or any combination of date, equipment information, manufacturer information, random numbers, etc. In addition to real-time generation of license information in this step, a license information pool can also be maintained in advance. In this step, a license information identified as assignable is obtained from the license information pool, and then the license information is stored in the license information pool Identified as not assignable. After the distribution of the device information corresponding to the license information is completed in the subsequent step 309, the license information can be recycled, that is, the license information is re-marked as distributable in the license information pool.
在304中,安全平台利用標識分配請求攜帶的公鑰對許可資訊進行加密後發送給廠商管理設備。 In 304, the security platform encrypts the license information with the public key carried in the identification allocation request and sends it to the manufacturer management device.
在305中,廠商管理設備將加密的許可資訊以及私鑰提供給標識寫入設備。 In 305, the manufacturer management device provides the encrypted license information and the private key to the identification writing device.
在306中,標識寫入設備利用私鑰對加密的許可資訊進行解密,得到解密後的許可資訊。 In 306, the identification writing device uses the private key to decrypt the encrypted license information to obtain the decrypted license information.
在307中,將解密後的許可資訊發送給安全平台。 In 307, the decrypted license information is sent to the security platform.
需要說明的是,上述對許可資訊進行的加解密過程是為了保證許可資訊的安全性,但本發明並不限於這種方式,也可以發送和接收未進行加密處理的許可資訊。 It should be noted that the above encryption and decryption process of the license information is to ensure the security of the license information, but the present invention is not limited to this method, and the license information without encryption processing can also be sent and received.
在308中,安全平台判斷接收到的許可資訊是否與產生的許可資訊一致,如果一致,則執行309。如果不一致,則結束流程,或者向廠商管理設備或標識寫入設備返回錯誤提示資訊。 In 308, the security platform determines whether the received license information is consistent with the generated license information, and if it is consistent, executes 309. If they are inconsistent, end the process, or return an error message to the manufacturer's management device or logo writing device.
在309中,安全平台將許可資訊對應的設備標識發送給標識寫入設備。 In 309, the security platform sends the device identification corresponding to the permission information to the identification writing device.
在310中,標識寫入設備將設備標識燒錄至待分配標識的設備晶片。 In 310, the identification writing device burns the device identification to the device chip to which the identification is to be assigned.
在步驟309中,安全平台還可以進一步產生密鑰資訊,將該密鑰資訊中的全部或部分連同設備標識一起發送給標識寫入設備,由標識寫入設備將接收到的設備標識和密鑰資訊都燒錄至待分配標識的設備晶片。其中安全平台可以產生一個密鑰,除了自身維護該密鑰之外,將該密鑰連同設備資訊發送給標識寫入設備。安全平台也可以產生公鑰-私鑰對,除了自身維護該公鑰-私鑰對之外,將公鑰或者私鑰連同設備標識發送給標識寫入設備以寫入設備。 In step 309, the security platform may further generate key information, and send all or part of the key information together with the device identification to the identification writing device, and the identification writing device will receive the received device identification and key The information is burned to the device chip to be assigned a logo. The security platform can generate a key, and in addition to maintaining the key by itself, the key and device information are sent to the identification writing device. The security platform can also generate a public key-private key pair. In addition to maintaining the public key-private key pair, the security platform sends the public key or private key together with the device identification to the identification writing device for writing to the device.
另外,為了保證安全,可以將標識資訊連同密鑰資訊一起寫入設備的安全儲存。安全儲存可以是利用諸如ARM TrustZone或Secure Element或TI M-Shield等機制在硬體上隔離出的安全區域,也可以是利用虛擬化機制隔離出一個獨立的安全環境,安全儲存保證了存入的密鑰資訊以及設備標識不可篡改和擦除。 In addition, to ensure security, the identification information can be written into the secure storage of the device along with the key information. Secure storage can be a secure area isolated on the hardware using mechanisms such as ARM TrustZone or Secure Element or TI M-Shield, or it can be a virtualized mechanism to isolate an independent secure environment, and secure storage guarantees storage. The key information and device identification cannot be tampered with or erased.
另外,需要說明的是,在圖3所示的步驟301中,廠商管理設備實際上是產生並維護了密鑰資訊,公鑰-私鑰對是採用非對稱加密算法時對應的密鑰資訊。本發明實施例中也可以採用對稱算法,此時廠商管理設備在步驟301中可以產生一個密鑰,在步驟302中將該密鑰攜帶在標識分配請求中發送給安全平台。安全平台在步驟304中利用 該密鑰對許可資訊進行加密後發送給廠商管理設備;然後在步驟305中廠商管理設備再將該密鑰提供給標識寫入設備,以便標識寫入設備在步驟306中利用該密鑰對許可資訊進行解密。 In addition, it should be noted that in step 301 shown in FIG. 3, the manufacturer management device actually generates and maintains key information, and the public key-private key pair is the corresponding key information when the asymmetric encryption algorithm is used. In the embodiment of the present invention, a symmetric algorithm may also be used. In this case, the manufacturer management device may generate a key in step 301, and in step 302, the key is carried in the identification allocation request and sent to the security platform. The security platform encrypts the license information with the key in step 304 and sends it to the manufacturer management device; then, in step 305, the manufacturer management device provides the key to the identity writing device, so that the identity writing device is in step 306 Use the key to decrypt the license information.
以上是對本發明所提供方法進行的描述,下面結合實施例對本發明所提供的裝置進行詳細描述。 The above is a description of the method provided by the present invention, and the device provided by the present invention will be described in detail below in conjunction with embodiments.
圖4為本發明實施例提供的一種裝置結構圖,該裝置可以設置於上述安全平台,如圖4中所示,該裝置可以包括:接收單元01、分配單元02和發送單元03,還可以進一步包括加密單元04、驗證單元05和維護單元06。其中上述各組成單元的主要功能如下: Fig. 4 is a structural diagram of a device provided by an embodiment of the present invention. The device can be set on the above-mentioned security platform. As shown in Fig. 4, the device can include: a receiving
接收單元01接收標識分配請求,該標識分配請求可以是廠商管理設備發送的。在接收單元01接收到標識分配請求後,分配單元02針對待分配標識的設備分配唯一的設備標識。 The receiving
其中,標識分配請求中可以包含待分配標識的設備資訊,分配單元02利用待分配標識的設備資訊,產生唯一的設備標識。其中待分配標識的設備資訊可以包括但不限於:待分配標識的設備的型號資訊、系統版本資訊以及晶片資訊等中的至少一種。具體地,可以預設的標識產生規則,產生唯一的設備標識。其中標識產生規則可以包括設備標識由設備標識符、廠商編號、待分配標識的設備資訊和隨機數依次組成。下面舉一個標識產生規則的實例: Wherein, the identification allocation request may include the equipment information of the identification to be allocated, and the
產生的設備標識可以由17個字符構成,採用8個字 節儲存。格式可以採用:Y-AAAA-BBBB-XXXXXXXX The generated device identification can be composed of 17 characters and stored in 8 bytes. The format can be adopted: Y-AAAA-BBBB-XXXXXXXX
其中,第一個字符“Y”可以採用固定字符,作為設備標識的標識符。 Among them, the first character "Y" can use a fixed character as the identifier of the device identification.
四個字符“AAAA”可以採用十六進制字符,代表廠商編號。 The four characters "AAAA" can use hexadecimal characters to represent the manufacturer number.
四個字符“BBBB”可以採用十六進制字符,代表待分配設備的晶片型號。當然,也可以採用諸如系統版本號等。 The four characters "BBBB" can use hexadecimal characters to represent the chip model of the device to be allocated. Of course, the system version number can also be used.
最後八個字符“XXXXXXXX”可以採用十六進制字符,由一串隨機數組成。 The last eight characters "XXXXXXXX" can use hexadecimal characters and consist of a string of random numbers.
上面僅僅是本發明實施例所列舉的一個實例,也可以採用其他長度的字符,其中的部分內容也可以採用其他設備資訊。 The above is only an example listed in the embodiments of the present invention, and characters of other lengths may also be used, and part of the content may also use other device information.
或者,分配單元02在接收單元01接收到標識分配請求後,從預先產生的設備標識(例如從設備標識池)中分配一個設備標識。 Alternatively, after the receiving
分配單元02可以在產生許可資訊時,利用日期、設備資訊、廠商資訊、隨機數中的一種或任意組合,產生許可資訊。也可以從預先產生的許可資訊池中獲取一個標識為可分配的許可資訊,並將該許可資訊在許可資訊池中標識為不可分配。 The
發送單元03負責發送設備標識,供標識寫入設備將設備標識寫入待分配標識的設備。 The sending
為了提高安全性,上述標識分配請求還可以包含密鑰 資訊。分配單元02可以進一步針對待分配標識的設備分配許可資訊。由發送單元03發送許可資訊。驗證單元05判斷接收單元01接收到的許可資訊與分配單元02分配的許可資訊是否一致,如果是,則觸發發送單元03發送設備標識。 In order to improve security, the above-mentioned identification distribution request may also include key information. The allocating
更進一步地,為了保證許可資訊的安全性,加密單元04可以利用密鑰資訊對許可資訊進行加密,由發送單元03將加密後的許可資訊返回給廠商管理設備,由廠商管理設備將加密後的許可資訊以及密鑰資訊提供給標識寫入設備。接收單元01接收標識寫入設備發送的許可資訊,該許可資訊由標識寫入設備對加密後的許可資訊進行解密得到。 Furthermore, in order to ensure the security of the license information, the
維護單元06可以保存針對待分配標識的設備分配的設備標識和許可資訊的對應關係,發送單元03將接收單元01接收到的許可資訊對應的設備標識發送給標識寫入設備。 The
具體地,上述標識分配請求包含的密鑰資訊可以是廠商管理設備產生的公鑰-私鑰對中的公鑰,廠商管理設備提供給標識寫入設備的密鑰資訊可以為公鑰-私鑰對中的私鑰。 Specifically, the key information contained in the aforementioned identity distribution request may be the public key in the public key-private key pair generated by the manufacturer management device, and the key information provided by the manufacturer management device to the identity writing device may be public key-private key The private key of the pair.
除此之外,分配單元02還可以產生密鑰資訊。發送單元03將該密鑰資訊的全部或部分連同設備標識一起發送給標識寫入設備。其中,若分配單元02在產生密鑰資訊時採用對稱加密算法,則發送單元03將該密鑰資訊的 全部連同設備標識一起發送給標識寫入設備。 In addition, the
若分配單元03在產生密鑰資訊時採用非對稱加密算法,則發送單元03將分配單元02針對許可資訊產生的私鑰或公鑰中的一個發送給標識寫入設備。 If the
圖5為本發明實施例提供的另一種裝置結構圖,該裝置可以設置於廠商管理設備,如圖5中所示,該裝置可以包括請求單元11,還可以進一步包括密鑰維護單元12、接收單元13和提供單元14。 Fig. 5 is a structural diagram of another apparatus provided by an embodiment of the present invention. The apparatus can be set in a manufacturer’s management equipment. As shown in Fig. 5, the apparatus may include a
請求單元11負責向安全平台發送標識分配請求,以請求安全平台針對待分配標識的設備產生唯一的設備標識。其中標識分配請求可以包含待分配標識的設備資訊。待分配標識的設備資訊可以包括諸如待分配標識的設備的型號資訊、系統版本資訊以及晶片資訊等中的至少一種。 The
密鑰維護單元12負責維護密鑰資訊,並將該密鑰資訊攜帶在標識分配請求中。接收單元13接收安全平台返回的利用密鑰資訊加密後的許可資訊,由提供單元14將加密後的許可資訊以及密鑰資訊提供給標識寫入設備。 The
密鑰維護單元12可以採用對稱加密算法,那麼維護的密鑰資訊就可以是一個密鑰。也可以採用非對稱算法,那麼密鑰維護單元12可以產生並維護公鑰-私鑰對,此時標識分配請求包含的密鑰資訊為公鑰-私鑰對中的公鑰,提供單元14提供給標識寫入設備的密鑰資訊為公鑰-私鑰對中的私鑰。 The
圖6為本發明實施例提供的再一種裝置結構圖,該裝 置可以設置於標識寫入設備,如圖6中所以,該裝置可以包括:接收單元21和寫入單元22,還可以進一步包括:解密單元23和發送單元24。其中各組成單元的主要功能如下:接收單元21負責接收安全平台針對待分配標識的設備產生的唯一的設備標識。寫入單元22負責將設備標識寫入待分配標識的設備。 Fig. 6 is a structural diagram of yet another apparatus provided by an embodiment of the present invention. The apparatus may be set in an identification writing device. As shown in Fig. 6, the apparatus may include: a receiving
由於安全平台在產生設備標識時,還會產生許可資訊,並會利用廠商管理設備發送的密鑰資訊對產生的許可資訊進行加密,因此接收單元21還可以接收廠商管理設備發送的加密後的許可資訊以及密鑰資訊,解密單元23利用該密鑰資訊對加密後的許可資訊進行解密後,由發送單元24將解密得到的許可資訊發送給安全平台。安全平台驗證接收到的許可資訊與自己產生的許可資訊一致後,將對應的設備標識發送給標識寫入設備。 Since the security platform also generates license information when generating the device identification, and encrypts the generated license information with the key information sent by the manufacturer's management device, the receiving
另外,安全平台還可以產生並維護密鑰資訊,在發送設備標識的同時發送該密鑰資訊中的全部或部分。因此,接收單元21還可以接收連同設備標識一起發送的密鑰資訊。由寫入單元22將密鑰資訊也寫入待分配標識的設備。 In addition, the security platform can also generate and maintain key information, and send all or part of the key information while sending the device identification. Therefore, the receiving
上述的標識寫入設備可以是生產線中的燒錄工具,也就是說,寫入單元22可以採用將設備標識燒錄至待分配標識的設備晶片中的方式。 The above-mentioned identification writing device may be a burning tool in a production line, that is, the
需要說明的是,本發明上述實施例中,廠商管理設 備、標識分配設備以及標識寫入設備之間的通訊可以是直接的資訊發送,也可以經由網路中的其他設備進行的資訊發送,在本發明實施例中不做特別的限制。 It should be noted that, in the above-mentioned embodiments of the present invention, the communication between the manufacturer management device, the identification distribution device, and the identification writing device can be direct information transmission, or information transmission via other devices in the network. There is no particular limitation in the embodiment of the present invention.
對於採用本發明實施例提供的上述方法、裝置和系統產生的設備標識可以供安全平台對設備的身份進行合法性認證。如果設備上報的設備標識是安全平台產生並維護的設備標識,則確定該設備標識對應的設備為合法設備。這一認證可以廣泛地應用於多種業務場景,包括但不限於設備啟動流程、業務資料下發流程、設備資料儲存於雲端的流程;等等,只有合法身份的設備才能夠被啟動,只有針對合法身份的設備才能夠進行業務資料下發,只有合法身份的設備資料才能夠享受儲存於雲端的服務,等等。 The device identification generated by the foregoing method, device, and system provided by the embodiments of the present invention can be used by the security platform to verify the legality of the device's identity. If the device identification reported by the device is a device identification generated and maintained by the security platform, the device corresponding to the device identification is determined to be a legal device. This authentication can be widely used in a variety of business scenarios, including but not limited to the device startup process, the business data issuance process, and the device data storage process in the cloud; etc., only legally-identified devices can be activated, and only for legal Only the equipment with the identity can deliver the business data, and only the equipment with the legal identity can enjoy the service stored in the cloud, and so on.
本發明實施例中所涉及的待分配標識的設備可以是諸如手機、電腦、智慧家居設備、可穿戴設備、智慧醫療器械等。其中電腦可以包括但不限於PC、筆記本電腦、平板電腦等。智慧家居設備可以包括但不限於智慧電視、智慧空調、智慧加濕器、智慧熱水器、智慧廚電設備、智慧門窗、智慧空氣淨化器等。可穿戴設備可以包括但不限於:智慧手環、智慧手錶、智慧眼鏡等等。智慧醫療器械可以包括但不限於:智慧血壓計、智慧體重計、智慧血糖儀、智慧按摩椅等。 The devices to be assigned identifiers involved in the embodiments of the present invention may be, for example, mobile phones, computers, smart home devices, wearable devices, smart medical devices, and the like. The computer may include, but is not limited to, a PC, a notebook computer, a tablet computer, etc. Smart home appliances may include, but are not limited to, smart TVs, smart air conditioners, smart humidifiers, smart water heaters, smart kitchen appliances, smart doors and windows, smart air purifiers, etc. Wearable devices may include, but are not limited to: smart bracelets, smart watches, smart glasses, and so on. Smart medical devices may include, but are not limited to: smart blood pressure monitors, smart weight scales, smart blood glucose meters, smart massage chairs, etc.
另外,對於安全平台而言,可以由一個伺服器完成上述功能,也可以由一個伺服器聯盟來完成上述功能。下面對以伺服器聯盟的實現架構進行描述。 In addition, for the security platform, the above functions can be completed by a server, or by a server alliance. The following describes the implementation architecture of the server alliance.
圖7為本發明實施例提供的一種安全平台的伺服器聯盟架構圖,如圖7中所示,該安全平台可以包括頒發中心和各級分發中心,圖7中以兩級分發中心為例。 FIG. 7 is a server alliance architecture diagram of a security platform provided by an embodiment of the present invention. As shown in FIG. 7, the security platform may include an issuance center and a distribution center at all levels. In FIG. 7, a two-level distribution center is taken as an example.
其中頒發中心負責下發標識產生規則給各級分發中心,由各級分發中心負責接收來自廠商的標識分配請求,然後產生設備標識併發送給設備寫入設備。另外,各級分發中心可以將產生的設備標識上報至頒發中心進行統一備份。這種實現方式下,頒發中心實際上將設備標識的產生權限給各級分發中心,頒發中心僅負責制定和下發標識產生規則以及對設備標識進行統一備份。 Among them, the issuing center is responsible for issuing identification generation rules to distribution centers at all levels, and the distribution centers at all levels are responsible for receiving identification allocation requests from manufacturers, and then generating device identifications and sending them to the device writing device. In addition, the distribution centers at all levels can report the generated device identification to the issuance center for unified backup. In this way of implementation, the issuing center actually assigns the generation authority of the device identification to the distribution centers at all levels, and the issuing center is only responsible for formulating and issuing identification generation rules and uniform backup of the device identification.
其中,頒發中心在下發設備產生規則給各級分發中心時,可以將設備標識的長度、各部分所對應的內容等下發給各級分發中心。仍以上面實施例中所舉的格式“Y-AAAA-BBBB-XXXXXXXX”為例,在將該格式下發給各級分發中心之外,還可以對各級分發中心所採用的隨機數“XXXXXXXX”的號段(即範圍)進行下發,各級分發中心可以在對應的號段內產生隨機數並用以產生設備標識。 Among them, when issuing the equipment generation rules to the distribution centers at all levels, the issuance center can issue the length of the device identification and the content corresponding to each part to the distribution centers at all levels. Still taking the format "Y-AAAA-BBBB-XXXXXXXX" in the above embodiment as an example, in addition to distributing the format to the distribution centers at all levels, the random number "XXXXXXXX" used by the distribution centers at all levels can also be used. "" number segment (that is, range) is issued, and the distribution centers at all levels can generate random numbers in the corresponding number segment and use it to generate equipment identification.
這種分布式地實現方式將對一台伺服器的效能壓力分擔到多台伺服器上,也同時能夠對表徵設備身份的設備標識進行備份,提高安全性。 This distributed implementation will share the performance pressure of one server to multiple servers, and at the same time, it can back up the device identification that characterizes the device's identity, and improve security.
還存在另外一種實現方式,各級分發中心負責接收來自廠商管理設備的標識分配請求,將該標識分配請求轉發給頒發中心,由頒發中心按照標識產生規則產生設備標 識,再經由各級分發中心轉發給標識寫入設備。 There is another implementation method. The distribution centers at all levels are responsible for receiving the identification allocation request from the manufacturer's management equipment, and forward the identification allocation request to the issuing center. The issuing center generates the device identification according to the identification generation rules, and then forwards it through the distribution centers at all levels Write the device to the logo.
在本發明所提供的幾個實施例中,應該理解到,所揭露的系統,裝置和方法,可以通過其它的方式實現。例如,以上所描述的裝置實施例僅僅是示意性的,例如,所述單元的劃分,僅僅為一種邏輯功能劃分,實際實現時可以有另外的劃分方式。 In the several embodiments provided by the present invention, it should be understood that the disclosed system, device, and method may be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of the units is only a logical function division, and there may be other division methods in actual implementation.
所述作為分離部件說明的單元可以是或者也可以不是實體上分開的,作為單元顯示的部件可以是或者也可以不是實體單元,即可以位於一個地方,或者也可以分佈到多個網路單元上。可以根據實際的需要選擇其中的部分或者全部單元來實現本實施例方案的目的。 The unit described as a separate component may or may not be physically separated, and the component displayed as a unit may or may not be a physical unit, that is, it may be located in one place, or it may be distributed to multiple network units . Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
另外,在本發明各個實施例中的各功能單元可以整合在一個處理單元中,也可以是各個單元單獨實體存在,也可以兩個或兩個以上單元整合在一個單元中。上述整合的單元既可以採用硬體的形式實現,也可以採用硬體加軟體功能單元的形式實現。 In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, or each unit may exist separately, or two or more units may be integrated into one unit. The above-mentioned integrated unit can be realized either in the form of hardware, or in the form of hardware plus software functional units.
上述以軟體功能單元的形式實現的整合的單元,可以儲存在一個電腦可讀取儲存介質中。上述軟體功能單元儲存在一個儲存介質中,包括若干指令用以使得一台電腦設備(可以是個人電腦,伺服器,或者網路設備等)或處理器(processor)執行本發明各個實施例所述方法的部分步驟。而前述的儲存介質包括:USB隨身碟、行動硬碟、唯讀記憶體(Read-Only Memory,ROM)、隨機存取記憶體(Random Access Memory,RAM)、磁碟或者光碟等各 種可以儲存程序代碼的介質。 The above-mentioned integrated unit implemented in the form of a software functional unit can be stored in a computer readable storage medium. The above-mentioned software functional unit is stored in a storage medium, and includes a number of instructions to make a computer device (which can be a personal computer, a server, or a network device, etc.) or a processor to execute the various embodiments of the present invention Part of the method. The aforementioned storage media include: USB flash drives, mobile hard drives, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disks or optical disks, etc., which can store programs The medium of the code.
以上所述僅為本發明的較佳實施例而已,並不用以限制本發明,凡在本發明的精神和原則之內,所做的任何修改、等同替換、改進等,均應包含在本發明保護的範圍之內。 The above are only the preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention shall be included in the present invention. Within the scope of protection.
Claims (44)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW106102221A TWI729061B (en) | 2017-01-20 | 2017-01-20 | Method, device and system for generating equipment identification |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW106102221A TWI729061B (en) | 2017-01-20 | 2017-01-20 | Method, device and system for generating equipment identification |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW201828148A TW201828148A (en) | 2018-08-01 |
| TWI729061B true TWI729061B (en) | 2021-06-01 |
Family
ID=63960563
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW106102221A TWI729061B (en) | 2017-01-20 | 2017-01-20 | Method, device and system for generating equipment identification |
Country Status (1)
| Country | Link |
|---|---|
| TW (1) | TWI729061B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113158261B (en) * | 2021-04-28 | 2022-12-06 | 武汉嘟嘟有位科技有限公司 | Method and device for programming equipment codes in batch and computer equipment |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1494032A (en) * | 2003-07-10 | 2004-05-05 | 邱广华 | Method of rapidly obtaining object information using network technology |
| CN1598735A (en) * | 2003-09-18 | 2005-03-23 | 三星电子株式会社 | Method of granting drm license to support plural devices |
| CN102055811A (en) * | 2009-10-27 | 2011-05-11 | 深圳Tcl新技术有限公司 | Method and system for writing equipment ID |
| TWM468695U (en) * | 2013-07-12 | 2013-12-21 | Prec Machinery Res & Dev Ct | Cloud connection monitoring system for processing equipment |
| US20150061829A1 (en) * | 2013-09-05 | 2015-03-05 | At&T Intellectual Property I, Lp | System and method for managing functional features of electronic devices |
-
2017
- 2017-01-20 TW TW106102221A patent/TWI729061B/en not_active IP Right Cessation
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1494032A (en) * | 2003-07-10 | 2004-05-05 | 邱广华 | Method of rapidly obtaining object information using network technology |
| CN1598735A (en) * | 2003-09-18 | 2005-03-23 | 三星电子株式会社 | Method of granting drm license to support plural devices |
| CN102055811A (en) * | 2009-10-27 | 2011-05-11 | 深圳Tcl新技术有限公司 | Method and system for writing equipment ID |
| TWM468695U (en) * | 2013-07-12 | 2013-12-21 | Prec Machinery Res & Dev Ct | Cloud connection monitoring system for processing equipment |
| US20150061829A1 (en) * | 2013-09-05 | 2015-03-05 | At&T Intellectual Property I, Lp | System and method for managing functional features of electronic devices |
Also Published As
| Publication number | Publication date |
|---|---|
| TW201828148A (en) | 2018-08-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106603586B (en) | Method, device and system for generating equipment identifier | |
| WO2017063523A1 (en) | Service authentication method, apparatus and system | |
| CN113132103B (en) | Data cross-domain security sharing system and method | |
| CN101872399B (en) | Dynamic digital copyright protection method based on dual identity authentication | |
| CN100552793C (en) | Method and apparatus and pocket memory based on the Digital Right Management playback of content | |
| US20030191946A1 (en) | System and method controlling access to digital works using a network | |
| TW201507495A (en) | Apparatus and methods for distributing and storing electronic access clients | |
| US11831753B2 (en) | Secure distributed key management system | |
| JP2008501177A (en) | License management in an information distribution system that protects privacy | |
| KR20050074494A (en) | Method and device for authorizing content operations | |
| TW200903215A (en) | Program update method and server | |
| KR20110055510A (en) | Backing up digital content that is stored in a secured storage device | |
| JP2005038411A (en) | Equipment authentication information incorporating system, terminal, equipment authentication information processing method, equipment authentication information processing program, providing server, equipment authentication information providing method, equipment authentication information providing program and storage medium | |
| JP3857610B2 (en) | Succession assurance device, communication device, program, and recording medium | |
| KR20040030454A (en) | Content usage authority management system and management method | |
| JP2018525947A (en) | Confirmation information update method and apparatus | |
| WO2002080448A1 (en) | Information processing apparatus | |
| US20160072772A1 (en) | Process for Secure Document Exchange | |
| CN104104692A (en) | Virtual machine encryption method, decryption method and encryption-decryption control system | |
| CN107247891B (en) | Method for realizing software distribution control by adopting hybrid encryption algorithm | |
| CN111367834A (en) | Self-encrypting driver (SED) | |
| CN104092702A (en) | Network security verification method and system for distributed system | |
| JP2009033721A (en) | Group subordinate terminal, group administrative terminal, server, key updating system and key updating method thereof | |
| JP2007226470A (en) | Authority management server, authority management method, and authority management program | |
| JP2019097148A (en) | Authentication method, authentication device, computer program, and system manufacturing method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| MM4A | Annulment or lapse of patent due to non-payment of fees |