WO2017008640A1 - Access token issuance method and associated device - Google Patents

Access token issuance method and associated device (original title: Procédé d'émission de jeton d'accès, et dispositif associé)

Info

Publication number
WO2017008640A1
Authority
WO
WIPO (PCT)
Prior art keywords
access token
resource
entity
access
token
Prior art date
Application number
PCT/CN2016/087973
Other languages
English (en)
Chinese (zh)
Inventor
周巍 (Zhou Wei)
Original Assignee
电信科学技术研究院 (China Academy of Telecommunications Technology)
Priority date
Filing date
Publication date
Application filed by 电信科学技术研究院
Publication of WO2017008640A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 28/00 Network traffic management; Network resource management
    • H04W 28/16 Central resource management; Negotiation of resources or communication parameters, e.g. negotiating bandwidth or QoS [Quality of Service]

Definitions

  • the present invention relates to the field of communications technologies, and in particular to an access token issuance method and related device.
  • oneM2M, the Internet of Things standardization organization, is dedicated to developing technical specifications for a common Machine-to-Machine (M2M) service layer.
  • M2M Machine-To-Machine
  • the oneM2M functional architecture is shown in Figure 1. Three basic entities are defined:
  • an Application Entity (AE) is located at the application layer and implements M2M application service logic.
  • application service logic can reside in multiple M2M nodes, or as multiple execution instances in a single node. Each execution instance of the application service logic is an application entity, and each application entity is identified by a unique AE identifier (AE-ID).
  • for example, a fleet tracking application instance, a remote blood glucose monitoring application instance, a remote power metering instance, or a control application instance are all application entities.
  • a Common Service Entity (CSE) consists of a set of common service functions in the M2M environment.
  • the common service functions are exposed to other entities through the reference points Mca and Mcc.
  • the reference point Mcn is used to access the underlying network service entity.
  • each common service entity is identified by a unique CSE-ID.
  • NSE Underlying Network Services Entity
  • an Underlying Network Services Entity (NSE) provides underlying network services to multiple CSEs, such as device management, location services, and device triggering services.
  • oneM2M implements service layer resource sharing and interaction through operations on standardized resource trees.
  • the oneM2M resource tree resides in a CSE defined by the oneM2M system; Figure 2 shows an example.
  • CSEBase1 represents a CSE root resource <CSEBase>
  • CSE1 represents a resource <remoteCSE>
  • APP1 represents a resource <AE>
  • CONT1 and CONT2 each represent a resource <container>
  • ACP1 and ACP2 each represent a resource <accessControlPolicy>.
  • the operations Create (C), Retrieve (R), Update (U), and Delete (D) can be performed on resources.
  • the authorization-related resource defined by oneM2M is the access control policy resource <accessControlPolicy>, which defines an Access Control Policy (ACP); each <accessControlPolicy> resource is uniquely identified by its resource identifier (ID).
  • ACP Access Control Policy
  • ID resource identity
  • Other resources specify the applicable access control policy through the accessControlPolicyIDs attribute in the resource.
  • the service subscription information in the oneM2M system is stored in the <m2mServiceSubscriptionProfile> resource.
  • the serviceRoles attribute of that resource stores a list of subscribable Service Role IDs; an AE obtains the corresponding subscribed service by acquiring a subscribable service role. The authority to manage an M2M Node is described in the <serviceSubscribedNode> sub-resource of the <m2mServiceSubscriptionProfile> resource.
  • oneM2M defines three resource types:
  • a normal resource (called a common resource in the rest of this text) has a specific resource structure and resource attributes.
  • a virtual resource has no specific resource structure or resource attributes and is mainly used to trigger a specific process.
  • an announced resource has a specific resource structure and resource attributes; it is a copy of some of the content of a normal resource on another entity, mainly to facilitate resource discovery.
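The resource tree and access control policy mechanism described above (Figure 2, <accessControlPolicy> resources bound to other resources through accessControlPolicyIDs), as an added example in Python; it is not code from the patent or from any oneM2M implementation. The resource identifiers, the dictionary layout, the "all" wildcard originator, and the rule that a resource without its own accessControlPolicyIDs is governed by the nearest ancestor that has one are assumptions made for this example; the operation bit values follow oneM2M's accessControlOperations encoding.

```python
# Added example: a minimal oneM2M-style resource tree with <accessControlPolicy>
# evaluation. Not code from the patent or from any oneM2M implementation.
# Operation bit values follow oneM2M's accessControlOperations encoding.
CREATE, RETRIEVE, UPDATE, DELETE, NOTIFY, DISCOVERY = 1, 2, 4, 8, 16, 32
CRUD = CREATE | RETRIEVE | UPDATE | DELETE

# Constructed tree modelled on Figure 2: resource ID -> attributes.
# "parent" links give the tree shape; accessControlPolicyIDs bind a policy.
TREE = {
    "CSEBase1": {"ty": "CSEBase", "parent": None, "accessControlPolicyIDs": ["ACP1"]},
    "CSE1": {"ty": "remoteCSE", "parent": "CSEBase1", "accessControlPolicyIDs": ["ACP1"]},
    "APP1": {"ty": "AE", "parent": "CSEBase1", "accessControlPolicyIDs": ["ACP2"]},
    "CONT1": {"ty": "container", "parent": "APP1", "accessControlPolicyIDs": ["ACP2"]},
    "CONT2": {"ty": "container", "parent": "APP1"},  # no policy of its own (assumption: inherits)
    "ACP1": {"ty": "accessControlPolicy", "parent": "CSEBase1", "privileges": [
        {"accessControlOriginators": ["CSE1"], "accessControlOperations": CRUD},
    ]},
    "ACP2": {"ty": "accessControlPolicy", "parent": "CSEBase1", "privileges": [
        {"accessControlOriginators": ["APP1"], "accessControlOperations": CRUD},
        {"accessControlOriginators": ["all"], "accessControlOperations": RETRIEVE},  # "all" is an assumed wildcard
    ]},
}


def effective_acp_ids(tree, resource_id):
    """Policy IDs that govern resource_id: its own, else the nearest ancestor's."""
    while resource_id is not None:
        ids = tree[resource_id].get("accessControlPolicyIDs")
        if ids:
            return ids
        resource_id = tree[resource_id]["parent"]
    return []


def is_permitted(tree, originator, operation, resource_id):
    """Grant if any privilege of any applicable ACP lists the originator (or
    "all") and has the operation bit set. Unknown or non-ACP IDs grant nothing."""
    for acp_id in effective_acp_ids(tree, resource_id):
        acp = tree.get(acp_id)
        if acp is None or acp["ty"] != "accessControlPolicy":
            continue
        for priv in acp["privileges"]:
            originators = priv["accessControlOriginators"]
            if ("all" in originators or originator in originators) \
                    and priv["accessControlOperations"] & operation:
                return True
    return False
```

The inheritance walk in effective_acp_ids is the same rule the rest of this page relies on for a virtual resource, whose access control is decided by the accessControlPolicyIDs of its parent; a dangling policy reference deliberately grants nothing rather than falling open.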
  • an embodiment of the present invention provides an access token issuance method and related device, which provide a specific authorization mechanism in a oneM2M system.
  • an access token issuance method including:
  • receiving an access token resource creation request sent by the initiating entity to the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token;
  • the access token root resource is a common resource under the CSE root resource of the common service entity, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
  • the access token root resource has the universal attributes of a common resource and a common attribute specifying an access control policy; the access control policy specified by that common attribute indicates the entities allowed to access the access token root resource and the virtual resource under it.
  • after receiving the access token resource creation request sent by the initiating entity to the access token issuing resource under the access token root resource, the method further includes:
  • the access token resource has the universal attributes of a common resource and an expiration time attribute, an issuer attribute, a holder attribute, and a token attribute, where the expiration time attribute specifies the validity period of the access token resource.
  • the issuer attribute is used to indicate an entity that generates the access token
  • the holder attribute is used to indicate an entity requesting and obtaining the access token
  • the token attribute is used to store the access token.
  • before generating an access token for the initiating entity according to the access token authorization policy and the rights description information, the method further includes:
  • obtaining the access token authorization policy from an access token authorization policy entity.
  • the access token further includes authentication information, where the authentication information includes an entity identifier that generates the access token, an identifier of the initiating entity, and an expiration time;
  • the authorization information of the access token includes a service role and/or an access control policy of the originating entity.
  • generating an access token for the initiating entity according to the access token authorization policy and the permission description information including:
  • an access token issuance method including:
  • the access token root resource is a common resource under the CSE root resource of the common service entity, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
  • the access token root resource has the universal attributes of a common resource and a common attribute specifying an access control policy; the access control policy specified by that common attribute indicates the entities allowed to access the access token root resource and the virtual resource under it.
  • the access token resource has the universal attributes of a common resource and an expiration time attribute, an issuer attribute, a holder attribute, and a token attribute, where the expiration time attribute specifies the validity period of the access token resource.
  • the issuer attribute is used to indicate an entity that generates the access token
  • the holder attribute is used to indicate an entity that requests and obtains the access token
  • the token attribute is used to store the access token.
  • after receiving the address information of the access token resource created by the authorized entity under the access token root resource, the method further includes:
  • the access token further includes authentication information, where the authentication information includes an entity identifier that generates the access token, an entity identifier that requests and holds the access token, and an expiration time;
  • the authorization information of the access token includes a service role and/or an access control policy of the originating entity.
  • the method further includes:
  • an authorized entity including:
  • a receiving module configured to receive an access token resource creation request sent by the initiating entity to the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token;
  • a processing module configured to generate an access token according to the access token authorization policy and the rights description information, where the access token carries at least authorization information, and to create under the access token root resource an access token resource for the generated access token, the access token being stored in the access token resource;
  • a sending module configured to send the access token or address information of the access token resource to the initiating entity
  • the access token root resource is a common resource under the CSE root resource of the common service entity, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
  • the access token root resource has the universal attributes of a common resource and a common attribute specifying an access control policy; the access control policy specified by that common attribute indicates the entities allowed to access the access token root resource and the virtual resource under it.
  • processing module is further configured to:
  • the access token resource has the universal attributes of a common resource and an expiration time attribute, an issuer attribute, a holder attribute, and a token attribute, where the expiration time attribute specifies the validity period of the access token resource.
  • the issuer attribute is used to indicate an entity that generates the access token
  • the holder attribute is used to indicate an entity that requests and obtains the access token
  • the token attribute is used to store the access token.
  • the processing module is further configured to: obtain the access token authorization policy from an access token authorization policy entity.
  • the access token further includes authentication information, where the authentication information includes an entity identifier that generates the access token, an identifier of the initiating entity, and an expiration time;
  • the authorization information of the access token includes a service role and/or an access control policy of the originating entity.
  • processing module is specifically configured to:
  • the sending module is further configured to:
  • the receiving module is further configured to:
  • an originating entity including:
  • a sending module configured to send, to the authorized entity, an access token resource creation request for the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token;
  • a receiving module configured to receive an access token returned by the authorized entity, or to receive address information of an access token resource created by the authorized entity under the access token root resource, where the access token resource stores an access token and the access token carries at least authorization information;
  • the access token root resource is a common resource under the CSE root resource of the common service entity, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
  • the access token root resource has the universal attributes of a common resource and a common attribute specifying an access control policy; the access control policy specified by that common attribute indicates the entities allowed to access the access token root resource and the virtual resource under it.
  • the access token resource has the universal attributes of a common resource and an expiration time attribute, an issuer attribute, a holder attribute, and a token attribute, where the expiration time attribute specifies the validity period of the access token resource.
  • the issuer attribute is used to indicate an entity that generates the access token
  • the holder attribute is used to indicate an entity that requests and obtains the access token
  • the token attribute is used to store the access token.
  • an obtaining module is also included, configured to:
  • after the receiving module receives the address information of the access token resource created by the authorized entity under the access token root resource, obtain the access token according to that address information.
  • the access token further includes authentication information, where the authentication information includes an entity identifier that generates the access token, an entity identifier that requests and holds the access token, and an expiration time;
  • the authorization information of the access token includes a service role and/or an access control policy of the originating entity.
  • the sending module is further configured to:
  • an authorization entity including: a processor, a transceiver, and a memory;
  • the processor is configured to read a program in the memory and perform the following process:
  • receiving an access token resource creation request sent by the initiating entity to the access token issuing resource under the access token root resource, where the access token resource creation request carries the permission description information of the requested access token;
  • an originating entity including: a processor, a transceiver, and a memory;
  • the processor is configured to read a program in the memory and perform the following process:
  • sending, to the authorized entity, an access token resource creation request for the access token issuing resource under the access token root resource, where the access token resource creation request carries the permission description information of the requested access token;
  • the access token carries at least authorization information.
  • an access token root resource whose resource type is a common resource is defined under the CSE root resource, and an access token issuing resource whose resource type is a virtual resource is defined under the access token root resource.
  • FIG. 1 is a schematic diagram of a oneM2M functional architecture in the prior art
  • FIG. 2 is a schematic structural diagram of a oneM2M resource tree in the prior art
  • FIG. 3 is a schematic diagram of the relationships between the three resources defined in an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a basic structure of an ⁇ accessToken> resource according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of a process for an authorization entity to issue an access token according to an embodiment of the present invention
  • FIG. 6 is a schematic diagram of a process for an originating entity to request an access token according to an embodiment of the present invention
  • FIG. 7 is a schematic diagram of a process of using an access token by a managed entity according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of a basic process of issuing and using an access token according to an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of a specific implementation process of issuing and using an access token according to an embodiment of the present invention.
  • FIG. 10 is a schematic diagram of another specific implementation process of issuing and using an access token according to an embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of an authorization entity according to an embodiment of the present invention.
  • FIG. 12 is a schematic structural diagram of another authorized entity according to an embodiment of the present invention.
  • FIG. 13 is a schematic structural diagram of an initiating entity according to an embodiment of the present invention.
  • FIG. 14 is a schematic structural diagram of another initiating entity according to an embodiment of the present invention.
  • three oneM2M resources are defined to implement an authorization access token (Access Token).
  • Access Token an authorization access token
  • the three oneM2M resources defined are: the access token root resource <accessTokens>, the access token issuing resource <accessTokenIssuing>, and the access token resource <accessToken>.
  • the relationship between the three is shown in Figure 3.
  • the <accessTokens> resource is defined as a sub-resource of the CSE root resource <CSEBase>; its resource type is oneM2M common resource, and a <CSEBase> resource may have zero or more <accessTokens> resources.
  • the <accessTokens> resource has the universal attributes of a oneM2M common resource and the common attribute accessControlPolicyIDs, which specifies an access control policy; the access control of the virtual resource under the <accessTokens> resource is also governed by this attribute.
  • the AE entities and CSE entities allowed to access the <accessTokens> resource and the virtual resource under it are those defined in the access control policy specified by that common attribute.
  • the <accessTokenIssuing> resource is a sub-resource under the <accessTokens> resource, and an <accessTokens> resource has one <accessTokenIssuing> resource.
  • the resource type of the <accessTokenIssuing> resource is oneM2M virtual resource, so it has no resource attributes and no child resources.
  • a oneM2M virtual resource is mainly used to trigger a process.
  • a Create request for the <accessTokenIssuing> resource triggers an access token issuance process.
  • the access control of the <accessTokenIssuing> resource is determined by the access control policy specified by the accessControlPolicyIDs attribute of its parent resource <accessTokens>.
  • the accessControlPolicyIDs attribute thus specifies which AE entities and CSE entities can access the <accessTokenIssuing> resource, that is, apply for an access token.
  • the <accessToken> resource is a sub-resource under the <accessTokens> resource, and an <accessTokens> resource can contain zero or more <accessToken> resources.
  • each <accessToken> represents an access token issued by an authorized entity; its resource type is oneM2M normal (common) resource.
  • the basic structure of <accessToken> is shown in Figure 4.
  • the <accessToken> resource contains the common attribute expirationTime and three newly defined resource attributes.
  • expirationTime specifies the validity period of the resource, which is the same as the validity period of the access token.
  • the three newly defined resource attributes are:
  • issuer: the issuer of the access token, specifically the CSE identifier (CSE-ID) of the CSE that generated the access token.
  • CSE-ID CSE identifier
  • holder: the holder of the access token, specifically the AE identifier (AE-ID) or CSE identifier (CSE-ID) of the entity that requested and holds the access token.
  • AE-ID AE identifier
  • token: stores the issued access token.
  • Originating Entity: the owner of the access token in the oneM2M system, specifically an AE entity or CSE entity that needs to access resources in the managed entity;
  • Authorization Entity: the issuer of the access token in the oneM2M system, specifically a CSE entity with the access token issuing capability;
  • Managed Entity (also rendered "escrow entity" in this text): the user of the access token in the oneM2M system, specifically a CSE entity that provides resource access and serves the originating entity's resource access requests according to the access rights described in the access token;
  • Access Token Authorization Policy Entity: provides the access token authorization policy to the authorization entity; the policy is used to determine the permissions written into the access token;
  • Security Function Entity: digitally signs and/or encrypts the access token plaintext to produce the access token, or decrypts the access token and/or verifies its digital signature to recover the access token plaintext.
  • the access token in the embodiment of the present invention is defined as carrying the authorization information applied in the oneM2M environment, mainly a service role and/or an access control policy.
  • the service role carried in the access token is used for Role Based Access Control (RBAC). The access token also carries authentication information: the CSE identifier that generated the access token (the issuer identifier), the identifier of the entity that requested and holds the access token (the holder identifier), and the expiration time.
  • RBAC Role Based Access Control
  • when a role is carried, the escrow entity evaluates the resource access request of the initiating entity using the role carried in the access token and the role-based access control policy stored locally by the escrow entity, to determine whether to grant the resource access request of the initiating entity.
  • the access control policy carried in the access token is the token holder's private authorization policy.
  • when an access control policy is carried, the escrow entity uses the access control policy carried in the access token to evaluate the resource access request of the originating entity and determine whether to grant it.
  • when both are carried, the escrow entity uses the role and the access control policy carried in the access token to evaluate the resource access request of the initiating entity and determine whether to grant it.
  • the specific format of the access token is not limited in the embodiment of the present invention.
  • the format of the access token need only be agreed among the authorized entity, the initiating entity and the escrow entity so that the access token can be used correctly.
  • the scope of protection of the present invention is not limited by the specific format of the access token.
  • the detailed method for issuing an access token by an authorized entity is as follows:
  • Step 501: receive an access token resource creation request sent by the initiating entity to the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token.
  • the access token root resource is a common resource under the CSE root resource, and the access token issuing resource is a virtual resource under the access token root resource.
  • the access control policy specified by the common attribute of the access token root resource indicates the entities allowed to access the access token root resource and the virtual resource under it. Therefore, after receiving the access token resource creation request sent by the initiating entity to the access token issuing resource under the access token root resource, and before generating the access token for the initiating entity, the authorization entity determines, according to that common attribute, that the initiating entity is allowed to access the virtual resource under the access token root resource.
  • a resource creation operation on the access token issuing resource triggers the access token issuance process.
  • Step 502: generate an access token for the initiating entity according to the access token authorization policy and the permission description information carried in the access token resource creation request, where the access token carries at least the authorization information, and create under the access token root resource an access token resource for the generated access token, the access token being stored in the access token resource.
  • the access token resource has the universal attributes of a common resource and an expiration time attribute, an issuer attribute, a holder attribute and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, that is, the identifier of the authorization entity, and the holder attribute indicates the entity that requested and holds the access token, that is, the identifier of the initiating entity.
  • the access token generated by the authorization entity, which is the access token stored in the token attribute, includes authentication information in addition to the authorization information.
  • the authentication information includes the identifier of the authorization entity that generated the access token (the issuer identifier), the identifier of the originating entity that requested and holds the access token (the holder identifier), and an expiration time, which defines the validity period of the access token.
  • the authorization information includes a service role of the initiating entity and/or an access control policy.
  • the access token authorization policy is stored in the access token authorization policy entity; before generating the access token for the initiating entity according to the access token authorization policy and the rights description information, the authorization entity obtains the access token authorization policy from the access token authorization policy entity.
  • the access token authorization policy entity stores the correspondence between access token authorization policies, initiating entities and authorization entities.
  • the access token authorization policy entity contains one authorization entity resource tree per authorization entity.
  • each authorization entity resource tree contains the access token authorization policy resources of the different initiating entities.
  • the privilege description information is used to describe the privilege of the requesting entity, and the privilege may be the requested service role, or the requested access control policy, or the service role and the access control policy.
  • the service role issued to the initiating entity in the authorization information is the service role that is both requested in the permission description information and allowed for the initiating entity by the access token authorization policy.
  • the access control policy issued to the initiating entity in the authorization information is the access control policy corresponding to the authority that is both requested in the permission description information and allowed for the initiating entity by the access token authorization policy.
  • the access token authorization policy is used to determine whether to issue an access token to the initiating entity and to determine the permissions written into the access token, that is, the authority granted to the holder of the access token. The specific policy is not limited: those skilled in the art can apply existing authorization policies to the present invention in combination with the specific application, and the scope of protection of the present invention is not limited thereto.
  • if the authorization entity determines, according to the access token authorization policy and the rights description information, that an access token is not to be issued to the initiating entity, it does not perform step 503 and instead returns an error message to the initiating entity.
  • Step 503 Send the address information of the access token or the access token resource to the initiating entity.
  • the access token resource is a common resource under the access token root resource.
  • the authorization entity generates the access token plaintext according to the access token authorization policy and the rights description information, and sends the generated plaintext to the security function entity, which digitally signs and/or encrypts it to obtain the access token and returns it; the authorization entity receives the access token returned by the security function entity and sends it to the initiating entity.
  • the digital signature algorithm and the encryption algorithm used by the security function entity are not limited; existing digital signature and encryption algorithms can be used, and the scope of protection of the present invention is not subject to this limitation.
  • the detailed method for the initiating entity to request an access token is as follows:
  • Step 601: send an access token resource creation request for the access token issuing resource under the access token root resource to the authorized entity, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token.
  • the access token root resource has the universal attributes of a common resource and a common attribute specifying an access control policy, and the access control policy specified by that common attribute indicates the entities allowed to access the access token root resource and the virtual resource under it.
  • the privilege description information is used to describe the privilege of the requesting entity, and the privilege may be the requested service role, or the requested access control policy, or the service role and the access control policy.
  • Step 602 Receive an access token returned by the authorized entity, or receive the address information of the access token resource created by the authorized entity under the access token root resource, where the access token is stored with an access token, and the access token carries at least Authorization information.
  • The access token root resource is a common resource under the CSE root resource, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
  • The access token resource has the common attributes of a common resource together with an expiration time attribute, an issuer attribute, a holder attribute, and a token attribute.
  • The expiration time attribute specifies the validity period of the access token resource; the issuer attribute indicates the entity that generated the access token; the holder attribute indicates the entity that requested and obtained the access token; and the token attribute stores the access token.
  • If the initiating entity receives the address information of the access token resource created by the authorized entity under the access token root resource, the initiating entity obtains the access token according to that address information.
  • In addition to the authorization information, the access token carries authentication information, which includes the identifier of the entity that generated the access token, the identifier of the entity that requested and holds the access token, and an expiration time; the authorization information includes the service role and/or the access control policy of the initiating entity.
  • The service role issued to the initiating entity in the authorization information is the service role requested in the permission description information that the access token authorization policy allows to be issued to the initiating entity.
  • The access control policy issued to the initiating entity in the authorization information is the access control policy corresponding to the permission requested in the permission description information that the access token authorization policy allows the initiating entity to use.
  • The initiating entity sends a resource access request to the authorized entity, where the resource access request carries the access token.
  • Step 701: Receive a resource access request sent by the initiating entity, where the resource access request carries an access token.
  • The access token carries at least authorization information, and the authorization information includes the service role and/or the access control policy of the initiating entity.
  • In addition to the authorization information, the access token carries authentication information, which includes the identifier of the entity that generated the access token, the identifier of the entity that requested and holds the access token, and an expiration time.
  • After the escrow entity obtains the access token from the resource access request, it determines whether the access token is valid according to preset conditions, as follows:
  • The preset conditions can include the following:
  • the identifier of the requesting and holding entity carried in the access token is the same as the identifier of the originating entity; and/or
  • the expiration time carried in the access token has not passed. If the conditions are met, the access token is determined to be valid.
  • If the escrow entity determines that the access token is invalid, step 702 is not performed and an error message is returned to the initiating entity.
  • Step 702: Determine, according to the authorization information in the access token, whether the resource access request of the initiating entity is within the authorized scope and, if it is, execute the resource access request of the initiating entity.
  • If the authorization information includes only a service role, the locally saved service-role-based access control policy is obtained according to the service role in the access token, and whether the resource access request of the initiating entity is within the authorized scope is determined according to that service-role-based access control policy. If the authorization information includes only an access control policy, the determination is made according to the access control policy in the access token. If the authorization information includes both a service role and an access control policy, the determination is made according to both the service role and the access control policy in the access token.
  • After obtaining the access token from the resource access request, the escrow entity sends the access token to the security authentication entity; the security authentication entity decrypts the access token and/or verifies its digital signature, obtains the access token plaintext and returns it. The escrow entity receives the plaintext returned by the security authentication entity, obtains the authorization information from it, and determines whether the resource access request of the originating entity is within the authorized scope according to the obtained authorization information.
  • The authorized entity and the escrow entity may be deployed in the same physical device or in different physical devices.
  • A security association is established by mutual authentication using the method provided by oneM2M, ensuring the integrity and confidentiality of communication between the two entities; for the specific way of establishing a security association through mutual authentication, see the oneM2M specifications, which are not detailed here.
  • The access token issuance and use process provided by the present invention is illustrated by two specific embodiments.
  • In the first embodiment, an oneM2M Infrastructure Node (IN-CSE) acting as the authorized entity issues an access token containing a Service Role to the initiating entity (AE-1); the initiating entity AE-1 uses the access token to access the device management resource in the managed entity (CSE-1); the node where CSE-1 is located is Node-1.
  • The security function entity accessible to the IN-CSE and the security function entity accessible to CSE-1 share a symmetric key Ks used for access token encryption and decryption;
  • The security function entity accessible to the IN-CSE has a private key Kprv for signing the access token plaintext;
  • The security function entity accessible to CSE-1 has a public key certificate INcert for verifying the IN-CSE digital signature, which contains the public key Kpub matching Kprv.
  • An <accessTokens-1> resource responsible for issuing access tokens is created under the root resource <CSEBase> of the IN-CSE resource tree; resources such as <m2mServiceSubscriptionProfile>, <serviceSubscribedNode>, and <serviceSubscribedAppRule> defined in the IN-CSE resource tree describe the roles that an application service provider's application entity can have and the M2M Nodes it can manage.
  • Step 901: AE-1 and the IN-CSE establish a security association by mutual authentication.
  • Step 902: AE-1 sends to the IN-CSE an <accessToken> resource creation request targeting the sub-resource <accessTokenIssuing> of the <accessTokens-1> resource in the IN-CSE resource tree; the request asks that Node-1, where CSE-1 is located, perform the device diagnostic function, that is, AE-1 wants to obtain an access token containing the "Device Diagnostics and Management" role.
  • Step 903: After the IN-CSE receives the request from AE-1, the access token issuance process triggered by the request does the following:
  • obtain the required access token authorization policy from the IN-CSE resource tree acting as the access token authorization policy entity, that is, the <m2mServiceSubscriptionProfile>, <serviceSubscribedNode>, and <serviceSubscribedAppRule> resources related to AE-1;
  • request the security function entity to digitally sign the access token plaintext with the private key Kprv, and then encrypt the access token plaintext and the signature result with the symmetric key Ks to generate the access token AE-Token-1.
  • Step 904: The IN-CSE sends the generated access token AE-Token-1 to AE-1.
  • Step 905: AE-1 and CSE-1 establish a security association by mutual authentication.
  • Step 906: AE-1 sends a device diagnostic request to CSE-1 on Node-1, where the request includes the access token AE-Token-1.
  • Step 907: CSE-1 receives the device diagnosis request from AE-1, extracts the access token AE-Token-1 from the request, and then does the following:
  • request the security function entity to decrypt the access token with Ks, and then verify the digital signature of the access token with the public key Kpub in INcert; if the signature is correct, proceed to the next step;
  • Step 908: CSE-1 returns the execution result to AE-1.
  • In the second embodiment, the authorized entity and the escrow entity are the same entity, that is, CSE-1.
  • The access token issuance and use process is similar to that of the first embodiment, except that:
  • the security mechanism protecting the access token in the security function entity can adopt a simple symmetric key mechanism, that is, both integrity and confidentiality protection of the access token are implemented with the symmetric key;
  • CSE-1 cannot issue an access token containing a Service Role.
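  • The issuance path (steps 601 to 603 and 903) and the validation path at the escrow entity (steps 701, 702 and 907) as an added example; this is not code from the patent or from oneM2M. It reduces the protection of the token to an HMAC-SHA256 tag under the shared key Ks, a stand-in for the sign-and-encrypt step the security function entity performs, and all names (issue_token, validate_token, authorize, handle_resource_access, AUTHZ_POLICY, ROLE_ACPS, KS) and sample policy data are constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed sample policy data: stands in for the <m2mServiceSubscriptionProfile>,
# <serviceSubscribedNode> and <serviceSubscribedAppRule> resources that the
# authorized entity consults as its access token authorization policy.
AUTHZ_POLICY = {
    "AE-1": {
        "roles": {"Device Diagnostics and Management", "Firmware Update"},
        "acps": [{"resource": "/CSE-1/deviceInfo", "ops": ["RETRIEVE"]}],
    },
}

# Constructed: service-role-based access control policies saved locally at the
# escrow (hosting) entity CSE-1, looked up when a token carries only a role.
ROLE_ACPS = {
    "Device Diagnostics and Management": [
        {"resource": "/CSE-1/deviceDiagnostics", "ops": ["RETRIEVE", "UPDATE"]},
    ],
}

# Constructed symmetric key Ks shared by the two security function entities.
# HMAC-SHA256 under Ks stands in for the sign-and-encrypt protection step.
KS = b"constructed-shared-key-Ks"


def issue_token(issuer, holder, requested_roles, requested_acps, lifetime_s, now=None):
    """Authorized entity (steps 601 to 603 / 903): filter the requested
    permissions against the authorization policy, build the token plaintext
    (authentication info + authorization info) and protect it."""
    now = time.time() if now is None else now
    policy = AUTHZ_POLICY.get(holder, {"roles": set(), "acps": []})
    roles = sorted(set(requested_roles) & policy["roles"])      # roles the policy allows
    acps = [a for a in requested_acps if a in policy["acps"]]   # ACPs the policy allows
    if not roles and not acps:
        raise PermissionError("nothing in the request is allowed by the policy")
    plaintext = {
        "issuer": issuer,             # entity that generated the token
        "holder": holder,             # entity that requested and holds it
        "expires": now + lifetime_s,  # expiration time
        "roles": roles,               # authorization info: service roles
        "acps": acps,                 # authorization info: access control policies
    }
    body = json.dumps(plaintext, sort_keys=True).encode()
    tag = hmac.new(KS, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag    # token as handed to the initiating entity


def validate_token(token, originator, now=None):
    """Escrow entity, step 701: verify protection, then the preset conditions
    (holder equals the request originator, expiration time not passed).
    Returns (plaintext, None) on success or (None, reason) on failure."""
    now = time.time() if now is None else now
    body_hex, _, tag = token.partition(".")
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None, "malformed token"
    expected = hmac.new(KS, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None, "integrity check failed"
    plaintext = json.loads(body)
    if plaintext["holder"] != originator:
        return None, "holder does not match originator"
    if now >= plaintext["expires"]:
        return None, "token expired"
    return plaintext, None


def authorize(plaintext, resource, operation):
    """Escrow entity, step 702: roles are resolved to the locally saved
    role-based ACPs, ACPs carried in the token apply directly; the request is
    within scope if any resulting ACP grants the operation on the resource."""
    candidates = []
    for role in plaintext.get("roles", []):
        candidates.extend(ROLE_ACPS.get(role, []))
    candidates.extend(plaintext.get("acps", []))
    return any(c["resource"] == resource and operation in c["ops"] for c in candidates)


def handle_resource_access(token, originator, resource, operation, now=None):
    """Steps 701 and 702 end to end: returns (allowed, reason)."""
    plaintext, reason = validate_token(token, originator, now)
    if plaintext is None:
        return False, reason            # step 702 skipped, error returned
    if not authorize(plaintext, resource, operation):
        return False, "request outside authorization scope"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_000_000
    tok = issue_token("IN-CSE", "AE-1", ["Device Diagnostics and Management"], [], 600, now=t0)
    print(handle_resource_access(tok, "AE-1", "/CSE-1/deviceDiagnostics", "UPDATE", now=t0 + 60))
    print(handle_resource_access(tok, "AE-2", "/CSE-1/deviceDiagnostics", "UPDATE", now=t0 + 60))
```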
  • An authorization entity is provided in an embodiment of the present invention.
  • The authorization entity mainly includes:
  • a receiving module 1101, configured to receive an access token resource creation request sent by the initiating entity for the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token;
  • a processing module 1102, configured to generate an access token for the initiating entity according to the access token authorization policy and the permission description information, where the access token carries at least authorization information, and to create the access token resource of the generated access token under the access token root resource, the access token being stored in the access token resource;
  • a sending module 1103, configured to send the access token, or the address information of the access token resource, to the initiating entity.
  • The access token root resource is a common resource under the CSE root resource, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
  • The access token root resource has the common attributes of a common resource and a public attribute specifying an access control policy; the access control policy specified by that public attribute indicates which entities are allowed to access the access token root resource and the virtual resource under it.
  • The processing module 1102 is further configured to:
  • The access token resource has the common attributes of a common resource together with an expiration time attribute, an issuer attribute, a holder attribute, and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
  • The processing module 1102 is further configured to obtain the access token authorization policy from an access token authorization policy entity.
  • The access token further carries authentication information, which includes the identifier of the entity that generated the access token, the identifier of the initiating entity, and an expiration time;
  • the authorization information of the access token includes the service role and/or the access control policy of the originating entity.
  • The processing module 1102 is specifically configured to:
  • The sending module 1103 is further configured to:
  • The receiving module 1101 is further configured to:
  • The authorized entity is a CSE entity.
  • Another authorization entity is provided in an embodiment of the present invention.
  • The authorization entity mainly includes a processor 1201, a memory 1202 and a transceiver 1203; the transceiver 1203 is configured to receive and transmit data under the control of the processor 1201, a preset program is saved in the memory 1202, and the processor 1201 is configured to read the program stored in the memory 1202 and perform the following process according to the program:
  • receive an access token resource creation request sent by the initiating entity for the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token;
  • generate an access token for the initiating entity according to the access token authorization policy and the permission description information, where the access token carries at least authorization information, and create the access token resource of the generated access token under the access token root resource, the access token being stored in the access token resource;
  • send the access token, or the address information of the access token resource, to the initiating entity through the transceiver 1203.
  • The access token root resource is a common resource under the CSE root resource, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
  • The access token root resource has the common attributes of a common resource and a public attribute specifying an access control policy; the access control policy specified by that public attribute indicates which entities are allowed to access the access token root resource and the virtual resource under it.
  • The processor 1201 determines, according to the public attribute of the access token root resource that specifies the access control policy, that the initiating entity is allowed to access the virtual resource under the access token root resource.
  • The access token resource has the common attributes of a common resource together with an expiration time attribute, an issuer attribute, a holder attribute, and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
  • The processor 1201 obtains the access token authorization policy from the access token authorization policy entity.
  • The access token further carries authentication information, which includes the identifier of the entity that generated the access token, the identifier of the initiating entity, and an expiration time;
  • the authorization information of the access token includes the service role and/or the access control policy of the originating entity.
  • The processor 1201 generates an access token plaintext according to the access token authorization policy and the permission description information and sends it to the security function entity through the transceiver 1203; the security function entity digitally signs and/or encrypts the plaintext to obtain the access token and returns it, and the transceiver 1203 receives the access token returned by the security function entity.
  • The authorized entity is a CSE entity.
  • The bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors, represented by the processor, and memory, represented by the memory.
  • The bus architecture may also link various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art and are therefore not further described herein.
  • The bus interface provides an interface.
  • The transceiver may be a plurality of components, including a transmitter and a receiver, providing means for communicating with various other devices over a transmission medium.
  • The processor is responsible for managing the bus architecture and general processing, and the memory may store data used by the processor when performing operations.
  • An embodiment of the present invention provides an initiating entity.
  • The initiating entity mainly includes:
  • a sending module 1301, configured to send to the authorized entity an access token resource creation request for the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token;
  • a receiving module 1302, configured to receive the access token returned by the authorized entity, or the address information of the access token resource created by the authorized entity under the access token root resource, where the access token resource stores the access token and the access token carries at least authorization information;
  • The access token root resource is a common resource under the CSE root resource of the common services entity (CSE), the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
  • The access token root resource has the common attributes of a common resource and a public attribute specifying an access control policy; the access control policy specified by that public attribute indicates which entities are allowed to access the access token root resource and the virtual resource under it.
  • The access token resource has the common attributes of a common resource together with an expiration time attribute, an issuer attribute, a holder attribute, and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
  • An obtaining module 1303 is further included, configured to obtain the access token according to the address information after the receiving module 1302 receives the address information of the access token resource created by the authorized entity under the access token root resource.
  • The access token further carries authentication information, which includes the identifier of the entity that generated the access token, the identifier of the entity that requested and holds the access token, and an expiration time;
  • the authorization information of the access token includes the service role and/or the access control policy of the originating entity.
  • The sending module 1301 is further configured to send a resource access request, where the resource access request carries the access token.
  • The originating entity is an AE entity or a CSE entity.
  • An embodiment of the present invention further provides another initiating entity.
  • The initiating entity mainly includes a processor 1401, a memory 1402 and a transceiver 1403; the transceiver 1403 is configured to receive and transmit data under the control of the processor 1401, a preset program is saved in the memory 1402, and the processor 1401 is configured to read the program stored in the memory 1402 and perform the following process according to the program:
  • The access token root resource is a common resource under the CSE root resource of the common services entity (CSE), the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
  • The access token root resource has the common attributes of a common resource and a public attribute specifying an access control policy; the access control policy specified by that public attribute indicates which entities are allowed to access the access token root resource and the virtual resource under it.
  • The access token resource has the common attributes of a common resource together with an expiration time attribute, an issuer attribute, a holder attribute, and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
  • After receiving, through the transceiver 1403, the address information of the access token resource created by the authorized entity under the access token root resource, the processor 1401 obtains the access token according to the address information.
  • The access token further carries authentication information, which includes the identifier of the entity that generated the access token, the identifier of the entity that requested and holds the access token, and an expiration time;
  • the authorization information of the access token includes the service role and/or the access control policy of the originating entity.
  • The processor 1401 instructs the transceiver 1403 to send a resource access request, where the resource access request carries the access token.
  • The originating entity is an AE entity or a CSE entity.
  • The bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors, represented by the processor, and memory, represented by the memory.
  • The bus architecture may also link various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art and are therefore not further described herein.
  • The bus interface provides an interface.
  • The transceiver may be a plurality of components, including a transmitter and a receiver, providing means for communicating with various other devices over a transmission medium.
  • The processor is responsible for managing the bus architecture and general processing, and the memory may store data used by the processor when performing operations.
  • An access token issuing resource whose resource type is virtual resource is defined under the access token root resource, an access token resource whose resource type is common resource is defined under the access token root resource, and the access token resource creation operation on the access token issuing resource is defined to trigger the access token issuance process. Therefore, when the access token resource creation request of the originating entity for the access token issuing resource under the access token root resource is received, the access token issuance process is triggered, an access token is generated for the initiating entity according to the access token authorization policy and the permission description information, and an access token resource is created, thereby implementing a mechanism for authorization by access token in the oneM2M system.
  • Embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
  • The computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction device, and the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to an access token issuance method and a related device, which are used to provide a specific authorization mechanism in an M2M system. The method comprises: receiving an access token resource creation request, sent by an initiating entity, for an access token issuing resource under an access token root resource, the access token resource creation request carrying an identity of the initiating entity and permission description information of the requested access token; generating, according to an access token authorization policy and the permission description information, an access token for the initiating entity, the access token carrying at least authorization information, and creating the access token resource of the generated access token under the access token root resource; and sending the access token, or address information of the access token resource, to the initiating entity. The access token root resource is a common resource under a CSE root resource, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
PCT/CN2016/087973 2015-07-16 2016-06-30 Access token issuance method and related device WO2017008640A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510419740.3A CN106358246B (zh) 2015-07-16 2015-07-16 Access token issuance method and related device
CN201510419740.3 2015-07-16

Publications (1)

Publication Number Publication Date
WO2017008640A1 true WO2017008640A1 (fr) 2017-01-19

Family

ID=57757803

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/087973 WO2017008640A1 (fr) 2015-07-16 2016-06-30 Access token issuance method and related device

Country Status (2)

Country Link
CN (1) CN106358246B (fr)
WO (1) WO2017008640A1 (fr)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108667791B (zh) * 2017-12-18 2021-01-01 中国石油天然气股份有限公司 Identity authentication method
CN110197075B (zh) * 2018-04-11 2023-03-17 腾讯科技(深圳)有限公司 Resource access method, apparatus, computing device and storage medium
CN110858833B (zh) * 2018-08-22 2022-09-30 京东方科技集团股份有限公司 Access control policy configuration method, apparatus and system, and storage medium
CN109902499A (zh) * 2019-03-13 2019-06-18 广州市网星信息技术有限公司 Resource authorization and access method, apparatus, system, device and storage medium
WO2024145948A1 (fr) * 2023-01-06 2024-07-11 北京小米移动软件有限公司 Authorization methods and apparatuses, communication device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546648A (zh) * 2012-01-18 2012-07-04 Ut斯达康通讯有限公司 Method for resource access authorization
CN103188229A (zh) * 2011-12-30 2013-07-03 上海贝尔股份有限公司 Method and device for secure content access
EP2890073A1 (fr) * 2013-12-31 2015-07-01 Gemalto SA System and method for securing machine-to-machine communications

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104093118A (zh) * 2014-03-05 2014-10-08 中兴通讯股份有限公司 Resource announcement method, machine-to-machine node and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Functional Architecture, TS-001-V1.6.1", ONEM2M TECHNICAL SPECIFICATION, 30 January 2015 (2015-01-30), XP055344950 *

Also Published As

Publication number Publication date
CN106358246B (zh) 2020-01-24
CN106358246A (zh) 2017-01-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16823787; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16823787; Country of ref document: EP; Kind code of ref document: A1)