WO2018227693A1 - Method and system for acquiring usage permissions of internet of things-based equipment - Google Patents

Publication number
WO2018227693A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
delegation
request
information
internet
Prior art date
Application number
PCT/CN2017/093335
Other languages
French (fr)
Chinese (zh)
Inventor
杜光东
Original Assignee
深圳市盛路物联通讯技术有限公司
Priority date
Filing date
Publication date
Application filed by 深圳市盛路物联通讯技术有限公司
Publication of WO2018227693A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Definitions

  • The embodiments of the present invention belong to the field of information security of the Internet of Things, and particularly relate to a method and system for acquiring usage rights of Internet of Things devices.
  • The Internet of Things is connected to the Internet. It is predicted to be the next technological and economic wave in the global information industry after the Internet, and it is valued by governments, enterprises and TECH. The United States, the European Union, Japan and others have even incorporated it into national and regional informatization strategies. At present, IoT applications face many problems in the development process. For example, in the Internet of Things, for a city's various facilities and public services, each user in the city can be either a provider or a user; that is, users can use their own personal facilities or other things through the Internet of Things.
  • Embodiments of the present invention provide a method and system for acquiring device usage rights based on the Internet of Things, which are intended to solve the problems that the transfer of various facilities in the prior-art Internet of Things cannot guarantee the security of the transferred information or protect the owner's private information.
  • a method for acquiring a device usage right based on an Internet of Things includes:
  • A second aspect of the embodiments of the present invention provides a device usage right acquisition system based on the Internet of Things, where the system includes:
  • a delegation credential obtaining unit configured to receive a user's request for the usage right of a device, obtain the user information according to that request, and receive the delegation credential sent by the owner;
  • a delegation credential verification unit configured to decrypt the delegation credential and verify the validity of the delegation credential;
  • a condition judging unit configured to determine, according to the validity of the delegation credential, whether the user's request for the usage right of the device meets the conditions for obtaining the usage right of the device;
  • an authorization credential generating unit configured to generate an authorization credential when the user's request for the usage right of the device meets the conditions for obtaining the usage right of the device;
  • an authorization credential encryption unit configured to encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
  • A third aspect of the embodiments of the present invention provides an Internet of Things-based device usage right acquisition system, including a memory, a processor, and a computer program stored in the memory and operable on the processor. The processor executes the computer program to implement the steps of any one of the Internet of Things-based device usage right acquisition methods.
  • A fourth aspect of the embodiments of the present invention provides a computer readable storage medium, where the computer readable storage medium stores a computer program, and the computer program is executed by a processor to implement an apparatus based on the Internet of Things.
  • The agent receives the request for the usage right of the device sent by the user, obtains the delegation credential according to the user's request, and decrypts the obtained delegation credential to verify its validity. After determining that the received delegation credential is valid, the agent judges whether the current user meets the conditions for obtaining the usage right of the requested device. An authorization credential is generated when the user meets those conditions, and the authorized user obtains the usage right.
  • The user obtains the usage right of the device by making a request to the agent, and the agent obtains information such as the delegation credential from the owner according to the user's request. This avoids direct information exchange between the user and the owner, protecting the security of the owner's personal information while still allowing the user to obtain permission to use the device.
  • FIG. 1 is a schematic structural diagram of distribution of various devices in an Internet of Things system in the prior art
  • FIG. 2 is a flow chart of a method for acquiring usage rights of a device based on an Internet of Things according to a first embodiment of the present invention
  • FIG. 3 is a specific flowchart of step S22 in FIG. 2 provided by the first embodiment
  • FIG. 4 is a specific flowchart of step S23 in FIG. 2 provided by the first embodiment
  • FIG. 5 is a flow chart of a method for acquiring usage rights of a device based on the Internet of Things according to a second embodiment of the present invention
  • FIG. 6 is a flow chart of a method for acquiring usage rights of a device based on the Internet of Things according to a third embodiment of the present invention.
  • FIG. 7 is a structural diagram of a device usage right acquisition system based on the Internet of Things according to a fourth embodiment of the present invention.
  • FIG. 8 is a structural diagram of a device usage right acquisition system based on an Internet of Things according to a fifth embodiment of the present invention.
  • FIG. 9 is a structural diagram of a device usage right acquisition system based on the Internet of Things according to a sixth embodiment of the present invention.
  • Embodiments of the invention. The present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It is understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
  • FIG. 1 is a schematic structural diagram of distribution of various devices in an IoT system in the prior art.
  • The Internet of Things as a management platform can be applied in intelligent transportation, construction, medical, environmental protection, public security, mobile POS, supply chain, agriculture, forestry, water, finance and many other aspects.
  • The Internet of Things can receive the security information transmitted by all parties through the management platform, and connect various security devices to the Internet of Things management system through the Internet.
  • The networked management system schedules nearby related devices to handle security risks.
  • Each user in the city can offer the equipment he owns as a public resource, for the purpose of saving resources and maximizing the use of various devices. In this case, it is only necessary to connect each user's devices through the network. When other users need to use another user's device, they can use it with the authorization of the owner. In this process each user is both a provider and a beneficiary of public resources.
  • Information interaction with the owner is unavoidable in order to obtain the usage permission, but the prior art has difficulty ensuring the security of the personal information of the two parties during this interaction, and for any one owner there are countless users who can request permission for a certain device.
  • The personal information of the owner may become known to multiple users, which is completely unfavorable for the protection of the owner's personal information.
  • FIG. 2 is a flow chart showing a method and system for obtaining usage rights of a device based on the Internet of Things according to the first embodiment of the present invention, which is described in detail as follows:
  • Step S21: receive a user's request for the usage right of a device, obtain the user information according to that request, and receive the delegation credential sent by the owner;
  • An agent is first set up in the Internet of Things system. When a user needs to obtain the usage right of a certain device, the user can send a request to the agent through a smart terminal, and the agent, according to the user's request for the device, requests delegation permission from the owner. The owner receives the request from the agent, retrieves and checks the usage of the devices it owns, and filters out the devices that are currently in the idle state.
  • When a device in the idle state is in the normal usable state, the time information and location information for normal use of the device are set; the number of devices of the owner that can be used normally, the current location of the device, a specific
  • the information about the external use of the device, the location information that can be used externally, the scope of the authority of the agent, and the conditions that the user must have are integrated into a delegation credential and sent to the agent.
  • A citizen can connect his own umbrella, bicycle, private car or even an idle house to the Internet of Things system through Radio Frequency Identification (RFID), if a user sends a message to the agent.
  • the agent requests the delegation credential from the owner, and the owner uses the external use of the currently idle house.
  • the method is used (if the user can only use it for his own residence, it cannot be used for production or manufacturing).
  • the information may be generated and sent to the agent after the information is integrated.
  • The owner encrypts the delegation credential before sending it, and sends the encrypted delegation credential to the agent; the agent decrypts the encrypted delegation credential it receives to obtain the delegation credential.
  • The delegation credential is encrypted in advance to prevent it from being tampered with during transmission.
  • The owner integrates various information about the currently available devices to form a delegation credential, and the agent passes various information contained in the delegation credential.
  • The agent directly authorizes the user, avoiding direct information exchange between the user and the owner and effectively protecting the personal information of the owner.
  • The delegation credential that the owner sends to the agent includes the usage permission of the device and stipulates the authority of the agent. Therefore, existing devices can be fully utilized and the owner's will is fully respected, achieving a win-win effect for the owner and the user.
  • Step S22: decrypt the delegation credential and verify the validity of the delegation credential;
  • The agent decrypts the delegation credential, obtains the delegation content and the generation information of the credential, and uses them to verify the validity of the delegation credential.
  • Decrypting the delegation credential and verifying its validity specifically includes:
  • Step S221: decrypt the delegation credential and obtain the generation time and the delegation content of the delegation credential;
  • Step S222: determine whether the generation time of the delegation credential is within the validity period;
  • Step S223: when the generation time of the delegation credential is within the validity period, retrieve the pre-stored delegation information, match the delegation content against the delegation information, and finally determine the validity of the delegation credential according to the matching result.
  • Since the delegation credential received by the agent was encrypted by the owner with the agent's public key, the agent must decrypt the received delegation credential with its own private key to obtain its content.
  • The owner encrypts the delegation credential before sending it to the agent, which avoids the danger of the credential being falsified in transit and protects the security of the owner and its devices.
  • After the agent decrypts the delegation credential, it obtains the generation information and the delegation content.
  • The delegation content includes the current location of the device, the time of external release, the location of external release, the conditions that a user requesting permission must satisfy, the agent's authority, and the like.
  • External release means that the device can be used by persons other than the owner.
  • The external release time of a certain device can be set to 8:00 am to 12:00 on weekly business days. Releasing the device to the outside world in this way not only meets the owner's own needs, but also lets others use the device when the owner does not need it, so that the device is fully utilized;
  • The external release location is the location where users other than the owner can use the device.
  • A positioning system can be installed on the device in advance, and the device determines its location by its own positioning system. Therefore, the device must be used within the urban area where the owner is located, or within a certain range of the owner's urban area.
  • When the device's positioning system finds that the device is outside the preset external release location, it immediately sends an alert to the agent to remind the agent to pay attention to the device, ensuring the security of the device and safeguarding the owner's assets; the conditions that a user requesting the usage right must satisfy include the credit rating of the user, the scope of the usage authority the user requests, etc.; the agent's authority refers to the handling authority that the owner can grant to the agent. The owner can specify the scope of the agent's authority in the delegation credential, and can also specify that the agent may exercise its authority autonomously according to the actual situation.
  • The delegation credential may further include the personal information of the owner and the parameters of the devices owned by the owner. The personal information of the owner includes a unique credential confirming the owner's identity, the owner's contact details, etc.
  • The parameters of the devices owned by the owner include the number of devices, the model of each device, brief instructions for using the device, etc.
  • The agent compares the generation time of the delegation credential, obtained after decrypting it, with the preset validity period to make an initial determination of the validity of the delegation credential.
  • The validity period may be within ten minutes from the receipt of the user's permission request, or within a half-time, or within one day; the specific setting of the validity period varies according to the device requested by the user and may be set according to actual conditions, and there are no restrictions here. Verifying that the received delegation credential is within the validity period guards against the case where the owner received the agent's delegation request but could not handle it in time, so that by the time it was processed a long time had passed since the user's request, the user no longer needed the right to use the device, and the agent granted the right anyway. That is, it avoids invalid authorization of the user by the agent. If the generation time of the delegation credential is within the validity period, the delegation credential is initially determined to be valid.
  • The delegation information is an agency agreement between the owner and the agent, authenticated by an authoritative certification authority.
  • The agency agreement between the owner and the agent includes the personal information of the owner, the agency period of the agent, and the personal information of the person in charge of the agent.
  • the final determination is that the delegation credential is a valid delegation credential; the personal information of the owner in the delegation credential is matched against the personal information of the owner in the delegation information to determine that the owner's identity is genuine and unique, and at the same time to determine that the agent has legal agency authority for the owner.
  • The agent decrypts the delegation credential to obtain its generation time, and makes an initial determination of the validity of the delegation credential from that generation time, thereby avoiding invalid authorization of the user by the agent. Then, the personal information of the owner in the decrypted delegation credential is matched against the owner's personal information stored in advance, to determine the identity of the owner and the legitimacy of the agent.
  • Step S23: when the delegation credential is valid, determine whether the user's request for the usage right of the device meets the conditions for obtaining the usage right of the device;
  • The personal information of the user who sent the request is retrieved. Because the delegation credential requires that a user requesting the usage right of a specific device satisfy certain conditions, the user's personal information is matched here against the conditions in the delegation credential that the user must satisfy, and the user is given permission to use the device once the conditions are met.
  • The method for determining whether the user's request for the usage right of the device meets the conditions for obtaining the usage right of the device is as follows:
  • Step S231: when the delegation credential is valid, obtain the ID information carried by the user's request for the usage right of the device;
  • Step S232: acquire the user credit level corresponding to the ID information;
  • Step S233: when the user credit level meets the requirement, determine that the user's request for the usage right of the device meets the conditions for obtaining the usage right of the device; otherwise, determine that the user's request for the usage right of the device does not meet the conditions for obtaining the usage right of the device.
  • The ID information of the user is first verified to determine the legitimacy of the user, and the credit level is verified once the user is found to be a legitimate user; the user is granted the permission only if the user meets a certain credit rating.
  • A high user credit level indicates a good reputation and helps protect the owner's equipment.
  • Step S24: generate an authorization credential when the user's request for the usage right of the device meets the conditions for obtaining the usage right of the device.
  • Whether the user meets the conditions for authorized use is determined according to the user's request for the right to use the device, and the authorization credential is generated only for users who meet the authorization conditions, thereby avoiding unnecessary generation of authorization credentials.
  • Some users send a request for permission to use a public bicycle. Although the request itself is legitimate, when the user's conditions are assessed the user is found, because of his own conditions, not to meet the authorization requirements; in this case the authorization credential is not generated.
  • Step S25: encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
  • The agent encrypts the generated authorization credential and sends the encrypted authorization credential to the user. This guarantees that the authorization credential received by the user will not be modified.
  • The user verifies the decrypted authorization credential through the device, and the device can be used after the verification is passed.
  • The agent receives, in response to the user's request for the usage right of the device, the encrypted delegation credential sent by the owner; after decrypting the delegation credential and verifying its validity, it determines whether the user has obtained the usage right of the requested device and, after determining that the user has, generates an authorization credential, encrypts it, and sends it to the user.
  • The owner entrusts the agent to manage the devices that it owns and offers as public resources.
  • When the agent determines that the user who sent the permission request has the legal right to use the requested device, it sends the authorization credential directly to the user without involving the identity information of the owner, which avoids direct information transmission between the user and the owner and thereby protects the private information of the owner.
  • FIG. 5 is a flowchart of a method for acquiring a device usage right of an Internet of Things according to a second embodiment of the present invention. As shown in FIG.
  • Step S51: receive the authentication information sent by the server, the owner information, and the device in a normal state;
  • The server first reviews the agent and, when the agent meets the preset conditions, determines that it is a legitimate agent; only a legitimate agent enjoys agency authority, and the server sends the authentication information to the legitimate agent.
  • The server counts the various devices in the IoT system that are in a normal use state within a certain range, together with the owner information of those devices, integrates the information, and sends it to the agent with agency authority.
  • The authentication information includes: a credit evaluation of the agent generated by the server according to the result of its investigation of the agent, the agency time limit of the agent, and the like.
  • the agent may first check whether the agent has the authentication information, or select the agent according to the credit evaluation in the agent's authentication information.
  • Step S52: receive a user's request for the usage right of a device, obtain the user information according to that request, and receive the delegation credential sent by the owner;
  • Step S53: decrypt the delegation credential and verify the validity of the delegation credential;
  • Step S54: when the delegation credential is valid, determine whether the user's request for the usage right of the device meets the conditions for obtaining the usage right of the device;
  • Step S55: generate an authorization credential when the user's request for the usage right of the device meets the conditions for obtaining the usage right of the device.
  • Step S56: encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
  • Steps S52 to S56 in this embodiment correspond respectively to steps S21 to S25 in the first embodiment, and details are not described herein again.
  • Before receiving a request for the usage right of a device sent by a user, the agent first receives the authentication information sent by the server, the owner information, and the information on the devices that can be used. Because the agent bears the obligation to keep personal information confidential, the agent is first authenticated in this step to determine its legitimacy, which ensures the security of the owner's devices and ensures that the personal information of the owner and the user is not arbitrarily leaked.
  • FIG. 6 is a flowchart of a method for acquiring usage rights of a device based on the Internet of Things according to a third embodiment of the present invention. As shown in FIG.
  • Step S61: receive the authentication information sent by the server, the owner information, and the device in a normal state;
  • Step S62: receive a user's request for the usage right of a device, obtain the user information according to that request, and receive the delegation credential sent by the owner;
  • Step S63: decrypt the delegation credential and verify the validity of the delegation credential;
  • Step S64: when the delegation credential is valid, determine whether the user's request for the usage right of the device meets the conditions for obtaining the usage right of the device;
  • Step S65: generate an authorization credential when the user's request for the usage right of the device meets the conditions for obtaining the usage right of the device.
  • Step S66: encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
  • Steps S61 to S66 in this embodiment correspond respectively to steps S51 to S56 in the second embodiment, and details are not described herein again.
  • Step S67: receive the device's verification result for the authorization credential, and send the verification result to the owner.
  • The user decrypts the encrypted authorization credential with its own private key to obtain the usage permission, and sends the information contained in the authorization credential to the device.
  • The device verifies the received information and, if verification passes, grants the user permission; it sends the verification result to the agent for recording and archiving, and the verification result is sent to the owner so that the owner knows how his device is being used.
  • The device verifies the information contained in the authorization credential and, if verification succeeds, releases the usage right to the user and sends the verification result to the agent. After the agent records it, the verification result is sent to the owner. In this process, direct communication between the user and the owner is avoided, the personal information of the owner is protected from being leaked, and the personal security of the user is ensured.
  • FIG. 7 is a structural diagram of an Internet of Things-based device usage right acquisition system according to a fourth embodiment of the present invention, which is based on the Internet of Things.
  • the device usage right acquisition system can be applied to various mobile terminals. For the convenience of description, only parts related to the embodiment of the present invention are shown.
  • the Internet of Things-based device usage right acquisition system includes: a delegation certificate obtaining unit 71, a delegation certificate verification unit 72, a condition determination unit 73, an authorization voucher generation unit 74, and an authorization voucher encryption unit 75. , among them:
  • the proxy credential obtaining unit 71 is configured to receive a request for the user to use the device, and obtain the user information according to the request of the user for the use right of the device, and receive the proxy credential sent by the main object;
  • a delegation voucher verification unit 72 configured to decrypt the delegation voucher, and verify the validity of the delegation voucher
  • the delegation certificate verification unit specifically includes:
  • a decryption module configured to decrypt the delegation certificate, and obtain a generation time and a delegation content of the delegation certificate
  • a preliminary determining module configured to determine whether the generation period of the delegation certificate is within a validity period
  • a matching module configured to: when the generation of the delegation certificate is within a valid period, calling the pre-stored The information is matched with the delegation content and the delegation information, and the validity of the delegation certificate is finally determined according to the matching result.
  • the condition determination unit 73 is configured to determine, when the delegation credential is valid, whether the user's request for the use right of the device meets the condition for obtaining the use right of the device;
  • the condition determination unit 73 specifically includes:
  • an ID obtaining module configured to acquire, when the delegation credential is valid, the ID information carried by the user's request for the use right of the device;
  • a credit rating obtaining module configured to acquire the user credit rating corresponding to the ID information;
  • a condition judging module configured to determine, when the user credit rating meets the requirement, that the user's request for the use right of the device meets the condition for obtaining the use right of the device, and otherwise to determine that the user's request for the use right of the device does not meet the condition for obtaining the use right of the device.
  • the authorization credential generation unit 74 is configured to generate an authorization credential when the user's request for the use right of the device meets the condition for obtaining the use right of the device;
  • the authorization credential encryption unit 75 is configured to encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
  • The proxy end receives the encrypted delegation credential sent by the owner end according to the user's request for the use right of the device; after decrypting the delegation credential and verifying its validity, it determines whether the user may obtain the use right of the requested device and, after determining that the user may obtain it, generates an authorization credential, encrypts the authorization credential, and sends it to the user.
  • The owner entrusts the proxy end with managing the devices that the owner owns and offers as public resources.
  • When the proxy end determines that the user who sent the permission request is legitimately entitled to use the requested device, it sends the authorization credential directly to the user without involving the owner's identity information, which avoids direct information transmission between the user and the owner and thereby protects the owner's private information.
  • Embodiment 5:
  • The Internet of Things-based device usage right acquisition system includes:
  • an information receiving unit 81 configured to receive the authentication information, the owner information, and the information on devices in a normal state sent by the server.
  • The server first examines the proxy end and, when the proxy end meets the preset condition, determines that it is a legitimate proxy end; only a legitimate proxy end holds proxy rights, and the server sends the authentication information to the legitimate proxy end.
  • The server compiles the devices in the IoT system that are in a normal usable state within a certain range, together with the owner information of those devices, integrates this information, and sends it to the proxy end that holds proxy authority.
  • The authentication information includes: a credit evaluation of the proxy end generated by the server according to the result of its examination of the proxy end, the time limit of the proxy end's authority, and the like.
  • The owner end may first check whether the proxy end has the authentication information, or select a proxy end according to the credit evaluation in the proxy end's authentication information.
  • a delegation credential obtaining unit 82 configured to receive a user's request for the use right of a device, obtain the user information according to that request, and receive the delegation credential sent by the owner end;
  • a delegation credential verification unit 83 configured to decrypt the delegation credential and verify the validity of the delegation credential;
  • a condition determination unit 84 configured to determine, when the delegation credential is valid, whether the user's request for the use right of the device meets the condition for obtaining the use right of the device;
  • an authorization credential generation unit 85 configured to generate an authorization credential when the user's request for the use right of the device meets the condition for obtaining the use right of the device;
  • an authorization credential encryption unit 86 configured to encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
  • The condition determination unit 73, the authorization credential generation unit 74, and the authorization credential encryption unit 75 respectively correspond to each other, and details are not described herein again.
  • When receiving a request for the use right of a device sent by the user, the proxy end first receives the authentication information sent by the server, together with the owner information and the information on the devices that can be used. The proxy end has an obligation to keep personal information confidential; therefore, the proxy end is authenticated first in this step to determine its legitimacy, which ensures the security of the owner's devices and ensures that the personal information of the owner and the user is not arbitrarily leaked.
  • FIG. 9 is a structural diagram of an Internet of Things-based device usage right acquisition system according to a sixth embodiment of the present invention. As shown in FIG. 9, the Internet of Things-based device usage right acquisition system includes:
  • an information receiving unit 91 configured to receive the authentication information, the owner information, and the information on devices in a normal state sent by the server.
  • a delegation credential obtaining unit 92 configured to receive a user's request for the use right of a device, obtain the user information according to that request, and receive the delegation credential sent by the owner end;
  • a delegation credential verification unit 93 configured to decrypt the delegation credential and verify the validity of the delegation credential;
  • a condition determination unit 94 configured to determine, when the delegation credential is valid, whether the user's request for the use right of the device meets the condition for obtaining the use right of the device;
  • an authorization credential generation unit 95 configured to generate an authorization credential when the user's request for the use right of the device meets the condition for obtaining the use right of the device;
  • an authorization credential encryption unit 96 configured to encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
  • The delegation credential obtaining unit 82, the delegation credential verification unit 83, the condition determination unit 84, the authorization credential generation unit 85, and the authorization credential encryption unit 86 respectively correspond to each other, and will not be described again.
  • a verification result receiving unit 97 configured to receive the device's verification result for the authorization credential and send the verification result to the owner.
  • The device verifies the information contained in the authorization credential and, if the verification succeeds, releases the use permission to the user and sends the verification result to the proxy end; after recording it, the proxy end sends the verification result to the owner. In this process, direct communication between the user and the owner is avoided, the owner's personal information is protected from being leaked, and the personal security of the user is ensured.
  • The magnitude of the sequence numbers of the foregoing processes does not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
  • The disclosed system, apparatus, and method may be implemented in other manners.
  • The device embodiments described above are merely illustrative.
  • The division into units is only a division by logical function, and an actual implementation may divide them differently; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • The mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device, or unit, and may be electrical, mechanical, or of another form.
  • The functional units in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
  • The functions, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer-readable storage medium.
  • The technical solution of the present invention, in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present invention.
  • The foregoing storage medium includes: a USB flash drive, random access memory (RAM), a magnetic disk or an optical disk, and other media that can store program code.

Abstract

Provided in the present embodiment are a method and system for acquiring usage permissions of an Internet of Things equipment. The method comprises: according to a request by a user for usage permissions of an equipment, acquiring user information and receiving a delegation certificate that is sent by an owner terminal; decrypting and validating the validity of the delegation certificate, and determining whether the request by the user for the usage permissions of the equipment meets a condition for acquiring the usage permissions of the equipment; when the condition is met, generating an authorization certificate; encrypting the authorization certificate and then sending the encrypted authorization certificate to the user such that the user validates the authorization certificate by means of the equipment. The user acquires usage permissions of an equipment by means of requesting a proxy terminal, and the proxy terminal acquires information, such as a delegation certificate and so on, from the owner terminal according to the request by the user, thus avoiding direct information exchange between the user and an owner, and thus the safety of personal information of the owner may be protected, while a permissions acquisition request of the user for the equipment may be satisfied.

Description

Title of Invention: Method and System for Acquiring Device Usage Rights Based on the Internet of Things
Technical Field
[0001] The embodiments of the present invention belong to the field of Internet of Things information security, and in particular relate to a method and system for acquiring device usage rights in the Internet of Things.
Background Art
[0002] The Internet of Things (IoT) is an Internet in which things are connected to one another. It has been predicted to be the next wave of technology and economic growth in the global information industry after the Internet, and it has drawn the attention of governments, enterprises and academia; the United States, the European Union, Japan and others have even incorporated it into their national and regional informatization strategies. At present, IoT applications face many problems in the course of their development. For example, with respect to the various facilities and public services of a city in the Internet of Things, each user in the city can be both a provider and a consumer; that is, users can share their own personal facilities or other resources, such as cars, parking spaces and houses, through the Internet of Things, thereby helping the government manage and utilize urban facilities and personal resources more effectively and rationally, improving management efficiency and service quality in fields such as transportation, medical care, education and tourism, and promoting the harmonious development of the city. In such an open, shared urban IoT environment, an IoT device may be shared and used many times, so the right to use a shared device can pass from the owner to different users (for example, from the owner to the owner's friends, or to friends of friends). A great deal of information is transmitted while the right to use the various facilities is transferred; however, the prior art cannot guarantee the security of this information transfer, nor can it effectively protect private information such as the owner's identity.
Technical Problem
[0003] Embodiments of the present invention provide an Internet of Things-based method and system for acquiring device usage rights, intended to solve the problem that, in the prior-art Internet of Things, the security of the transferred information cannot be guaranteed and the owner's private information cannot be protected when the right to use various facilities is transferred.
Solution to the Problem
Technical Solution
[0004] In a first aspect of the embodiments of the present invention, an Internet of Things-based method for acquiring device usage rights is provided, the method comprising:
[0005] receiving a user's request for the usage right of a device, acquiring user information according to the request, and receiving a delegation credential sent by the owner end;
[0006] decrypting the delegation credential and verifying the validity of the delegation credential;
[0007] when the delegation credential is valid, determining whether the user's request for the usage right of the device meets the condition for obtaining the usage right of the device;
[0008] when the user's request for the usage right of the device meets the condition for obtaining the usage right of the device, generating an authorization credential;
[0009] encrypting the authorization credential and sending the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
[0010] A second aspect of the embodiments of the present invention provides an Internet of Things-based system for acquiring device usage rights, the system comprising:
[0011] a delegation credential obtaining unit, configured to receive a user's request for the usage right of a device, acquire user information according to the request, and receive a delegation credential sent by the owner end;
[0012] a delegation credential verification unit, configured to decrypt the delegation credential and verify the validity of the delegation credential;
[0013] a condition determination unit, configured to determine, when the delegation credential is valid, whether the user's request for the usage right of the device meets the condition for obtaining the usage right of the device;
[0014] an authorization credential generation unit, configured to generate an authorization credential when the user's request for the usage right of the device meets the condition for obtaining the usage right of the device;
[0015] an authorization credential encryption unit, configured to encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
[0016] A third aspect of the embodiments of the present invention provides an Internet of Things-based system for acquiring device usage rights, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of any one of the Internet of Things-based methods for acquiring device usage rights described above.
[0017] A fourth aspect of the embodiments of the present invention provides a computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the steps of any one of the Internet of Things-based methods for acquiring device usage rights described above.
Advantageous Effects of the Invention
Advantageous Effects
[0018] In the embodiments of the present invention, the proxy end receives the request for the usage right of a device sent by the user, then obtains a delegation credential from the owner end according to the user's request, decrypts the obtained delegation credential and verifies its validity, and, after determining that the received delegation credential is valid, evaluates the user to determine whether the current user meets the condition for obtaining the usage right of the requested device. Only when the user meets that condition is an authorization credential generated, authorizing the user to obtain the usage right. In this process the user obtains the usage right of the device by asking the proxy end, and the proxy end obtains information such as the delegation credential from the owner end according to the user's request, which avoids direct information exchange between the user and the owner; this both protects the security of the owner's personal information and satisfies the user's request to obtain rights to the device.
Brief Description of the Drawings
Description of the Drawings
[0019] FIG. 1 is a schematic structural diagram of the distribution of various devices in a prior-art Internet of Things system;
[0020] FIG. 2 is a flowchart of an Internet of Things-based method for acquiring device usage rights according to a first embodiment of the present invention;
[0021] FIG. 3 is a detailed flowchart of step S22 in FIG. 2 according to the first embodiment;
[0022] FIG. 4 is a detailed flowchart of step S23 in FIG. 2 according to the first embodiment;
[0023] FIG. 5 is a flowchart of an Internet of Things-based method for acquiring device usage rights according to a second embodiment of the present invention;
[0024] FIG. 6 is a flowchart of an Internet of Things-based method for acquiring device usage rights according to a third embodiment of the present invention;
[0025] FIG. 7 is a structural diagram of an Internet of Things-based system for acquiring device usage rights according to a fourth embodiment of the present invention;
[0026] FIG. 8 is a structural diagram of an Internet of Things-based system for acquiring device usage rights according to a fifth embodiment of the present invention;
[0027] FIG. 9 is a structural diagram of an Internet of Things-based system for acquiring device usage rights according to a sixth embodiment of the present invention.
Embodiments of the Invention
[0028] To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only intended to explain the present invention and are not intended to limit it.
[0029] To illustrate the technical solutions of the present invention, specific embodiments are described below.
[0030] Embodiment 1
[0031] FIG. 1 shows a schematic structural diagram of the distribution of various devices in a prior-art Internet of Things system. As shown in FIG. 1, the Internet of Things, as a management platform, can be applied to intelligent transportation, construction, medical care, environmental protection, public safety, mobile POS, supply chain, agriculture, forestry, water affairs, finance and many other areas. In the area of public safety, the Internet of Things can receive, through a unified management platform, the safety information transmitted by all parties, and can connect various safety and security devices to the IoT management system via the Internet; when a safety hazard awaiting handling is reported, the IoT management system dispatches nearby relevant devices to handle it.
[0032] When applied to the various public resources in a city, each user in the city can offer the devices he or she owns as public resources for everyone to use, so as to save resources and make maximum use of the various devices. In that case, it is only necessary to connect each user's devices through the network; when another user needs to use a user's device, the device can be used once the owner authorizes it. In this process every user is both a provider and a beneficiary of public resources. When a user needs to use an owner's device, the user inevitably exchanges information with the owner to obtain the usage right, but the prior art can hardly guarantee the security of both parties' personal information during this exchange. Moreover, an owner may receive requests for the usage right of a device from countless users; when exchanging information with many users, the owner's personal information may become known to many of them, which is entirely unfavourable to protecting the owner's personal information.
[0033] Accordingly, FIG. 2 shows a flowchart of an Internet of Things-based method and system for acquiring device usage rights according to the first embodiment of the present invention, detailed as follows:
[0034] Step S21: receiving a user's request for the usage right of a device, acquiring user information according to the request, and receiving a delegation credential sent by the owner end;
[0035] Specifically, a proxy end is first set up in the IoT system. When a user needs to obtain the usage right of a device, the user can send a request to the proxy end from his or her own smart terminal. According to the user's request for the device usage right, the proxy end requests delegated authority from the owner end. On receiving the proxy end's request, the owner end retrieves and checks the usage status of the devices it owns, filters out the devices that are currently idle, and checks whether those idle devices are in a normal usable state; for devices that can be used normally it sets the time and location information for external use. The owner end integrates information such as the number of devices that can be used normally, the current location of each device, the times at which a particular device may be used externally, the locations at which it may be used externally, the scope of the proxy end's authority, and the conditions the user must satisfy into a delegation credential and sends it to the proxy end.
[0036] For example, residents of a city can connect their umbrellas, bicycles, private cars or even vacant houses to the IoT system through Radio Frequency Identification (RFID) technology. If a user sends the proxy end a request for the usage right of an owner's house, the proxy end requests a delegation credential from the owner end, and the owner end integrates information such as the time during which the currently vacant house is available for external use and the permitted manner of use (for example, the user may use it only as his or her own residence, may not use it for production or manufacturing, and may not alter the house at will), generates a delegation credential, and sends it to the proxy end.
[0037] Preferably, the owner end encrypts the delegation credential before sending it to the proxy end and sends the encrypted delegation credential to the proxy end; the proxy end can obtain the delegation credential only after decrypting the encrypted delegation credential it receives. Encrypting the delegation credential in advance prevents it from being tampered with during transmission.
[0038] In this step, when the proxy end requests a delegation credential from the owner end, the owner end integrates the various information about the devices currently available for external use to form the delegation credential, and the proxy end uses the information contained in the delegation credential to respond to the user's request for the usage right of a device. In this process the proxy end authorizes the user directly, which avoids direct information exchange between the user and the owner and effectively protects the owner's personal information. Furthermore, the delegation credential sent by the owner end to the proxy end contains the usage rights of the device and specifies the proxy end's authority, so existing devices can be fully utilized while the owner's wishes are fully respected, achieving a win-win outcome for the owner and the user.
[0039] Step S22: decrypting the delegation credential and verifying the validity of the delegation credential;
[0040] In this step, after receiving the encrypted delegation credential, the proxy end decrypts it and obtains information such as the content of the delegation credential and the time at which it was generated, in order to verify its validity.
[0041] As shown in FIG. 3, preferably, decrypting the delegation credential and verifying its validity specifically includes:
[0042] Step S221: decrypting the delegation credential to obtain its generation time and the delegation content;
[0043] Step S222: determining whether the generation time of the delegation credential is within the validity period;
[0044] Step S223: when the generation time of the delegation credential is within the validity period, retrieving the pre-stored delegation information, matching the delegation content against the delegation information, and finally determining the validity of the delegation credential according to the matching result.
[0045] Specifically, because the delegation credential received by the proxy end has been encrypted by the owner end with the proxy end's public key, the proxy end must decrypt the received delegation credential with its own private key to obtain its contents. The owner end encrypts the delegation credential before sending it to the proxy end, which avoids the risk of the delegation credential being tampered with in transit and protects the security of the owner and the owner's devices. After decrypting the delegation credential, the proxy end obtains its generation time and the delegation content. The delegation content includes the current location of the device, the times at which it is open to external use, the locations at which it is open to external use, the conditions that a user requesting the usage right must satisfy, the proxy authority of the proxy end, and so on.
[0046] The open time refers to the time during which the device may be used by people other than the owner; for example, the open time of a device may be set to 8:00-12:00 in the morning on each working day. Setting an open time for the device both meets the owner's own needs and allows the device to be offered to others when the owner does not need it, so that the device is put to full use. The open location is the place where users other than the owner may use the device. A positioning system can be installed on the device in advance, and the device determines its own position through that positioning system; it is therefore possible to require that the device be used within the urban area where the owner is located, or within a certain range of that area. If the device's positioning system finds that the device is outside the preset open location, it immediately sends an alert to the proxy end, prompting the proxy end to pay attention to this device, so as to keep the device secure and safeguard the owner's assets. The conditions that a user requesting the usage right must satisfy include the user's credit rating, the scope of the usage right requested by the user, and so on. The proxy authority of the proxy end refers to the authority, granted by the owner end to the proxy end, to dispose of the owner's devices; the owner end may either explicitly limit the scope of the proxy end's authority in the delegation credential, or stipulate that the proxy end may exercise proxy authority at its own discretion according to the actual situation.
[0047] Preferably, the delegation credential may further include the owner's personal information and the parameters of the devices owned by the owner. The owner's personal information includes a credential that uniquely confirms the owner's identity, the owner's contact details, and the like; the parameters of the devices owned by the owner include the number of devices, the device model, brief instructions for using the device, and the like.
[0048] In this step, the proxy end compares the generation time obtained by decrypting the delegation credential with the preset validity period to make a preliminary determination of the validity of the delegation credential. The validity period may be ten minutes, half an hour, or one day, counted from receipt of the user's usage right request; the specific setting differs according to the device the user requests and may be set according to the actual situation, and is not limited here. Verifying whether the received delegation credential is within the validity period prevents the situation in which the owner end cannot promptly handle the proxy end's request for a delegation credential and, by the time the owner end has time to handle it, so long has passed since the user's request that the user no longer needs the usage right of the device, yet the proxy end nevertheless grants it. That is, it avoids invalid authorization of the user by the proxy end. If the generation time of the delegation credential falls within the validity period, the delegation credential is preliminarily determined to be a valid delegation credential.
[0049] 在初步确定所述委托凭证为有效委托凭证吋, 调用预先存储的委托信息, 对比 所述委托凭证内容与所述委托信息是否一致, 所述委托信息为经权威认证机构 认证过的物主端与代理端之间的代理协议, 包括物主端物主的个人信息、 物主 端委托代理端代理的代理年限、 代理端的负责人的个人信息等。 在所述委托凭 证中的物主个人信息与所述委托信息中的物主的个人信息一致吋, 最终判定所 述委托凭证为有效委托凭证; 将所述委托凭证中的物主的个人信息与所述委托 信息中物主的个人信息进行匹配, 以确定物主身份真实唯一, 同吋也确定该代 理端对该物主端具有合法的代理权限。  [0049] After initially determining that the delegation document is a valid delegation document, invoking pre-stored delegation information, comparing whether the content of the delegation certificate is consistent with the delegation information, the delegation information is an object authenticated by an authoritative certification authority The agent agreement between the master and the agent includes the personal information of the owner of the owner, the agent age of the agent agent of the agent, and the personal information of the person in charge of the agent. After the owner personal information in the delegation document is consistent with the personal information of the owner in the delegation information, the final determination is that the delegation certificate is a valid delegation certificate; and the personal information of the owner in the delegation document is The personal information of the owner in the entrusted information is matched to determine that the owner's identity is truly unique, and the peer also determines that the agent has legal proxy authority to the owner.
[0050] 该步骤中, 代理端通过解密所述委托凭证以获取所述委托凭证的生成吋间, 通 过所述委托凭证的吋间初步判定委托凭证的有效性, 避免了代理端对用户的无 效授权。 然后通过解密后的委托凭证中的物主端物主个人信息与事先存储的物 主个人信息相匹配以确定物主身份及代理端代理的合法性。  [0050] In this step, the agent decrypts the delegation voucher to obtain the generation time of the delegation voucher, and initially determines the validity of the entrusted voucher through the diary of the entrusted voucher, thereby avoiding the invalidity of the agent to the user. Authorization. Then, the personal information of the owner in the decrypted proxy document is matched with the owner personal information stored in advance to determine the identity of the owner and the legitimacy of the agent.
[0051] Step S23: when the delegation credential is valid, determine whether the user's request for permission to use the device meets the conditions for obtaining permission to use the device;
[0052] In this step, after the delegation credential sent by the owner end has been determined to be valid, the personal information of the user who sent the request is retrieved. Because the delegation credential specifies in advance that a user requesting permission to use a particular device must satisfy certain conditions, the user's personal information is matched against the conditions specified in the delegation credential, and usage permission is granted only when the user meets them.
[0053] As shown in FIG. 4, preferably, determining, when the delegation credential is valid, whether the user's request for permission to use the device meets the conditions for obtaining permission to use the device specifically includes:
[0054] Step S231: when the delegation credential is valid, obtain the ID information carried in the user's request for permission to use the device;
[0055] Step S232: obtain the user credit rating corresponding to the ID information;
[0056] Step S233: when the user credit rating meets the requirement, determine that the user's request for permission to use the device meets the conditions for obtaining permission to use the device; otherwise, determine that the user's request for permission to use the device does not meet the conditions for obtaining permission to use the device.
[0057] Specifically, after the delegation credential sent by the owner end has been determined to be valid, the user information included in the received usage permission request is retrieved, and the user's credit rating is looked up by the ID information in the user information. The user's credit rating is compared with a preset credit rating; only when the user's credit rating is greater than or equal to the preset credit rating is the user judged to be a legitimate user who meets the conditions for obtaining permission to use the device. Otherwise, the user is determined not to meet the conditions for obtaining permission to use the requested device.
[0058] In this step, the user's ID information is first verified to confirm that the user is legitimate; when the user is legitimate, the user's credit standing is then checked, and only users who meet a certain credit rating are granted usage permission. A high credit standing indicates that the user has a good reputation, which helps protect the owner's device.
[0059] Step S24: when the user's request for permission to use the device meets the conditions for obtaining permission to use the device, generate an authorization credential;
[0060] In this step, whether the user meets the conditions for authorized use is determined in advance from the user's request for permission to use the device, and only then is an authorization credential generated. Authorization credentials are generated only for users who meet the authorization conditions, which avoids generating unnecessary authorization credentials. For example, a user may send a request for permission to use a public bicycle; although the request itself is legitimate, when the user's conditions are checked it is found that the user does not meet the authorization requirements because of the user's own circumstances or similar reasons, and in this case no authorization credential is generated.
[0061] Step S25: encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
[0062] In this step, the agent end encrypts the generated authorization credential and sends the encrypted authorization credential to the user. This ensures that the authorization credential received by the user cannot be arbitrarily modified. After receiving the complete authorization credential, the user has the decrypted authorization credential verified by the device, and obtains the right to use the device once verification passes.
[0063] In the first embodiment of the present invention, the agent end, in response to the user's request for permission to use a device, receives the encrypted delegation credential sent by the owner end; after decrypting the delegation credential, it verifies the credential's validity and determines whether the user is entitled to obtain permission to use the requested device; after determining that the user is so entitled, it generates an authorization credential, encrypts it, and sends it to the user. In this process the owner end entrusts the agent end with managing the devices that the owner owns and makes available as a public resource. When the agent end determines that the user who sent the usage permission request has a legitimate right to use the requested device, it sends the authorization credential directly to the user without involving the owner's identity information, which avoids direct transfer of information between the user and the owner and thereby protects the owner's private information.
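
The agent-end checks described in paragraphs [0048] to [0060] (validity period, match against the stored delegation information, credit-rating condition, then credential generation), written out as an added Python example that is not part of the patent text. It assumes the delegation credential has already been decrypted; all class, field and function names, the sample values, the rejection of credentials generated before the request, and the enforcement of the open-time window by the agent end are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class DelegationCredential:
    """Plaintext delegation credential after decryption (field names are assumptions)."""
    generated_at: datetime   # generation time of the credential
    owner_id: str            # owner's unique identity credential
    open_days: frozenset     # weekdays open to others, 0 = Monday
    open_from: time          # start of the open time window
    open_until: time         # end of the open time window (exclusive)
    min_credit: int          # preset credit rating a user must reach


@dataclass(frozen=True)
class UsageRequest:
    user_id: str             # ID information carried by the request
    device_id: str
    received_at: datetime    # when the agent end received the request


def delegation_is_valid(cred, req, stored_owner_id, validity=timedelta(minutes=10)):
    """Preliminary check (validity period), then final check (owner match)."""
    elapsed = cred.generated_at - req.received_at
    # The validity period is counted from receipt of the user's request.
    # Assumption: a credential generated before the request was received was
    # not issued for this request and is rejected as well.
    if elapsed < timedelta(0) or elapsed > validity:
        return False
    # Compare with the owner identity held in the pre-stored delegation
    # information; compare_digest avoids leaking the mismatch position.
    return hmac.compare_digest(cred.owner_id.encode(), stored_owner_id.encode())


def user_is_eligible(cred, req, credit_ratings):
    """Steps S231 to S233: look up the rating by ID and compare with the preset."""
    rating = credit_ratings.get(req.user_id)
    if rating is None or rating < cred.min_credit:
        return False  # unknown users are refused, not treated as rating 0
    # Assumption: the agent end also enforces the open time from the
    # delegated content against the time the request arrived.
    when = req.received_at
    return (when.weekday() in cred.open_days
            and cred.open_from <= when.time() < cred.open_until)


def authorize(cred, req, stored_owner_id, credit_ratings):
    """Return (authorization, reason); authorization is None when refused."""
    if not delegation_is_valid(cred, req, stored_owner_id):
        return None, "delegation credential invalid"
    if not user_is_eligible(cred, req, credit_ratings):
        return None, "user does not meet the conditions"
    # The authorization carries no owner information, so the user never
    # receives the owner's identity.
    authorization = {
        "user_id": req.user_id,
        "device_id": req.device_id,
        "usable_until": datetime.combine(req.received_at.date(), cred.open_until),
    }
    return authorization, "authorized"


# Constructed sample data (not from the patent). 2017-07-17 is a Monday.
STORED_OWNER_ID = "owner-0001"
CREDIT_RATINGS = {"user-a": 80, "user-b": 40}
SAMPLE_REQUEST = UsageRequest("user-a", "bike-17", datetime(2017, 7, 17, 9, 0))
SAMPLE_CRED = DelegationCredential(
    generated_at=datetime(2017, 7, 17, 9, 4),
    owner_id="owner-0001",
    open_days=frozenset(range(5)),   # Monday to Friday
    open_from=time(8, 0),
    open_until=time(12, 0),
    min_credit=70,
)

if __name__ == "__main__":
    print(authorize(SAMPLE_CRED, SAMPLE_REQUEST, STORED_OWNER_ID, CREDIT_RATINGS))
```

In a deployment following the patent, the returned authorization would then be encrypted before being sent to the user (step S25); that step is outside this example.
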
[0064] Embodiment 2
[0065] FIG. 5 shows a flowchart of a method for acquiring device usage permissions based on the Internet of Things according to a second embodiment of the present invention. As shown in FIG. 5, the method includes:
[0066] Step S51: receive the authentication information sent by the server, the owner information, and the information of devices in a normal state;
[0067] In this step, the server first reviews the agent end; when the agent end satisfies preset conditions, it is recognized as a legitimate agent end. Only a legitimate agent end has agency authority, and the server sends authentication information to the legitimate agent end. The server compiles the various devices in normal use within a certain range of the Internet of Things system, together with the owner information of those devices, consolidates this information, and sends it to the agent end that has agency authority. The authentication information includes the server's credit evaluation of the agent end, generated from the results of its investigation of the agent end, the term of the agent end's agency, and so on. In addition, when sending a request for permission to use a device, the user may first check whether the agent end has authentication information, or choose an agent end according to the credit evaluation in the agent end's authentication information.
[0068] Step S52: receive the user's request for permission to use the device, obtain user information according to that request, and receive the delegation credential sent by the owner end;
[0069] Step S53: decrypt the delegation credential and verify its validity;
[0070] Step S54: when the delegation credential is valid, determine whether the user's request for permission to use the device meets the conditions for obtaining permission to use the device;
[0071] Step S55: when the user's request for permission to use the device meets the conditions for obtaining permission to use the device, generate an authorization credential;
[0072] Step S56: encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
[0073] Steps S52 to S56 in this embodiment correspond respectively to steps S21 to S25 in Embodiment 1 and are not described again here.
[0074] In the second embodiment of the present invention, in handling the user's request for permission to use a device, the agent end first receives the authentication information sent by the server, the owner information, and the information of the devices available for use. Because the agent end has an obligation to keep the owner's personal information confidential, the agent end is first authenticated in this step to establish its legitimacy, which both keeps the owner's device safe and ensures that the personal information of the owner and the user is not casually leaked.
[0075] Embodiment 3
[0076] FIG. 6 shows a flowchart of a method for acquiring device usage permissions based on the Internet of Things according to a third embodiment of the present invention. As shown in FIG. 6, the method includes:
[0077] Step S61: receive the authentication information sent by the server, the owner information, and the information of devices in a normal state;
[0078] Step S62: receive the user's request for permission to use the device, obtain user information according to that request, and receive the delegation credential sent by the owner end;
[0079] Step S63: decrypt the delegation credential and verify its validity;
[0080] Step S64: when the delegation credential is valid, determine whether the user's request for permission to use the device meets the conditions for obtaining permission to use the device;
[0081] Step S65: when the user's request for permission to use the device meets the conditions for obtaining permission to use the device, generate an authorization credential;
[0082] Step S66: encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
[0083] Steps S61 to S66 in this embodiment correspond respectively to steps S51 to S56 in Embodiment 2 and are not described again here.
[0084] Step S67: receive the device's verification result for the authorization credential, and send the verification result to the owner end.
[0085] In this step, after receiving the authorization credential sent by the agent end, the user decrypts the encrypted authorization credential with the user's own private key to obtain the usage permission. After the user sends the information contained in the authorization credential to the device, the device verifies the received information; if verification passes, it opens usage permission to the user and sends the verification result to the agent end for recording and archiving, and the verification result is then sent to the owner end so that the owner knows how the owner's device is being used.
[0086] In the third embodiment of the present invention, after the user obtains the authorization credential for the requested device, the device verifies the information contained in the authorization credential; if verification passes, it opens usage permission to the user and sends the verification result to the agent end, which records it and then sends the verification result to the owner end. This process avoids direct communication between the user and the owner, which both protects the owner's personal information from being leaked and safeguards the user's personal safety.
[0087] Embodiment 4
[0088] Corresponding to the Internet of Things-based device usage permission acquisition described above, FIG. 7 shows a structural diagram of a system for acquiring device usage permissions based on the Internet of Things according to a fourth embodiment of the present invention. The system can be applied in various mobile terminals. For ease of description, only the parts relevant to this embodiment of the present invention are shown.
[0089] As shown in FIG. 7, the system for acquiring device usage permissions based on the Internet of Things includes: a delegation credential acquisition unit 71, a delegation credential verification unit 72, a condition determination unit 73, an authorization credential generation unit 74, and an authorization credential encryption unit 75, where:
[0090] the delegation credential acquisition unit 71 is configured to receive the user's request for permission to use the device, obtain user information according to that request, and receive the delegation credential sent by the owner end;
[0091] the delegation credential verification unit 72 is configured to decrypt the delegation credential and verify its validity;
[0092] Preferably, the delegation credential verification unit specifically includes:
[0093] a decryption module, configured to decrypt the delegation credential to obtain the generation time of the delegation credential and the delegated content;
[0094] a preliminary determination module, configured to determine whether the generation time of the delegation credential is within the validity period;
[0095] a matching module, configured to, when the generation time of the delegation credential is within the validity period, retrieve the pre-stored delegation information, match the delegated content against the delegation information, and make the final determination of the delegation credential's validity according to the matching result.
[0096] the condition determination unit 73 is configured to determine, when the delegation credential is valid, whether the user's request for permission to use the device meets the conditions for obtaining permission to use the device;
[0097] Preferably, the condition determination unit 73 specifically includes:
[0098] an ID acquisition module, configured to obtain, when the delegation credential is valid, the ID information carried in the user's request for permission to use the device;
[0099] a credit rating acquisition module, configured to obtain the user credit rating corresponding to the ID information;
[0100] a condition determination module, configured to determine, when the user credit rating meets the requirement, that the user's request for permission to use the device meets the conditions for obtaining permission to use the device, and otherwise to determine that the user's request for permission to use the device does not meet the conditions for obtaining permission to use the device.
[0101] the authorization credential generation unit 74 is configured to generate an authorization credential when the user's request for permission to use the device meets the conditions for obtaining permission to use the device;
[0102] the authorization credential encryption unit 75 is configured to encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
[0103] In the fourth embodiment of the present invention, the agent end, in response to the user's request for permission to use a device, receives the encrypted delegation credential sent by the owner end; after decrypting the delegation credential, it verifies the credential's validity and determines whether the user is entitled to obtain permission to use the requested device; after determining that the user is so entitled, it generates an authorization credential, encrypts it, and sends it to the user. In this process the owner end entrusts the agent end with managing the devices that the owner owns and makes available as a public resource. When the agent end determines that the user who sent the usage permission request has a legitimate right to use the requested device, it sends the authorization credential directly to the user without involving the owner's identity information, which avoids direct transfer of information between the user and the owner and thereby protects the owner's private information.
[0104] Embodiment 5:
[0105] FIG. 8 shows a structural diagram of a system for acquiring device usage permissions based on the Internet of Things according to a fifth embodiment of the present invention. As shown in FIG. 8, the system includes:
[0106] an information receiving unit 81, configured to receive the authentication information sent by the server, the owner information, and the information of devices in a normal state.
[0107] Specifically, the server first reviews the agent end; when the agent end satisfies preset conditions, it is recognized as a legitimate agent end. Only a legitimate agent end has agency authority, and the server sends authentication information to the legitimate agent end. The server compiles the various devices in normal use within a certain range of the Internet of Things system, together with the owner information of those devices, consolidates this information, and sends it to the agent end that has agency authority. The authentication information includes the server's credit evaluation of the agent end, generated from the results of its investigation of the agent end, the term of the agent end's agency, and so on. In addition, when sending a request for permission to use a device, the user may first check whether the agent end has authentication information, or choose an agent end according to the credit evaluation in the agent end's authentication information.
[0108] a delegation credential acquisition unit 82, configured to receive the user's request for permission to use the device, obtain user information according to that request, and receive the delegation credential sent by the owner end;
[0109] a delegation credential verification unit 83, configured to decrypt the delegation credential and verify its validity;
[0110] a condition determination unit 84, configured to determine, when the delegation credential is valid, whether the user's request for permission to use the device meets the conditions for obtaining permission to use the device;
[0111] an authorization credential generation unit 85, configured to generate an authorization credential when the user's request for permission to use the device meets the conditions for obtaining permission to use the device;
[0112] an authorization credential encryption unit 86, configured to encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
[0113] In this embodiment, the delegation credential acquisition unit 82, the delegation credential verification unit 83, the condition determination unit 84, the authorization credential generation unit 85, and the authorization credential encryption unit 86 correspond respectively to the delegation credential acquisition unit 71, the delegation credential verification unit 72, the condition determination unit 73, the authorization credential generation unit 74, and the authorization credential encryption unit 75 in Embodiment 4, and are not described again here.
[0114] In the fifth embodiment of the present invention, in handling the user's request for permission to use a device, the agent end first receives the authentication information sent by the server, the owner information, and the information of the devices available for use. Because the agent end has an obligation to keep the owner's personal information confidential, the agent end is first authenticated in this step to establish its legitimacy, which both keeps the owner's device safe and ensures that the personal information of the owner and the user is not casually leaked.
[0115] 实施例六: [0116] 图 9示出了本发明第六实施例提供的一种基于物联网的设备使用权限获取系统 的结果图; 如图 9所示, 所述基于物联网的设备使用权限获取系统包括: Embodiment 6: [0116] FIG. 9 is a diagram showing a result of an Internet of Things-based device usage right acquisition system according to a sixth embodiment of the present invention. As shown in FIG. 9, the Internet of Things-based device usage right acquisition system includes:
[0117] 信息接收单元 91, 用于接收服务器发送的认证信息、 物主信息以及处于正常状 态下的设备信息。 [0117] The information receiving unit 91 is configured to receive the authentication information, the owner information, and the device information in a normal state sent by the server.
[0118] 委托凭证获取单元 92, 用于接收用户对设备的使用权限的请求, 根据所述用户 对设备的使用权限的请求获取用户信息并接收物主端发送的委托凭证;  [0118] The proxy credential obtaining unit 92 is configured to receive a request for the user to use the device, and obtain the user information according to the user's request for the use right of the device, and receive the proxy credential sent by the main object;
[0119] 委托凭证验证单元 93, 用于解密所述委托凭证, 并验证所述委托凭证的有效性 [0119] a delegation voucher verification unit 93, configured to decrypt the delegation voucher, and verify the validity of the delegation voucher
[0120] 条件判断单元 94, 用于在所述委托凭证有效吋, 判断所述用户对设备的使用权 限的请求是否符合获取所述设备的使用权限的条件; [0120] The condition determining unit 94 is configured to determine, when the trusted credential is valid, whether the request of the user for using the device is consistent with the condition for obtaining the use right of the device;
[0121] 授权凭证生成单元 95, 用于在所述用户对设备的使用权限的请求符合获取所述 设备的使用权限的条件吋, 生成授权凭证;  [0121] an authorization credential generating unit 95, configured to generate an authorization credential after the request for the user's use right of the device is consistent with the condition for obtaining the use right of the device;
[0122] 授权凭证加密单元 96, 用于加密所述授权凭证, 并发送加密后的授权凭证到所 述用户, 以使所述用户通过所述设备对所述授权凭证进行验证。  [0122] The authorization credential encryption unit 96 is configured to encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
[0123] 本实施例中信息接收单元 91、 委托凭证获取单元 92、 委托凭证验证单元 93、 条 件判断单元 84、 授权凭证生成单元 95、 授权凭证加密单元 96与实施例四中信息 接收单元 81、 委托凭证获取单元 82、 委托凭证验证单元 83、 条件判断单元 84、 授权凭证生成单元 85、 授权凭证加密单元 86分别对应, 不再赘述。  [0123] The information receiving unit 91, the delegation credential obtaining unit 92, the delegation credential verification unit 93, the condition judging unit 84, the authorization credential generating unit 95, the authorization credential encrypting unit 96, and the information receiving unit 81 in the fourth embodiment, The delegation voucher obtaining unit 82, the delegation voucher verification unit 83, the condition judging unit 84, the authorization voucher generation unit 85, and the authorization voucher encryption unit 86 respectively correspond to each other, and will not be described again.
[0124] 验证结果接收单元 97, 用于接收所述设备对所述授权凭证的验证结果, 并发送 所述验证结果到所述物主端。  [0124] The verification result receiving unit 97 is configured to receive a verification result of the authorization credential by the device, and send the verification result to the object owner.
[0125] In the sixth embodiment of the present invention, after the user obtains the authorization credential for the requested device, the device verifies the information contained in the authorization credential. If verification passes, the device opens usage permission to the user and sends the verification result to the agent end; the agent end records the result and then sends it to the owner end. This process avoids direct communication between the user and the owner, which both protects the owner's personal information from being leaked and ensures the user's personal safety.
[0126] It should be understood that, in the embodiments of the present invention, the magnitude of the sequence numbers of the above processes does not imply an order of execution. The order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
[0127] Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of the present invention.
[0128] Those skilled in the art can clearly understand that, for the specific working processes of the systems, apparatuses and units described above, reference may be made to the corresponding processes in the foregoing method embodiments, which are not repeated here.
[0129] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and in an actual implementation there may be other ways of dividing them; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
[0130] In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
[0131] If the functions are implemented in the form of software functional units and sold or used as a standalone product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
[0132] The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims

[Claim 1] An Internet of Things-based method for acquiring device usage permission, characterized in that the method comprises:
receiving a user's request for usage permission of a device, obtaining user information according to the user's request for usage permission of the device, and receiving a delegation credential sent by the owner end;
decrypting the delegation credential and verifying the validity of the delegation credential;
when the delegation credential is valid, determining whether the user's request for usage permission of the device meets the conditions for obtaining usage permission of the device;
when the user's request for usage permission of the device meets the conditions for obtaining usage permission of the device, generating an authorization credential;
encrypting the authorization credential and sending the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
[Claim 2] The Internet of Things-based method for acquiring device usage permission according to claim 1, characterized in that decrypting the delegation credential and verifying the validity of the delegation credential specifically comprises:
decrypting the delegation credential to obtain the generation time and the delegated content of the delegation credential;
determining whether the generation time of the delegation credential is within the validity period;
when the generation time of the delegation credential is within the validity period, retrieving pre-stored delegation information, matching the delegated content against the delegation information, and making the final determination of the validity of the delegation credential according to the matching result.
[Claim 3] The Internet of Things-based method for acquiring device usage permission according to claim 2, characterized in that determining, when the delegation credential is valid, whether the user's request for usage permission of the device meets the conditions for obtaining usage permission of the device specifically comprises:
when the delegation credential is valid, obtaining the ID information carried in the user's request for usage permission of the device;
obtaining the user credit level corresponding to the ID information;
when the user credit level meets the requirement, determining that the user's request for usage permission of the device meets the conditions for obtaining usage permission of the device; otherwise, determining that the user's request for usage permission of the device does not meet the conditions for obtaining usage permission of the device.
[Claim 4] The Internet of Things-based method for acquiring device usage permission according to claim 1, characterized in that, before receiving the user's request for usage permission of the device, obtaining user information according to the user's request for usage permission of the device, and receiving the delegation credential sent by the owner end, the method comprises:
receiving authentication information, owner information, and information on devices in a normal state, sent by a server.
[Claim 5] The Internet of Things-based method for acquiring device usage permission according to any one of claims 1-4, characterized in that, after encrypting the authorization credential and sending the encrypted authorization credential to the user so that the user verifies the authorization credential through the device, the method comprises:
receiving the device's verification result for the authorization credential, and sending the verification result to the owner end.
[Claim 6] An Internet of Things-based system for acquiring device usage permission, characterized in that the system comprises:
a delegation credential obtaining unit, configured to receive a user's request for usage permission of a device, obtain user information according to the user's request for usage permission of the device, and receive a delegation credential sent by the owner end;
a delegation credential verification unit, configured to decrypt the delegation credential and verify the validity of the delegation credential;
a condition determining unit, configured to determine, when the delegation credential is valid, whether the user's request for usage permission of the device meets the conditions for obtaining usage permission of the device;
an authorization credential generating unit, configured to generate an authorization credential when the user's request for usage permission of the device meets the conditions for obtaining usage permission of the device;
an authorization credential encryption unit, configured to encrypt the authorization credential and send the encrypted authorization credential to the user, so that the user verifies the authorization credential through the device.
[Claim 7] The Internet of Things-based system for acquiring device usage permission according to claim 6, characterized in that the delegation credential verification unit specifically comprises:
a decryption module, configured to decrypt the delegation credential to obtain the generation time and the delegated content of the delegation credential;
a preliminary determining module, configured to determine whether the generation time of the delegation credential is within the validity period;
a matching module, configured to, when the generation time of the delegation credential is within the validity period, retrieve pre-stored delegation information, match the delegated content against the delegation information, and make the final determination of the validity of the delegation credential according to the matching result.
[Claim 8] The Internet of Things-based system for acquiring device usage permission according to claim 7, characterized in that the condition determining unit specifically comprises:
an ID obtaining module, configured to obtain, when the delegation credential is valid, the ID information carried in the user's request for usage permission of the device;
a credit level obtaining module, configured to obtain the user credit level corresponding to the ID information;
a condition determining module, configured to determine, when the user credit level meets the requirement, that the user's request for usage permission of the device meets the conditions for obtaining usage permission of the device, and otherwise to determine that the user's request for usage permission of the device does not meet the conditions for obtaining usage permission of the device.
[Claim 9] An Internet of Things-based system for acquiring device usage permission, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the Internet of Things-based method for acquiring device usage permission according to any one of claims 1 to 5.
[Claim 10] A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the Internet of Things-based method for acquiring device usage permission according to any one of claims 1 to 5.
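
The agent-side checks of claims 2 and 3 (validity period, match against pre-stored delegation information, credit-level gate), followed by issuing an authorization credential that the device verifies, as an added example that is not part of the patent. The JSON layout, key names, 600-second window, credit threshold and sample data are assumptions; because Python's standard library has no authenticated cipher, the patent's encrypt/decrypt steps are stood in for by an HMAC-SHA256 tag (integrity only), where a deployment would use an AEAD cipher.

```python
import hashlib
import hmac
import json

# Assumptions (none of these values come from the patent): JSON payloads,
# one key shared by owner and agent, one shared by agent and device,
# a 600-second validity period and a minimum credit level of 3.
OWNER_AGENT_KEY = b"constructed-demo-key-owner-agent"
AGENT_DEVICE_KEY = b"constructed-demo-key-agent-device"
VALIDITY_SECONDS = 600
MIN_CREDIT_LEVEL = 3

# Constructed sample data: delegation information stored in advance by the
# agent, and credit levels keyed by the user ID carried in the request.
STORED_DELEGATIONS = {
    "lock-17": {"device_id": "lock-17", "owner": "owner-A", "scope": "unlock"},
}
CREDIT_LEVELS = {"user-1": 4, "user-2": 1}


def seal(key, payload):
    """Serialize payload and append an HMAC-SHA256 tag (stand-in for encryption)."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def unseal(key, token):
    """Return the payload if the tag verifies under key, otherwise None."""
    body, sep, tag = token.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not sep or not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def handle_request(request, delegation_token, now):
    """Agent-side decision; returns (authorization token or None, reason)."""
    delegation = unseal(OWNER_AGENT_KEY, delegation_token)
    if delegation is None:
        return None, "delegation credential failed verification"
    # Claim 2: the generation time must lie inside the validity period.
    generated_at = delegation.get("generated_at")
    if not isinstance(generated_at, (int, float)):
        return None, "delegation credential has no generation time"
    if not 0 <= now - generated_at <= VALIDITY_SECONDS:
        return None, "delegation credential outside validity period"
    # Claim 2: the delegated content must match the stored delegation info.
    stored = STORED_DELEGATIONS.get(request["device_id"])
    if stored is None or delegation.get("content") != stored:
        return None, "delegation content does not match stored information"
    # Claim 3: gate on the credit level of the ID carried in the request.
    if CREDIT_LEVELS.get(request["user_id"], 0) < MIN_CREDIT_LEVEL:
        return None, "user credit level too low"
    grant = {"device_id": stored["device_id"], "user_id": request["user_id"],
             "scope": stored["scope"], "issued_at": now}
    return seal(AGENT_DEVICE_KEY, grant), "authorized"


def device_verify(authorization_token, device_id):
    """Device-side check of the authorization credential for this device."""
    grant = unseal(AGENT_DEVICE_KEY, authorization_token)
    return grant is not None and grant.get("device_id") == device_id


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    token = seal(OWNER_AGENT_KEY, {"generated_at": now - 60,
                                   "content": STORED_DELEGATIONS["lock-17"]})
    for user in ("user-1", "user-2"):
        auth, reason = handle_request({"device_id": "lock-17", "user_id": user}, token, now)
        print(user, reason, auth is not None and device_verify(auth, "lock-17"))
```

The order of the checks follows the claims: a credential that fails verification or is stale is rejected before any lookup of stored delegation information or credit data takes place.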
PCT/CN2017/093335 2017-06-16 2017-07-18 Method and system for acquiring usage permissions of internet of things-based equipment WO2018227693A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710461378.5 2017-06-16
CN201710461378.5A CN107395567B (en) 2017-06-16 2017-06-16 Equipment use permission obtaining method and system based on Internet of things

Publications (1)

Publication Number Publication Date
WO2018227693A1 (en) 2018-12-20

Family

ID=60333274

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/093335 WO2018227693A1 (en) 2017-06-16 2017-07-18 Method and system for acquiring usage permissions of internet of things-based equipment

Country Status (2)

Country Link
CN (1) CN107395567B (en)
WO (1) WO2018227693A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI649997B (en) * 2017-12-20 2019-02-01 中華電信股份有限公司 Internet of things system and information security communication method thereof
CN108200159A (en) * 2017-12-29 2018-06-22 深圳市轱辘车联数据技术有限公司 A kind of vehicle sharing method, server and readable storage medium storing program for executing
CN108551445B (en) * 2018-04-04 2021-02-23 深圳市元征软件开发有限公司 Vehicle sharing method and server
CN108833507B (en) * 2018-05-31 2020-11-10 长安大学 Authorization authentication system and method for shared product
CN108737445B (en) * 2018-06-20 2021-04-02 中国联合网络通信集团有限公司 Security policy sharing method and security policy sharing system
CN109005177B (en) * 2018-08-08 2021-01-29 珠海沃德尔软件科技有限公司 Authorization method and system for handling emergency
CN109670897A (en) * 2018-10-17 2019-04-23 成都途图乐科技有限公司 For the shared parking system and method that single member and vehicle identification determine at present
CN111294379B (en) * 2018-12-10 2022-06-07 北京沃东天骏信息技术有限公司 Block chain network service platform, authority hosting method thereof and storage medium
CN111882842B (en) * 2020-08-04 2022-12-02 珠海格力电器股份有限公司 Early warning method of sharing equipment and sharing equipment
CN113343208A (en) * 2021-05-20 2021-09-03 网易(杭州)网络有限公司 Certificate authorization method, device, terminal and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014187246A1 (en) * 2013-05-24 2014-11-27 成都秦川科技发展有限公司 Internet of things automotive intelligent control panel and internet of things automotive intelligent management system
CN104219328A (en) * 2014-09-26 2014-12-17 宁波市北仑海伯精密机械制造有限公司 Sharing system and sharing method for internet-of-things device
CN105577494A (en) * 2016-01-04 2016-05-11 青岛海信电器股份有限公司 Control method of smart home devices, device and system
CN105635174A (en) * 2016-02-03 2016-06-01 武汉天梯极客网络科技有限公司 Intelligent device sharing method

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104077925A (en) * 2014-06-13 2014-10-01 牛力伟 Stall sharing method, system and server
CN104283881B (en) * 2014-10-11 2017-10-27 上海华和得易信息技术发展有限公司 Method for the Certificate Authority and safe handling of Internet of Things sensing equipment
US9935950B2 (en) * 2015-01-12 2018-04-03 Verisign, Inc. Systems and methods for establishing ownership and delegation ownership of IOT devices using domain name system services
CN106157680A (en) * 2015-04-07 2016-11-23 上海添路电子信息科技发展有限公司 A kind of parking lot management-control method and corresponding parking system
CN104732804A (en) * 2015-04-14 2015-06-24 胥达 Stall resource sharing or renting or parking lot stall trading system and stall resource sharing or renting or parking lot stall trading method
CN105491228B (en) * 2015-11-24 2019-04-19 大连楼兰科技股份有限公司 Share the method and system of vehicle control power
KR101688812B1 (en) * 2016-04-18 2016-12-22 (주)케이사인 Method and system of authorizing/managing iot device based on owner's authorization server

Also Published As

Publication number Publication date
CN107395567B (en) 2020-05-15
CN107395567A (en) 2017-11-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17913886

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC , EPO FORM 1205A DATED 20.05.2020.

122 Ep: pct application non-entry in european phase

Ref document number: 17913886

Country of ref document: EP

Kind code of ref document: A1