WO2021046822A1 - Device activation method, terminal device, and computer storage medium - Google Patents

Info

Publication number
WO2021046822A1
Authority
WO
WIPO (PCT)
Prior art keywords
credential
owner
transfer method
resource
supported
Application number
PCT/CN2019/105784
Other languages
French (fr)
Chinese (zh)
Inventor
杨宁
Original Assignee
Oppo广东移动通信有限公司
Application filed by Oppo广东移动通信有限公司 filed Critical Oppo广东移动通信有限公司
Priority to CN201980095274.4A priority Critical patent/CN113647075B/en
Priority to PCT/CN2019/105784 priority patent/WO2021046822A1/en
Publication of WO2021046822A1 publication Critical patent/WO2021046822A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Definitions

  • the present invention relates to the field of communication technology, and in particular to a device activation method, terminal device and computer storage medium.
  • the newly added terminal device can interact with the activated terminal device after it is activated.
  • the traditional device activation method is: configure device ownership, that is, a legitimate user uses an Owner Transfer Method (Owner Transfer Method, OTM) to establish the ownership of a terminal device through an activation tool (Onboarding Tool, OBT). After the ownership is established, set the device to the normal operating state, including using OBT to configure the terminal device to authorize the management service, and the management service to set the terminal device with the credentials and access permissions required to interact with other activated terminal devices.
  • the terminal device can operate normally and interact with the activated terminal device.
  • the process of realizing device activation can specifically include: discovering new terminal devices, executing owner transfer methods, establishing device identity, establishing owner credentials, assigning devices to management services, configuring device management services, and preparing for interaction between devices, which results in cumbersome operations and increases the transmission overhead.
  • the embodiments of the present application provide a device activation method, terminal device, and computer storage medium, which can simplify operation procedures and save transmission overhead.
  • an embodiment of the present application provides a device activation method, including:
  • the first device receives resource information sent by the second device, where the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: credential type, configuration mode supported by the second device, working status of the second device, and access authority information;
  • the first device sends to the second device a second owner transfer method configured for the second device and a client-led configuration mode, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods;
  • the first device performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection
  • the first device sends credential information to the second device through the secure connection, and the credential information includes the owner credential, the credential for AMS to access the second device, and the credential for CMS to access the second device, where the owner credential is determined according to the type of credential supported by the second device, so that the management service sends to the second device the security resources required by the second device to interact with the third device.
  • the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
  • an embodiment of the present application provides a device activation method, including:
  • the second device sends resource information to the first device, where the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the credential type supported by the second device, the configuration mode supported by the second device, the working status of the second device, and access authority information;
  • the second device performs a DTLS handshake with the first device according to the second owner transfer method to establish a secure connection
  • the second device receives the credential information sent by the first device through the secure connection, the credential information includes the owner credential, the credential for AMS to access the second device, and the credential for CMS to access the second device, where the owner credential is determined according to the type of credential supported by the second device;
  • the second device receives a security resource that is required when interacting with a third device sent by a management service, the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
  • an embodiment of the present application provides a first device that has a function of implementing the method described in the first aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units corresponding to the above-mentioned functions.
  • an embodiment of the present application provides a first device, the first device includes a processor, and the processor is coupled with the memory, wherein:
  • the memory is used to store instructions
  • the processor is configured to receive resource information sent by a second device, where the resource information includes a first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the type of credential supported by the second device, the configuration mode supported by the second device, the working status of the second device, and access authority information; to send to the second device the second owner transfer method configured for the second device and the client-led configuration mode, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods; to perform a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection; and to send credential information to the second device through the secure connection, the credential information including the owner credential, the credential for AMS to access the second device and the credential for CMS to access the second device,
  • the owner credential is determined according to the type of credential supported by the second device, so that the management service sends to the second device the security resources needed when the second device interacts with the third device, where
  • the third device is an activate
  • an embodiment of the present application provides a second device that has a function of implementing the method described in the second aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units corresponding to the above-mentioned functions.
  • an embodiment of the present application provides a second device, the second device includes a processor, and the processor is coupled with the memory, wherein:
  • the memory is used to store instructions
  • the processor is configured to send resource information to a first device, where the resource information includes a first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the credential types supported by the second device, the configuration modes supported by the second device, the working status of the second device, and access authority information; to receive the second owner transfer method and the client-led configuration mode sent by the first device, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods; to perform a DTLS handshake with the first device according to the second owner transfer method to establish a secure connection; to receive the credential information sent by the first device via the secure connection, where the credential information includes the owner's credential, the AMS's credential for accessing the second device and the CMS's credential for accessing the second device, and the owner's credential is determined based on the type of credential supported by the second device; and to receive the security resource, sent by the management service, that is required to interact with a third device.
  • the third device is an activated terminal device, and the management service includes the AMS and
  • an embodiment of the present application provides a computer storage medium, wherein the computer-readable storage medium stores a computer program or instruction, and when the program or instruction is executed by a processor, the processor executes the device activation method as described in the first aspect.
  • the embodiments of the present application provide a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute part or all of the steps described in the first aspect of the application embodiment.
  • the computer program product may be a software installation package.
  • an embodiment of the present application provides a computer storage medium, wherein the computer-readable storage medium stores a computer program or instruction, and when the program or instruction is executed by a processor, the processor executes the device activation method as described in the second aspect.
  • an embodiment of the present application provides a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute part or all of the steps described in the second aspect of the application embodiment.
  • the computer program product may be a software installation package.
  • the first device receives the resource information sent by the second device at one time
  • the resource information includes the first owner transfer method supported by the second device
  • the resource information further includes at least one of the following: supported credential types, configuration modes supported by the second device, working status of the second device, and access authority information.
  • the first device sends to the second device the second owner transfer method and client for the second device configuration at one time
  • the first device performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection, and then the first device sends to the second device through the secure connection, at one time, the owner's credential, the credential for AMS to access the second device and the credential for CMS to access the second device, so that the management service can send to the second device the security resources needed when the second device interacts with the third device.
  • Batch processing can be carried out and the device activation process can be merged, which simplifies the operation process and saves transmission overhead.
  • FIG. 1 is a schematic diagram of the architecture of a communication system provided by an embodiment of the present application.
  • Figure 2 is a schematic diagram of a collection resource provided by an embodiment of the present application.
  • FIG. 3 is an example flowchart of a device activation method provided by an embodiment of the present application.
  • FIG. 4 is a block diagram of the functional unit composition of a first device provided by an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a first device provided by an embodiment of the present application.
  • FIG. 6 is a block diagram of a functional unit composition of a second device provided by an embodiment of the present application.
  • Fig. 7 is a schematic structural diagram of a second device provided by an embodiment of the present application.
  • Fig. 1 shows a schematic diagram of the architecture of a communication system involved in the present application.
  • the communication system may include a first device 101, a second device 102, a third device 103, and a management service 104.
  • the first device 101 establishes a communication connection with the second device 102 and the management service 104 respectively, and the second device 102 establishes a communication connection with the management service 104 and the third device 103 respectively.
  • the first device 101 may be an activation tool (Onboarding Tool, OBT) device.
  • a legitimate user can use an Owner Transfer Method (Owner Transfer Method, OTM) through OBT devices to establish device ownership.
  • the second device 102 can be set to a normal operating state, for example, the OBT device can be used to configure the second device 102 to authorize the management service 104.
  • the first device may be a client, specifically an entity that operates server resources.
  • the second device 102 may be a device to be activated.
  • OCF Open Connectivity Foundation
  • devices need to be activated before they can operate in the network or interact with other activated devices. Based on this, in the embodiments of this application a device that needs to be activated is called the device to be activated.
  • the second device may be a server.
  • the third device 103 may be an activated device.
  • the management service 104 may include an access management service (Access Management Service, AMS), a security credential management service (Credential Management Service, CMS), or a device ownership transfer service (Device Ownership Transfer Service, DOTS).
  • the management service 104 can set the credentials and access permissions for the second device 102 to interact with the third device 103, and finally enable the second device 102 to operate normally and interact with the third device 103.
  • the traditional device activation method is: discover new terminal devices, execute owner transfer method, establish device identity, establish owner credential, assign device to management service, configure device management service, and prepare for interaction between devices.
  • the execution sequence of the above operations is fixed, and only one Security Virtual Resource (SVR) is operated at a time, which results in a cumbersome interaction process and high transmission overhead.
  • the present application provides a device activation method.
  • the first device 101 can receive resource information sent by the second device 102, where the resource information includes the first owner transfer method supported by the second device 102 and further includes at least one of the following: the credential type supported by the second device 102, the configuration mode supported by the second device 102, the working status of the second device 102, and the access authority information; the first device 101 sends to the second device 102 the second owner transfer method configured for the second device 102 and the client-led configuration mode, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods; the first device 101 performs a Datagram Transport Layer Security (DTLS) handshake with the second device 102 according to the second owner transfer method
  • the credential information includes the owner’s credential.
  • AMS accesses the second device 102.
  • the owner's credentials are determined according to the type of credentials supported by the second device 102, so that the management service 104 sends to the second device 102 the security resources required when the second device 102 interacts with the third device 103.
  • this application can operate multiple SVRs at a time, that is, the device activation process is merged in batch processing, thereby simplifying the operation process and saving transmission overhead.
  • the SVR may include at least one of the following: owner transfer method, credential type, configuration mode supported by the second device 102, working status of the second device 102, access authority information, client-led configuration mode, owner credential, the credential for AMS to access the second device 102 and the credential for CMS to access the second device 102, as well as security resources, and so on.
  • the SVR may include "/oic/sec/doxm", "/oic/sec/pstat", "/oic/sec/cred", "/oic/sec/acl2" and other /oic/sec/obd resources.
  • the "/oic/sec/doxm" resource is a resource defined by the OCF standard, which describes the ownership transfer method supported by the second device 102 and the currently used ownership transfer method.
  • the "/oic/sec/pstat" resource is a resource defined by the OCF standard, which describes the configuration mode type supported by the second device 102 and the currently configured configuration mode.
  • the "/oic/sec/cred" resource is a resource defined by the OCF standard, and describes the credential information required to access the second device 102.
  • the "/oic/sec/acl2" resource is a resource defined by the OCF standard, which describes the access authority information of the second device 102 and so on.
  • FIG. 2 is a schematic diagram of Collection resources.
  • Collection resources can include OCF Links.
  • OCF Links represents a collection of one or more link resources. Multiple target resources or other Collection resources can be referenced through Collection resources.
  • a Collection resource contains the switch resources of device A (device identification is light) and the switch resources of device B (device identification is fan), forming a centralized resource group.
  • the client can request multiple resources at the same time by accessing the oic.if.b interface of the Collection resource.
  • the Collection resource handler will send the request to each resource in the links, collect the response returned by each resource, and then return the responses to the client in a unified manner.
  • the oic.if.b interface refers to an access interface used to access a batch of resources.
  • the second device may add the /oic/sec/obd resource when it starts or enters the device ready for OTM state (RFOTM).
  • the /oic/sec/obd resource may include the /oic/sec/doxm resource, the /oic/sec/pstat resource, the /oic/sec/cred resource, and the /oic/sec/acl2 resource, etc.
  • the /oic/sec/doxm resource can include the first owner transfer method supported by the second device, the /oic/sec/pstat resource can include the configuration mode supported by the second device, the /oic/sec/cred resource can include the type of credential and credential information supported by the second device, and the /oic/sec/acl2 resource can include access authority information, etc.
  • the first device can send a resource acquisition request to the second device through the oic.if.b interface that accesses the Collection resource, and the second device can use the Collection resource to convert the resource acquisition request into an owner transfer method acquisition request, a configuration mode acquisition request, a credential type acquisition request and an access permission acquisition request.
  • the second device may send the owner transfer method acquisition request to the /oic/sec/doxm resource through the Collection resource, and obtain the first owner transfer method supported by the second device from the /oic/sec/doxm resource.
  • the second device may send the configuration mode acquisition request to the /oic/sec/pstat resource through the Collection resource, and obtain the configuration mode supported by the second device from the /oic/sec/pstat resource.
  • the second device may send the credential type acquisition request to the /oic/sec/cred resource through the Collection resource, and obtain the credential type supported by the second device from the /oic/sec/cred resource.
  • the second device may send the access permission acquisition request to the /oic/sec/acl2 resource through the Collection resource, and obtain the access permission information from the /oic/sec/acl2 resource. Then, the second device can package the first owner transfer method supported by the second device, the configuration mode supported by the second device, the credential type supported by the second device, and the access authority information through the collection resource to generate resource information. Then, the second device can send the resource information to the first device through the collection resource.
  • FIG. 3 is a device activation method provided by an embodiment of the present application, and the method includes:
  • the second device sends resource information to the first device, the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: a credential type supported by the second device, supported configuration modes, working status of the second device, and access authority information.
  • the first device may receive the resource information sent by the second device in a GET manner on a user datagram protocol (User Datagram Protocol, UDP) unicast channel.
  • the second device returns the owner transfer method supported by the second device, the credential type supported by the second device, the configuration mode supported by the second device, the current working status of the second device, and the default acl2 ("anon-clear" and "auth-crypt" type ace2).
  • the owner transfer method supported by the second device may include at least one of the following: a simple (Just-works) method, a personal identification number (Personal Identification Number, PIN) method, a certificate method, and a manufacturer-defined method.
  • the credential type supported by the second device may include symmetric credentials and/or asymmetric credentials.
  • a symmetric credential may include a pair of symmetric keys or a group of symmetric keys.
  • Asymmetric credentials can include certificates or original asymmetric keys.
  • the configuration mode supported by the second device may include at least one of the following: a client-led configuration mode, a server-led configuration mode that uses a single configuration service, and a server-led configuration mode that uses multiple configuration services.
  • Device configuration can be client-led or server-led.
  • the client-led configuration relies on the client device to determine what, how, and when server-side resources should be instantiated and updated.
  • the server-led configuration depends on the server seeking configuration when specified conditions are met.
  • the server-led configuration relies on the configuration of the "rowneruuid" attribute in the "/oic/sec/doxm", "/oic/sec/cred" and "/oic/sec/acl2" resources to indicate the trusted DOTS, CMS and AMS service device IDs respectively. Further, "/oic/sec/cred" should be configured with the necessary credentials during owner transfer so that a secure connection can be established with the appropriate supporting services.
  • the configuration status resource "/oic/sec/pstat" is used to enable the second device to perform self-directed configuration.
  • the second device knows its current configuration state and target configuration object. If there is a difference between the current and target states, the second device should query the "rowneruuid" attribute of the "/oic/sec/cred" resource to find out whether there is any suitable configuration service. If it is set to active, the second device should request configuration.
  • the om attribute of the "/oic/sec/pstat" resource will specify the expected device behavior under these conditions.
  • the self-directed configuration enables the device to operate with greater autonomy, so as to minimize the dependence on the central configuration organization and prevent it from becoming a single point of failure in the network.
  • the current working state of the second device may be RFOTM, device ready for configuration state (RFPRO), device ready for normal operation state (RFNOP), device reset state (RESET), or device soft reset state (SRESET).
  • the platform manufacturer should provide a physical mechanism (such as a button) to force the platform to reset. All devices carried on the same platform change the state of the second device to RESET when the platform is reset. When the device status is RESET, all SVR content is deleted and reset to the manufacturer's default value. The default manufacturer's device status is RESET. After successfully executing the RESET, the SRM transitions to the RFOTM state by setting the "s" attribute of the "/oic/sec/dostype" resource to RFOTM.
  • the second device in the RFOTM state refers to an operable device that is ready for ownership transfer.
  • the device status is RFOTM
  • before OTM is successful, the deviceuuid attribute of the "/oic/sec/doxm" resource is set to a temporary non-repeated value.
  • the "s" attribute of the "/oic/sec/dostype" resource is read-only for unauthenticated requesters.
  • the "s" attribute of the "/oic/sec/dostype" resource is readable and writable for the authorized requester.
  • SRM Secure Resource Manager
  • DOTS The state of other equipment cannot be changed unless the state of the equipment returns to RFOTM from RESET. DOTS may need to perform other configuration tasks in the RFOTM state. After completion, DOTS changes the "owned" attribute of the "/doxm" resource to "true".
  • RFPRO means that the second device is ready for other configurations.
  • the "s" attribute of the "/oic/sec/dostype" resource is read-only for unauthorized requesters and readable and writable for authorized requesters.
  • Authorized clients can configure SVR according to the requirements of the normal operation of RFNOP.
  • Authorized clients can perform a consistency check on the SVR to determine which should be reconfigured. Unsuccessful configuration of the SVR may trigger the status change to RESET, for example, if the device has transitioned from SRESET but the consistency check continues to fail.
  • The authorized client sets /pstat.dos.s to RFNOP.
  • RFNOP refers to the final state of the second device that is an operable device.
  • the device status is RFNOP
  • the "/pstat.dos.s" attribute is read-only for unauthorized requesters and readable and writable for authorized requesters. With normal access procedures, SVRs and core resources can be accessed. The authorized client can convert the device to RFPRO. Only the device owner can switch the device to SRESET or RESET.
  • SRESET means that the second device is inoperable but still owned by the current owner.
  • SVR integrity cannot be guaranteed, but it is necessary to access certain SVR attributes.
  • SVR attributes include the devowneruuid attribute of the "/oic/sec/doxm" resource, the "creds": [{..., {"subjectuuid": <devowneruuid>}, ...}] attribute of the "/oic/sec/cred" resource and the "s" attribute of the "/oic/sec/dostype" resource of the "/oic/sec/pstat" resource.
  • the certificate for identifying and authorizing the device owner is sufficient to recreate the minimum required "/cred" and "/doxm" resources so that the device owner can control SRESET. If SRM cannot establish these resources, it will transition to the RESET state.
  • Authorized device owners can avoid entering the RESET and RFOTM states by writing RFPRO or RFNOP into the "dos.s" attribute of the "/pstat" resource.
  • ACLs on SVR are considered invalid. Only the device owner can access it.
  • the first device acquires the resources that need to be acquired multiple times in the traditional device activation method at one time, which simplifies the operation process and saves transmission overhead.
  • the first device may discover the device to be activated, that is, the second device. After the first device discovers the second device, it receives the resource information sent by the second device.
  • the second device may generate the resource information when detecting that the operating state of the second device is updated to the RFOTM state.
  • the /oic/sec/obd resource is automatically added when the second device enters the RFOTM state.
  • the /oic/sec/obd resource is a Collection resource (i.e. "oic.wk.col" type), which refers to the following target resources (for example, /oic/sec/doxm, /oic/sec/pstat, /oic/sec/cred, /oic/sec/acl2); the /oic/sec/obd resource supports the "oic.if.b" interface.
  • the device activation process can be implemented by performing an "oic.if.b" interface operation on the /oic/sec/obd resource.
  • the second device before the second device sends the resource information to the first device, the second device generates the resource information when detecting that the second device is in a running state.
  • the second device automatically generates the /oic/sec/obd resource when it is started.
  • the second device deletes the resource information when detecting that the operating state of the second device is updated to the RFNOP state or the RESET state.
  • the /oic/sec/obd resource can be automatically deleted.
  • the resource information may not be deleted.
  • the /oic/sec/obd resource may not be deleted, but the owner's Universally Unique Identifier (UUID) of the resource may be set as the device owner's UUID.
  • S302 The first device sends to the second device the second owner transfer method for the configuration of the second device and the client-led configuration mode.
  • the second owner transfer method is at least one owner transfer method among the first owner transfer methods.
  • the first device may send the second owner transfer method for the configuration of the second device and the client-led configuration mode to the second device in a POST manner on the UDP unicast channel.
  • the first device sends the resources that need to be sent multiple times in the traditional device activation method to the second device at one time, which can simplify the operation process and save transmission overhead.
  • the first device configures the second owner transfer method for the second device, which can realize the establishment of device ownership.
  • the goal of establishing device ownership is to allow legitimate users who own or purchase the second device to become the owner and administrator of the second device.
  • This process includes using OBT to establish ownership information between the second device and the first device, and to control and manage the second device.
  • OBT is a logical entity running on the second device or the first device, such as a network management console, device management tool, network monitoring tool, network configuration tool, home gateway or home automation controller.
  • the physical device running OBT should meet some security reinforcement requirements, and use integrity and confidentiality protection for the stored credentials.
  • the tool or server that establishes ownership is often referred to as OBT.
  • the "owner transfer" is used here because even for a new device, its ownership is transferred from the manufacturer to the purchaser.
  • S303 The first device performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection.
  • the first device can execute Just-Works OTM for DTLS handshake to establish a secure connection.
  • S304 The first device sends the credential information to the second device through the secure connection.
  • the credential information may include the owner's credential, the credential for the AMS to access the second device and the credential for the CMS to access the second device, and the owner's credential is determined according to the type of credential supported by the second device.
  • the first device may send the credential information to the second device through a POST method and a secure connection on a UDP unicast channel.
  • the owner's certificate may be composed of a certificate signed by the first device or other organization, user network access information, shared key, and so on.
  • the first device sends the resources that need to be sent multiple times in the traditional device activation method to the second device at one time, which can simplify the operation process and save transmission overhead.
  • after the second device receives the credential information sent by the first device through the secure connection, if the second device successfully updates the data according to the credential information, the second device can update its operating status to the RFPRO state and send a first feedback message to the first device; the first feedback message is used to indicate that the second device successfully updated the data.
  • the first feedback message may include the updated owner UUID and the device persistent UUID.
  • the first feedback message is used to indicate to the first device that the second device successfully updated the data. If the second device fails to update the data, the second device sends a failure indication message to the first device.
  • before the second device updates its operating status to the RFPRO state, the second device determines that the data update is successful when the owner UUID, the resource owner UUID, the owner's credential, the credential for the CMS to access the second device, and the credential for the AMS to access the second device have all been updated successfully.
  • after the second device receives the credential information sent by the first device through the secure connection, if the second device fails to update data according to the credential information, the second device sends a second feedback message to the first device; the second feedback message is used to indicate that the second device failed to update the data.
  • if the second device fails to update the owner UUID, or fails to update the resource owner UUID, or fails to update the owner credential, or fails to update the CMS credential, or fails to update the AMS credential, the second device sends a second feedback message to the first device, such as {"msg":"Internal Server operation error", "ec":2000}.
  • after the second device receives the credential information sent by the first device through the secure connection, if the second device does not support updating the device persistent UUID, the second device sends the device persistent UUID stored in the second device to the first device.
  • after the second device receives the credential information sent by the first device through the secure connection, if the second device fails to update the device persistent UUID, the second device sends a second feedback message to the first device; the second feedback message is used to indicate that the second device failed to update the data.
  • the second device sends a second feedback message to the first device, such as {"msg":"Invalid parameter","ec":1100}.
  • S305 The management service sends to the second device the security resources required when the second device interacts with the third device.
  • the first device may close the DTLS connection.
  • the first device receives, at one time, the resource information sent by the second device; the resource information includes the first owner transfer method supported by the second device and further includes at least one of the following: the credential type supported by the second device, the configuration mode supported by the second device, the working status of the second device, and the access authority information. The first device sends to the second device, at one time, the second owner transfer method configured for the second device and the client-led configuration mode. The first device performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection, and then sends to the second device through the secure connection, at one time, the owner's credential, the credential for the AMS to access the second device and the credential for the CMS to access the second device, so that the management service can send to the second device the security resources required when the second device interacts with the third device. Batch processing can thus be carried out and the device activation process merged, thereby simplifying the operation process and saving transmission overhead.
  • the terminal device includes a hardware structure and/or software module corresponding to each function.
  • the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of this application.
  • the embodiment of the present application may divide the terminal device into functional units according to the foregoing method examples.
  • each functional unit may be divided corresponding to each function, or two or more functions may be integrated into one processing unit.
  • the above-mentioned integrated unit can be realized in the form of hardware or software program module. It should be noted that the division of units in the embodiments of the present application is illustrative, and is only a logical function division, and there may be other division methods in actual implementation.
  • FIG. 4 shows a block diagram of a possible functional unit composition of the first device involved in the foregoing embodiment, and the first device includes:
  • the communication unit 401 is configured to receive resource information sent by a second device, where the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the second device Supported credential types, configuration modes supported by the second device, working status of the second device, and access authority information.
  • the communication unit 401 is further configured to send to the second device a second owner transfer method configured for the second device and a client-led configuration mode, and the second owner transfer method is at least one owner transfer method among the first owner transfer methods.
  • the processing unit 402 is configured to perform a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection.
  • the communication unit 401 is further configured to send credential information to the second device through the secure connection, the credential information including the owner's credential, the credential for AMS to access the second device and the credential for CMS to access the second device; the owner credential is determined according to the credential type supported by the second device, so that the management service sends to the second device the security resources required by the second device to interact with the third device.
  • the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
  • the processing unit 402 may be a processor or a controller, and the communication unit 401 may be a transceiver, a transceiver circuit, a radio frequency chip, or the like.
  • the receiving of the resource information sent by the second device by the communication unit 401 includes:
  • the resource information sent by the second device is received in a GET manner on the UDP unicast channel.
  • the communication unit 401 sending the second owner transfer method for the second device configuration and the client-led configuration mode to the second device includes:
  • the second owner transfer method and the client-led configuration mode of the configuration of the second device are sent to the second device through the POST method on the UDP unicast channel.
  • the communication unit 401 sending credential information to the second device through the secure connection includes:
  • the credential information is sent to the second device through the POST mode and the secure connection on the UDP unicast channel.
  • the terminal device involved in the embodiment of the present application may be the first device shown in FIG. 5.
  • first device shown in FIG. 4 and FIG. 5 may be used to implement the steps performed by the first device in the above-mentioned embodiment, which will not be repeated in this embodiment of the application.
  • the communication unit 1001 receives the resource information sent by the second device and sends to the second device the second owner transfer method configured for the second device and the client-led configuration mode; the processing unit 1002 performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection; and the communication unit 1001 sends credential information to the second device through the secure connection, so that the management service sends to the second device the security resources required when the second device interacts with the third device, which can simplify the operation process and save transmission overhead.
  • FIG. 6 shows a block diagram of a possible functional unit composition of the second device involved in the foregoing embodiment, and the first device includes:
  • the communication unit 601 is configured to send resource information to a first device, where the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: Supported credential types, configuration modes supported by the second device, working status of the second device, and access authority information.
  • the communication unit 601 is further configured to receive a second owner transfer method and a client-led configuration mode sent by the first device, and the second owner transfer method is at least one owner transfer method among the first owner transfer methods.
  • the processing unit 602 is configured to perform a DTLS handshake with the first device according to the second owner transfer method to establish a secure connection.
  • the communication unit 601 is further configured to receive credential information sent by the first device via the secure connection, the credential information including the owner credential, the credential for AMS to access the second device, and the credential for CMS to access the second device; the owner credential is determined according to the credential type supported by the second device.
  • the communication unit 601 is further configured to receive security resources required when interacting with a third device sent by a management service, where the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
  • the processing unit 602 may be a processor or a controller, and the communication unit 601 may be a transceiver, a transceiver circuit, a radio frequency chip, or the like.
  • the method further includes:
  • the processing unit 602 updates the operating status of the second device to the device ready-to-configure (RFPRO) state;
  • the communication unit 601 sends a first feedback message to the first device, where the first feedback message is used to indicate that the second device successfully updates data.
  • the first feedback message includes the updated owner UUID and the device persistent UUID.
  • before the processing unit 602 updates the operating state of the second device to the RFPRO state, the method further includes:
  • the processing unit 602 determines that the data update is successful.
  • the method further includes:
  • the communication unit 601 sends a second feedback message to the first device, where the second feedback message is used to indicate that the second device fails to update data.
  • the method further includes:
  • the communication unit 601 sends the device persistent UUID stored by the second device to the first device.
  • the method further includes:
  • the communication unit 601 sends a second feedback message to the first device, where the second feedback message is used to indicate that the second device fails to update data.
  • before the communication unit 601 sends resource information to the first device, the method further includes:
  • the processing unit 602 generates the resource information when detecting that the operating status of the second device is updated to the device ready-for-OTM (RFOTM) state.
  • before the communication unit 601 sends resource information to the first device, the method further includes:
  • the processing unit 602 generates the resource information when detecting that the second device is in a running state.
  • the processing unit 602 is further configured to delete the resource information when it is detected that the operating state of the second device is updated to the RFNOP state or the RESET state.
  • the second device involved in the embodiment of the present application may be the second device shown in FIG. 7.
  • the second device shown in FIG. 6 and FIG. 7 may be used to implement the steps performed by the second device in the above-mentioned embodiment, which will not be repeated in this embodiment of the application.
  • the communication unit 1001 sends resource information to the first device and receives the second owner transfer method and the client-led configuration mode sent by the first device; the processing unit 1002 performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection; and the communication unit 1001 receives the credential information sent by the first device through the secure connection and receives from the management service the security resources required to interact with the third device, which simplifies the operation process and saves transmission overhead.
  • the embodiment of the present application also provides a computer-readable storage medium, wherein the computer-readable storage medium stores a computer program for electronic data exchange, and the computer program causes the computer to execute part or all of the steps described for the first device in the above method embodiment.
  • the embodiments of the present application also provide a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute part or all of the steps described for the first device in the method embodiments described above.
  • the computer program product may be a software installation package.
  • the embodiment of the present application also provides a computer-readable storage medium, wherein the computer-readable storage medium stores a computer program for electronic data exchange, and the computer program causes the computer to execute part or all of the steps described for the second device in the above method embodiment.
  • the embodiments of the present application also provide a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute part or all of the steps described for the second device in the method embodiments described above.
  • the computer program product may be a software installation package.
  • the steps of the method or algorithm described in the embodiments of the present application may be implemented in a hardware manner, or may be implemented in a manner in which a processor executes software instructions.
  • Software instructions can be composed of corresponding software modules, which can be stored in random access memory (RAM), flash memory, read-only memory (ROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), registers, hard disk, mobile hard disk, CD-ROM, or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor, so that the processor can read information from the storage medium and write information to the storage medium.
  • the storage medium may also be an integral part of the processor.
  • the processor and the storage medium may be located in the ASIC.
  • the ASIC may be located in an access network device, a target network device, or a core network device.
  • the processor and the storage medium may also exist as discrete components in the access network device, the target network device, or the core network device.
  • the functions described in the embodiments of the present application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when software is used, the functions can be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber, or Digital Subscriber Line (DSL)) or wireless means (such as infrared, wireless, or microwave).
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), an optical medium (for example, a Digital Video Disc (DVD)), or a semiconductor medium (for example, a Solid State Disk (SSD)), and so on.
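The second device's handling of the batched credential POST in S304 (all five items must update before the device moves to RFPRO; failures return the 2000 or 1100 body), modelled as an added Python example that is not part of the patent text. The payload key names, the "psk"/"cert" credential type labels, the stage-then-commit rollback, the concrete failure checks and the PermissionError for requests outside RFOTM or off the secure connection are assumptions.

```python
import copy
import uuid

# Error bodies the page quotes for the second feedback message.
ERR_INTERNAL = {"msg": "Internal Server operation error", "ec": 2000}
ERR_INVALID = {"msg": "Invalid parameter", "ec": 1100}

# Assumed payload key names; the page lists the items, not their wire names.
OWNER_UUID_KEYS = ("owner_uuid", "resource_owner_uuid")
CRED_KEYS = ("owner_cred", "ams_cred", "cms_cred")

# Constructed sample of the single batched POST sent in S304.
SAMPLE_POST = {
    "owner_uuid": "11111111-1111-4111-8111-111111111111",
    "resource_owner_uuid": "11111111-1111-4111-8111-111111111111",
    "owner_cred": {"type": "psk", "data": "constructed-owner-secret"},
    "ams_cred": {"type": "psk", "data": "constructed-ams-secret"},
    "cms_cred": {"type": "psk", "data": "constructed-cms-secret"},
    "device_uuid": "22222222-2222-4222-8222-222222222222",
}


def is_uuid(value):
    """True when value parses as a UUID string."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


class SecondDevice:
    """Toy model of the device being activated (the page's second device)."""

    def __init__(self, device_uuid, cred_types, can_update_device_uuid=True):
        self.state = "RFOTM"
        self.cred_types = set(cred_types)  # credential types the device supports
        self.can_update_device_uuid = can_update_device_uuid
        self.store = {"device_uuid": device_uuid}

    def handle_credential_post(self, payload, over_dtls):
        # Assumption: the page does not say how a request outside RFOTM or
        # outside the DTLS session is answered; this model refuses it.
        if not over_dtls or self.state != "RFOTM":
            raise PermissionError("credential POST needs RFOTM and DTLS")

        # Assumption: stage every change and commit only if all succeed, so a
        # failed batch never leaves the device half-owned.
        staged = copy.deepcopy(self.store)

        for key in OWNER_UUID_KEYS:
            if not is_uuid(payload.get(key)):
                return dict(ERR_INTERNAL)
            staged[key] = payload[key]

        for key in CRED_KEYS:
            cred = payload.get(key)
            if not isinstance(cred, dict) or not cred.get("data"):
                return dict(ERR_INTERNAL)
            staged[key] = copy.deepcopy(cred)

        # The owner credential must be of a type the device advertised.
        if staged["owner_cred"].get("type") not in self.cred_types:
            return dict(ERR_INTERNAL)

        # A device that cannot update its persistent UUID keeps the stored
        # one and reports it in the feedback message.
        if self.can_update_device_uuid and "device_uuid" in payload:
            if not is_uuid(payload["device_uuid"]):
                return dict(ERR_INVALID)
            staged["device_uuid"] = payload["device_uuid"]

        self.store = staged
        self.state = "RFPRO"
        # First feedback message: updated owner UUID and device persistent UUID.
        return {"owner_uuid": staged["owner_uuid"],
                "device_uuid": staged["device_uuid"]}


def run_cases():
    """Run one success path and three other paths; return the outcomes."""
    old = "33333333-3333-4333-8333-333333333333"  # constructed stored UUID
    results = {}

    dev = SecondDevice(old, {"psk"})
    results["ok"] = (dev.handle_credential_post(SAMPLE_POST, True), dev.state)

    dev = SecondDevice(old, {"psk"})
    partial = {k: v for k, v in SAMPLE_POST.items() if k != "ams_cred"}
    results["missing_ams"] = (dev.handle_credential_post(partial, True), dev.state)

    dev = SecondDevice(old, {"psk"})
    bad = dict(SAMPLE_POST, device_uuid="not-a-uuid")
    results["bad_device_uuid"] = (
        dev.handle_credential_post(bad, True), dev.state, dict(dev.store))

    dev = SecondDevice(old, {"psk"}, can_update_device_uuid=False)
    results["fixed_uuid"] = (dev.handle_credential_post(SAMPLE_POST, True), dev.state)
    return results


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(name, outcome)
```

In the `bad_device_uuid` case the owner fields had already validated, yet the store still holds only the original device UUID, which is the property the staging step is there to guarantee.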

Abstract

A device activation method, a terminal device, and a computer storage medium. The method comprises: a first device receives resource information sent by a second device, the resource information comprising a first owner transfer method supported by the second device, and the resource information further comprising at least one of the following: a credential type supported by the second device, a configuration mode supported by the second device, the working state of the second device, and access permission information (S301); the first device sends to the second device a second owner transfer method configured for the second device and a client-led configuration mode (S302); the first device performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection (S303); the first device sends credential information to the second device by means of the secure connection (S304). The method can simplify the operation process and reduce transmission overhead.

Description

Device activation method, terminal device and computer storage medium
Technical field
The present invention relates to the field of communication technology, and in particular to a device activation method, a terminal device and a computer storage medium.
Background
In an Internet of Things system, a newly added terminal device can interact with activated terminal devices only after it has been activated. The traditional device activation method is to configure device ownership: a legitimate user uses an Owner Transfer Method (OTM) through an Onboarding Tool (OBT) to establish ownership of the terminal device. After ownership is established, the device is set to the normal operating state, which includes using the OBT to configure the terminal device so as to authorize the management service, and having the management service set, for the terminal device, the credentials and access permissions required to interact with other activated terminal devices, so that the terminal device can finally operate normally and interact with activated terminal devices. The process of device activation may specifically include: discovering the newly added terminal device, executing the owner transfer method, establishing the device identity, establishing the owner credential, assigning the device to the management service, configuring the device management service, and preparing for interaction between devices, which makes the operation cumbersome and increases transmission overhead.
Summary of the invention
The embodiments of the present application provide a device activation method, a terminal device, and a computer storage medium, which can simplify the operation process and save transmission overhead.
In a first aspect, an embodiment of the present application provides a device activation method, including:
a first device receives resource information sent by a second device, where the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the credential type supported by the second device, the configuration mode supported by the second device, the working status of the second device, and access authority information;
the first device sends to the second device a second owner transfer method configured for the second device and a client-led configuration mode, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods;
the first device performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection;
the first device sends credential information to the second device through the secure connection, where the credential information includes the owner credential, the credential for the AMS to access the second device, and the credential for the CMS to access the second device, and the owner credential is determined according to the credential type supported by the second device, so that the management service sends to the second device the security resources required when the second device interacts with a third device; the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
In a second aspect, an embodiment of the present application provides a device activation method, including:
a second device sends resource information to a first device, where the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the credential type supported by the second device, the configuration mode supported by the second device, the working status of the second device, and access authority information;
the second device receives a second owner transfer method and a client-led configuration mode sent by the first device, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods;
the second device performs a DTLS handshake with the first device according to the second owner transfer method to establish a secure connection;
the second device receives credential information sent by the first device through the secure connection, where the credential information includes the owner credential, the credential for the AMS to access the second device, and the credential for the CMS to access the second device, and the owner credential is determined according to the credential type supported by the second device;
the second device receives, from a management service, the security resources required when interacting with a third device, where the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
In a third aspect, an embodiment of the present application provides a first device that has the function of implementing the method described in the first aspect. The function can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the above-mentioned function.
In a fourth aspect, an embodiment of the present application provides a first device, where the first device includes a processor, and the processor is coupled with a memory, wherein:
the memory is used to store instructions;
the processor is configured to receive resource information sent by a second device, where the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the credential type supported by the second device, the configuration mode supported by the second device, the working status of the second device, and access authority information; to send to the second device a second owner transfer method configured for the second device and a client-led configuration mode, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods; to perform a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection; and to send credential information to the second device through the secure connection, where the credential information includes the owner credential, the credential for the AMS to access the second device, and the credential for the CMS to access the second device, and the owner credential is determined according to the credential type supported by the second device, so that the management service sends to the second device the security resources required when the second device interacts with a third device; the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
In a fifth aspect, an embodiment of the present application provides a second device that has the function of implementing the method described in the second aspect. The function can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the above-mentioned function.
In a sixth aspect, an embodiment of the present application provides a second device, where the second device includes a processor, and the processor is coupled with a memory, wherein:
the memory is used to store instructions;
the processor is configured to send resource information to a first device, where the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the credential type supported by the second device, the configuration mode supported by the second device, the working status of the second device, and access authority information; to receive a second owner transfer method and a client-led configuration mode sent by the first device, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods; to perform a DTLS handshake with the first device according to the second owner transfer method to establish a secure connection; to receive credential information sent by the first device through the secure connection, where the credential information includes the owner credential, the credential for the AMS to access the second device, and the credential for the CMS to access the second device, and the owner credential is determined according to the credential type supported by the second device; and to receive, from a management service, the security resources required when interacting with a third device, where the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
第七方面,本申请实施例提供了一种计算机存储介质,其中,所述计算机可读存储介质存储有计算机程序或指令,当所述程序或指令被处理器执行时,使所述处理器执行如第一方面所述的设备激活方法。In a seventh aspect, an embodiment of the present application provides a computer storage medium, wherein the computer-readable storage medium stores a computer program or instruction, and when the program or instruction is executed by a processor, the processor executes The device activation method as described in the first aspect.
第八方面,本申请实施例提供了一种计算机程序产品,其中,所述计算机程序产品包括存储了计算机程序的非瞬时性计算机可读存储介质,所述计算机程序可操作来使计算机执行如本申请实施例第一方面所描述的部分或全部步骤。该计算机程序产品可以为一个软 件安装包。In an eighth aspect, the embodiments of the present application provide a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute Part or all of the steps described in the first aspect of the application embodiment. The computer program product may be a software installation package.
第九方面,本申请实施例提供了一种计算机存储介质,其中,所述计算机可读存储介质存储有计算机程序或指令,当所述程序或指令被处理器执行时,使所述处理器执行如第二方面所述的设备激活方法。In a ninth aspect, an embodiment of the present application provides a computer storage medium, wherein the computer-readable storage medium stores a computer program or instruction, and when the program or instruction is executed by a processor, the processor executes The device activation method as described in the second aspect.
第十方面,本申请实施例提供了一种计算机程序产品,其中,所述计算机程序产品包括存储了计算机程序的非瞬时性计算机可读存储介质,所述计算机程序可操作来使计算机执行如本申请实施例第二方面所描述的部分或全部步骤。该计算机程序产品可以为一个软件安装包。In a tenth aspect, an embodiment of the present application provides a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute Part or all of the steps described in the second aspect of the application embodiment. The computer program product may be a software installation package.
可以看出,本申请实施例中第一设备一次性接收第二设备发送的资源信息,资源信息包括第二设备所支持的第一业主转让方法,资源信息还包括以下至少一种:第二设备所支持的凭证类型,第二设备所支持的配置模式,第二设备的工作状态,以及访问权限信息,第一设备一次性向第二设备发送对第二设备配置的第二业主转让方法和客户端主导的配置模式,第一设备根据第二业主转让方法与第二设备进行DTLS握手,以建立安全连接,然后第一设备通过安全连接向第二设备一次性发送业主凭证,AMS访问第二设备的凭证和CMS访问第二设备的凭证,以使管理服务向第二设备发送第二设备与第三设备进行交互时所需的安全资源,可进行批量处理,合并设备激活流程,从而简化操作流程,节省传输开销。It can be seen that in this embodiment of the application, the first device receives the resource information sent by the second device at one time, the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: Supported credential types, configuration modes supported by the second device, working status of the second device, and access authority information. The first device sends to the second device the second owner transfer method and client for the second device configuration at one time In the dominant configuration mode, the first device performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection, and then the first device sends the owner's credentials to the second device through the secure connection at a time, and AMS accesses the second device’s The voucher and the voucher for CMS to access the second device, so that the management service can send to the second device the security resources needed when the second device interacts with the third device. Batch processing can be carried out and the device activation process can be merged to simplify the operation process. Save transmission overhead.
Description of the drawings
The drawings needed for the description of the embodiments or of the prior art are briefly introduced below.
FIG. 1 is a schematic diagram of the architecture of a communication system provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of a Collection resource provided by an embodiment of the present application;
FIG. 3 is an example flowchart of a device activation method provided by an embodiment of the present application;
FIG. 4 is a block diagram of the functional units of a first device provided by an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a first device provided by an embodiment of the present application;
FIG. 6 is a block diagram of the functional units of a second device provided by an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a second device provided by an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application are described below with reference to the accompanying drawings.
FIG. 1 shows a schematic diagram of the architecture of a communication system involved in the present application. The communication system may include a first device 101, a second device 102, a third device 103 and a management service 104. The first device 101 establishes communication connections with the second device 102 and with the management service 104, and the second device 102 establishes communication connections with the management service 104 and with the third device 103.
The first device 101 may be an Onboarding Tool (OBT) device. For example, a legitimate user can use an Owner Transfer Method (OTM) through the OBT device to establish device ownership. After device ownership is established, the second device 102 can be set to the normal operating state, for example by using the OBT device to configure the second device 102 so as to authorize the management service 104. Exemplarily, the first device may be a client, specifically an entity that operates on server resources.
The second device 102 may be a device to be activated. In the Internet of Things system defined by the Open Connectivity Foundation (OCF), a device must be activated before it can operate in the network or interact with other activated devices. On this basis, the embodiments of the present application refer to a device that needs to be activated as a device to be activated. Exemplarily, the second device may be a server.
The third device 103 may be an activated device.
The management service 104 may include an Access Management Service (AMS), a Credential Management Service (CMS) or a Device Ownership Transfer Service (DOTS). For example, the management service 104 can set, for the second device 102, the credentials and access permissions used to interact with the third device 103, so that the second device 102 can ultimately operate normally and interact with the third device 103.
The traditional device activation method is: discover the newly added terminal device, execute the owner transfer method, establish the device identity, establish the owner credential, assign the device to the management service, configure the device management service, and prepare for interaction between devices. The execution order of these operations is fixed, and only one Security Virtual Resource (SVR) is operated on at a time, which makes the interaction flow cumbersome and the transmission overhead high.
The present application instead provides a device activation method. The first device 101 can receive resource information sent by the second device 102, where the resource information includes the first owner transfer method supported by the second device 102 and further includes at least one of the following: the credential type supported by the second device 102, the configuration mode supported by the second device 102, the working state of the second device 102, and access permission information. The first device 101 sends to the second device 102 the second owner transfer method configured for the second device 102 and the client-led configuration mode, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods. The first device 101 performs a Datagram Transport Layer Security (DTLS) handshake with the second device 102 according to the second owner transfer method to establish a secure connection. The first device 101 sends credential information to the second device 102 over the secure connection, where the credential information includes the owner credential, the credential for the AMS to access the second device 102 and the credential for the CMS to access the second device 102, and the owner credential is determined according to the credential type supported by the second device 102, so that the management service 104 sends the second device 102 the security resources required for the second device 102 to interact with the third device 103.
Compared with the traditional device activation method, the present application can operate on multiple SVRs at a time, that is, it merges the device activation flow by means of batch processing, which simplifies the operation flow and saves transmission overhead.
An SVR may include at least one of the following: the owner transfer method, the credential type, the configuration mode supported by the second device 102, the working state of the second device 102, the access permission information, the client-led configuration mode, the owner credential, the credential for the AMS to access the second device 102 and the credential for the CMS to access the second device 102, the security resources, and so on. Specifically, the SVRs may include /oic/sec/obd resources such as "/oic/sec/doxm", "/oic/sec/pstat", "/oic/sec/cred" and "/oic/sec/acl2". The "/oic/sec/doxm" resource is a resource defined by the OCF standard that describes the ownership transfer methods supported by the second device 102, the ownership transfer method currently in use, and so on. The "/oic/sec/pstat" resource is a resource defined by the OCF standard that describes the configuration mode types supported by the second device 102 and the currently configured configuration mode. The "/oic/sec/cred" resource is a resource defined by the OCF standard that describes the credential information required to access the second device 102, and so on. The "/oic/sec/acl2" resource is a resource defined by the OCF standard that describes the access permission information of the second device 102, and so on.
In addition, the embodiments of the present application can get or set multiple SVRs in one operation by using the "oic.if.b" interface to perform batch processing on a Collection resource. The Collection resource is described in detail below. Refer to FIG. 2, which is a schematic diagram of a Collection resource. A Collection resource may include OCF Links, which represent a set of one or more link resources; through a Collection resource, multiple target resources or other Collection resources can be referenced. Taking FIG. 2 as an example, one Collection resource contains the switch resource of device A (device identifier "light") and the switch resource of device B (device identifier "fan"), forming a centralized resource group. A client can request multiple resources at the same time by accessing the oic.if.b interface of the Collection resource. The Collection resource handler sends the request to each resource in the links, collects the response returned by each resource, and returns the gathered responses to the client together.
The oic.if.b interface is an access interface used to access a batch of resources. For example, the second device may add the /oic/sec/obd resource when it starts up or when it enters the Ready for OTM (RFOTM) device state. The /oic/sec/obd resource may include the /oic/sec/doxm resource, the /oic/sec/pstat resource, the /oic/sec/cred resource, the /oic/sec/acl2 resource, and so on. The /oic/sec/doxm resource may include the first owner transfer method supported by the second device, the /oic/sec/pstat resource may include the configuration mode supported by the second device, the /oic/sec/cred resource may include the credential type supported by the second device as well as credential information, and the /oic/sec/acl2 resource may include access permission information. The first device can send a resource acquisition request to the second device by accessing the oic.if.b interface of the Collection resource. Through the Collection resource, the second device can convert the resource acquisition request into an owner transfer method acquisition request, a configuration mode acquisition request, a credential type acquisition request and an access permission acquisition request. The second device can then, through the Collection resource, send the owner transfer method acquisition request to the /oic/sec/doxm resource and obtain from it the first owner transfer method supported by the second device; send the configuration mode acquisition request to the /oic/sec/pstat resource and obtain from it the configuration mode supported by the second device; send the credential type acquisition request to the /oic/sec/cred resource and obtain from it the credential type supported by the second device; and send the access permission acquisition request to the /oic/sec/acl2 resource and obtain from it the access permission information. The second device can then, through the Collection resource, package the first owner transfer method supported by the second device, the configuration mode supported by the second device, the credential type supported by the second device and the access permission information to generate the resource information, and send the resource information to the first device through the Collection resource.
In view of the above description, the embodiments of the present application propose the following embodiments, which are described in detail below with reference to the accompanying drawings.
Based on FIG. 1 and FIG. 2, refer to FIG. 3. FIG. 3 shows a device activation method provided by an embodiment of the present application. The method includes:
S301: The second device sends resource information to the first device, where the resource information includes the first owner transfer method supported by the second device and further includes at least one of the following: the credential type supported by the second device, the configuration mode supported by the second device, the working state of the second device, and access permission information.
In a specific implementation, the first device can receive the resource information sent by the second device by means of a GET on a User Datagram Protocol (UDP) unicast channel. For example, the first device can read /oic/sec/obd?if=oic.if.b by means of a GET on the UDP unicast channel, and the second device returns the owner transfer methods supported by the second device, the credential types supported by the second device, the configuration modes supported by the second device, the current working state of the second device, and the default acl2 (ace2 entries of the "anon-clear" and "auth-crypt" types). The data is, for example, {...,"oxms":[0,1,2,...],"owned":FALSE,"sct":[1,2,4,8,16,32,...],"dos":{"s":1,"p":FALSE},"sm":0bXXXX,X1XX,...}.
The owner transfer methods supported by the second device may include at least one of the following: the Just-works method, the Personal Identification Number (PIN) method, the certificate method, and a manufacturer-defined method.
The credential types supported by the second device may include symmetric credentials and/or asymmetric credentials. For example, symmetric credentials may include pairwise symmetric keys or group symmetric keys. Asymmetric credentials may include certificates or raw asymmetric keys.
The configuration modes supported by the second device may include at least one of the following: the client-led configuration mode, server-led using a single configuration service, and server-led using multiple configuration services.
Device configuration can be client-led or server-led. Client-led configuration relies on the client device to determine what, how and when server resources should be instantiated and updated. Server-led configuration relies on the server seeking configuration when conditions dictate. Server-led configuration depends on the configuration of the "rowneruuid" attribute in the "/oic/sec/doxm", "/oic/sec/cred" and "/oic/sec/acl2" resources, which indicate the device IDs of the trusted DOTS, CMS and AMS services respectively. Further, "/oic/sec/cred" should be configured at owner transfer time with the credentials necessary to establish secure connections with the appropriate supporting services.
The configuration state resource "/oic/sec/pstat" is used to enable the second device to perform self-directed configuration. The second device knows its current configuration state and its target configuration objective. When there is a difference between the current and target states, the second device should query the "rowneruuid" attribute of the "/oic/sec/cred" resource to discover whether any suitable configuration service exists. If it is set to be proactive, the second device should request configuration. The om attribute of the "/oic/sec/pstat" resource specifies the expected device behavior in these cases.
In the embodiments of the present application, self-directed configuration enables the device to operate with greater autonomy, minimizing its dependence on a central configuration authority and preventing that authority from becoming a single point of failure in the network.
The current working state of the second device may be RFOTM, the Ready for Provisioning device state (RFPRO), the Ready for Normal Operation device state (RFNOP), the device reset state (RESET) or the device soft reset state (SRESET).
The platform manufacturer should provide a physical mechanism (such as a button) that forces a platform reset. All devices hosted on the same platform transition the second device state to RESET when the platform reset is asserted. When the device state is RESET, all SVR content is deleted and reset to the manufacturer's default values. The default manufacturer device state is RESET. After RESET has been executed successfully, the SRM transitions to the RFOTM state by setting the "s" attribute of the "/oic/sec/dostype" resource to RFOTM.
A second device in the RFOTM state is an operable device that is ready for ownership transfer. When the device state is RFOTM, the deviceuuid attribute of the "/oic/sec/doxm" resource is set to a temporary non-repeated value until OTM succeeds. Before OTM succeeds, the "s" attribute of the "/oic/sec/dostype" resource is read-only for unauthenticated requesters. After OTM succeeds, the "s" attribute of the "/oic/sec/dostype" resource is readable and writable for authorized requesters. The negotiated device Owner Credential (OC) is used to create an authenticated session, through which DOTS instructs the device state to transition to RFPRO. If an authenticated session cannot be created, the ownership transfer session should be disconnected, and the Secure Resource Manager (SRM) sets the device state back to the RESET state. The ownership transfer session should not exceed 60 seconds; otherwise the SRM declares OTM failure, disconnects and transitions to the RESET state (/pstat.dos.s=RESET). DOTS changes the "devowneruuid" attribute of the "/doxm" resource to a non-zero UUID value. In the RFOTM state, DOTS (or another authorized client) can change this value multiple times. In other device states the value cannot be changed, unless the device state returns from RESET to RFOTM. DOTS may need to perform other configuration tasks in the RFOTM state. When it has finished, DOTS changes the "owned" attribute of the "/doxm" resource to "true".
RFPRO means that the second device is ready for further configuration. When the device state is RFPRO, the "s" attribute of the "/oic/sec/dostype" resource is read-only for unauthorized requesters and readable and writable for authorized requesters. An authorized client can configure SVRs as needed for normal operation in RFNOP. An authorized client can perform a consistency check on the SVRs to determine which should be reconfigured. Failure to configure the SVRs successfully may trigger a state change to RESET, for example if the device has transitioned from SRESET but the consistency check continues to fail. The authorized client sets /pstat.dos.s=RFNOP.
RFNOP is the final state of the second device as an operable device. When the device state is RFNOP, the "/pstat.dos.s" attribute is read-only for unauthorized requesters and readable and writable for authorized requesters. SVRs and core resources can be accessed using the normal access flow. An authorized client can transition the device to RFPRO. Only the device owner can transition the device to SRESET or RESET.
SRESET means that the second device is inoperable but is still owned by the current owner. When the device state is SRESET, SVR integrity cannot be guaranteed, but it is necessary to access certain SVR attributes. These include the devowneruuid attribute of the "/oic/sec/doxm" resource, the "creds":[{…,{"subjectuuid":<devowneruuid>},…}] attribute of the "/oic/sec/cred" resource, and the "s" attribute of the "/oic/sec/dostype" resource of the "/oic/sec/pstat" resource. The certificate that identifies and authorizes the device owner is sufficient to recreate the minimum required "/cred" and "/doxm" resources so that the device owner can control SRESET. If the SRM cannot establish these resources, it transitions to the RESET state. The authorized client performs SVR consistency checks. It can provision SVRs as needed to ensure that they are available for continued configuration in RFPRO or for normal operation in RFNOP. The authorized device owner can avoid entering the RESET and RFOTM states by writing RFPRO or RFNOP to the "dos.s" attribute of the "/pstat" resource. ACLs on SVRs are considered invalid. Access is possible only with device owner privileges. The SRM asserts the client-led operation mode (for example /pstat.om=CLIENT_DIRECTED).
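The state rules described above for RESET, RFOTM, RFPRO, RFNOP and SRESET, written out as a small state machine. This is an added example, not code from the application or from OCF; the role names, the class and the rule that RFOTM cannot be left before "owned" is true are assumptions made for illustration.

```python
RESET, RFOTM, RFPRO, RFNOP, SRESET = "RESET", "RFOTM", "RFPRO", "RFNOP", "SRESET"
ANON, AUTHORIZED, OWNER = "anon", "authorized", "owner"  # hypothetical requester roles
OTM_SESSION_LIMIT_S = 60
NIL_UUID = "00000000-0000-0000-0000-000000000000"

# (current state, requested state) -> roles whose write to pstat.dos.s is accepted
WRITE_RULES = {
    (RFOTM, RFPRO): {OWNER},   # DOTS, over the session authenticated with the owner credential
    (RFPRO, RFNOP): {AUTHORIZED, OWNER},
    (RFNOP, RFPRO): {AUTHORIZED, OWNER},
    (RFNOP, SRESET): {OWNER},
    (RFNOP, RESET): {OWNER},
    (SRESET, RFPRO): {OWNER},
    (SRESET, RFNOP): {OWNER},
}


def manufacturer_defaults():
    """Constructed stand-in for the SVR contents a device ships with."""
    return {"doxm": {"owned": False, "devowneruuid": NIL_UUID}, "cred": [], "acl2": []}


class SecureResourceManager:
    def __init__(self):
        self.history = []
        self.reset()

    def _enter(self, state):
        self.state = state
        self.history.append(state)

    def reset(self):
        """RESET wipes every SVR to manufacturer defaults, then moves on to RFOTM."""
        self._enter(RESET)
        self.svr = manufacturer_defaults()
        self.otm_started = None
        self._enter(RFOTM)

    def begin_otm_session(self, now):
        if self.state != RFOTM:
            raise RuntimeError("ownership transfer is only possible in RFOTM")
        self.otm_started = now

    def _otm_expired(self, now):
        """Declare OTM failed and reset if the session has run past the limit."""
        if (self.state == RFOTM and self.otm_started is not None
                and now - self.otm_started > OTM_SESSION_LIMIT_S):
            self.reset()
            return True
        return False

    def take_ownership(self, owner_uuid, now):
        """DOTS writes a non-zero devowneruuid and then sets owned to true."""
        if self._otm_expired(now) or self.state != RFOTM or self.otm_started is None:
            return False
        if owner_uuid == NIL_UUID:
            return False
        self.svr["doxm"].update(devowneruuid=owner_uuid, owned=True)
        return True

    def write_dos_s(self, role, target, now):
        """Handle a write to pstat.dos.s; returns True if the transition happened."""
        if self._otm_expired(now):
            return False
        if role not in WRITE_RULES.get((self.state, target), set()):
            return False
        # Assumption: RFOTM is not left until ownership has been recorded.
        if self.state == RFOTM and not self.svr["doxm"]["owned"]:
            return False
        if target == RESET:
            self.reset()
        else:
            self._enter(target)
        return True
```

Time is passed in as `now` (seconds) so the 60-second limit can be exercised without waiting.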
In this embodiment, the first device obtains in a single operation the resources that the traditional device activation method requires it to obtain over multiple operations, which simplifies the operation process and saves transmission overhead.
In an implementation manner, before the second device sends the resource information to the first device, the first device may discover the device to be activated, that is, the second device. After the first device discovers the second device, it receives the resource information sent by the second device.
In an implementation manner, before the second device sends the resource information to the first device, the second device may generate the resource information when it detects that its operating state has been updated to the RFOTM state.
In this embodiment, the second device automatically adds the /oic/sec/obd resource when it enters the RFOTM state. The /oic/sec/obd resource is a Collection resource (that is, of type "oic.wk.col") that references the following target resources (for example, /oic/sec/doxm, /oic/sec/pstat, /oic/sec/cred, /oic/sec/acl2), and it supports the "oic.if.b" interface. The embodiments of the present application can implement the device activation process by performing "oic.if.b" interface operations on the /oic/sec/obd resource.
In an implementation manner, before the second device sends the resource information to the first device, the second device generates the resource information when it detects that it is in a running state.
In this embodiment, the second device automatically generates the /oic/sec/obd resource at startup.
In an implementation manner, the second device deletes the resource information when it detects that its operating state has been updated to the RFNOP state or the RESET state.
In this embodiment, the second device may automatically delete the /oic/sec/obd resource when it enters the RFNOP or RESET state.
In an implementation manner, after the second device generates the resource information, it may leave the resource information in place. For example, after the second device generates the /oic/sec/obd resource, the resource may be kept rather than deleted, and the owner Universally Unique Identifier (UUID) of the resource is set to the device owner UUID.
S302: The first device sends to the second device the second owner transfer method configured for the second device and the client-led configuration mode.
The second owner transfer method is at least one owner transfer method among the first owner transfer methods.
In an implementation manner, the first device may send the second owner transfer method configured for the second device and the client-led configuration mode to the second device by POST on the UDP unicast channel.
In this embodiment, the first device may write to /oic/sec/obd?if=oic.if.b by POST on the UDP unicast channel, telling the second device to use oic.sec.oxm.jw to return the owner transfer method and the client-led configuration mode. If the second device successfully receives the second owner transfer method and the client-led configuration mode sent by the first device, the second device may send a success indication message to the first device. If the second device does not successfully receive the second owner transfer method and the client-led configuration mode sent by the first device, the second device may send a failure indication message to the first device, for example {"msg":"The model is not supported","ec":2101}.
In this embodiment, the first device sends to the second device in a single operation the resources that the traditional device activation method requires it to send over multiple operations, which simplifies the operation process and saves transmission overhead.
In a specific implementation, the first device configures the second owner transfer method for the second device in order to establish device ownership. The goal of establishing device ownership is to allow the legitimate user who owns or has purchased the second device to become its owner and administrator. This process includes using the OBT to establish ownership information between the second device and the first device, and to control and manage the second device. The OBT is a logical entity running on the second device or the first device, such as a network management console, device management tool, network monitoring tool, network configuration tool, home gateway or home automation controller. The physical device running the OBT should meet certain security hardening requirements and apply integrity and confidentiality protection to the credentials it stores. The tool or server that establishes ownership is often also called the OBT. The term "owner transfer" is used here because, even for a new device, ownership is transferred from the manufacturer to the purchaser.
S303: The first device performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection.
In a specific implementation, the first device may execute the Just-Works OTM to perform the DTLS handshake and establish the secure connection.
S304: The first device sends the credential information to the second device through the secure connection.
The credential information may include the owner credential, the credential with which the AMS accesses the second device, and the credential with which the CMS accesses the second device. The owner credential is determined according to the credential types supported by the second device.
In an implementation manner, the first device may send the credential information to the second device by POST over the secure connection on the UDP unicast channel.
In this embodiment, the first device may write to /oic/sec/obd?if=oic.if.b by POST on the UDP unicast channel; over the DTLS secure connection, the first device sets the second device's owner UUID, resource owner UUID, device persistent UUID, owner credential, CMS credential and AMS credential. The owner credential may consist of a certificate signed by the first device or another authority, user network access information, a shared key, and so on.
In this embodiment, the first device sends to the second device in a single operation the resources that the traditional device activation method requires it to send over multiple operations, which simplifies the operation process and saves transmission overhead.
In an implementation manner, after the second device receives the credential information sent by the first device through the secure connection, if the second device successfully updates its data according to the credential information, the second device may update its operating state to the RFPRO state and send a first feedback message to the first device. The first feedback message indicates that the second device updated the data successfully.
The first feedback message may include the updated owner UUID and the device persistent UUID.
For example, if the second device updates the data successfully, it automatically sets doxm to "owned=true" and enters the RFPRO state, and then sends the first feedback message to the first device to indicate that the data update succeeded. If the second device fails to update the data, it sends a failure indication message to the first device.
In an implementation manner, before the second device updates its operating state to the RFPRO state, the second device determines that the data update succeeded when the owner UUID, the resource owner UUID, the owner credential, the credential with which the CMS accesses the second device and the credential with which the AMS accesses the second device have all been updated successfully.
In an implementation manner, after the second device receives the credential information sent by the first device through the secure connection, if the second device fails to update its data according to the credential information, the second device sends a second feedback message to the first device. The second feedback message indicates that the second device failed to update the data.
For example, if the second device fails to update the owner UUID, the resource owner UUID, the owner credential, the CMS credential or the AMS credential, the second device sends the second feedback message to the first device, for example {"msg":"Internal Server operation error","ec":2000}.
In an implementation manner, after the second device receives the credential information sent by the first device through the secure connection, if the second device does not support updating the device persistent UUID, the second device sends the device persistent UUID that it has stored to the first device.
In an implementation manner, after the second device receives the credential information sent by the first device through the secure connection, if the second device fails to update the device persistent UUID, the second device sends a second feedback message to the first device. The second feedback message indicates that the second device failed to update the data.
For example, if the second device supports updating the device persistent UUID but fails to update it, the second device sends the second feedback message to the first device, for example {"msg":"Invalid parameter","ec":1100}.
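The second device's side of S302 and S304 as described above, modelled in Python as an added example (it is not code from the patent or from any OCF stack). The flat field names, the `fail_on` test hook, the staging copy that leaves stored values untouched when an update fails, and the choice of which condition triggers which error body are assumptions; the error bodies, state names and resource URIs are the page's.

```python
import copy
import uuid

# Error bodies quoted from the page's examples.
ERR_MODEL = {"msg": "The model is not supported", "ec": 2101}
ERR_INTERNAL = {"msg": "Internal Server operation error", "ec": 2000}
ERR_PARAM = {"msg": "Invalid parameter", "ec": 1100}

OBD_URI = "/oic/sec/obd"
OBD_LINKS = ["/oic/sec/doxm", "/oic/sec/pstat", "/oic/sec/cred", "/oic/sec/acl2"]
# Hypothetical flat names for the five items that must ALL update (S304).
REQUIRED = ("devowneruuid", "rowneruuid", "owner_cred", "cms_cred", "ams_cred")


def sample_body():
    """Constructed S304 request body; every value is a placeholder."""
    return {
        "devowneruuid": "11111111-1111-4111-8111-111111111111",
        "rowneruuid": "11111111-1111-4111-8111-111111111111",
        "piid": "22222222-2222-4222-8222-222222222222",
        "owner_cred": "constructed-owner-credential",
        "cms_cred": "constructed-cms-credential",
        "ams_cred": "constructed-ams-credential",
    }


class SecondDevice:
    """Toy model of the device being activated."""

    def __init__(self, supported_oxms, can_update_piid=True):
        self.supported_oxms = set(supported_oxms)
        self.can_update_piid = can_update_piid
        self.resources = {}
        self.state = "RESET"
        self.svr = dict.fromkeys(REQUIRED)
        self.svr.update(owned=False, piid=str(uuid.uuid4()), oxmsel=None, om=None)
        self.fail_on = None  # test hook: name of a field whose write "fails"

    def set_state(self, new_state):
        """The collection appears on RFOTM and is removed on RFNOP or RESET."""
        self.state = new_state
        if new_state == "RFOTM":
            self.resources[OBD_URI] = {"rt": ["oic.wk.col"], "if": ["oic.if.b"],
                                       "links": list(OBD_LINKS)}
        elif new_state in ("RFNOP", "RESET"):
            self.resources.pop(OBD_URI, None)

    def _require_obd(self):
        if OBD_URI not in self.resources:
            raise LookupError(OBD_URI + " is not exposed in state " + self.state)

    def post_select(self, oxmsel, om):
        """S302: accept only a transfer method this device advertised."""
        self._require_obd()
        if oxmsel not in self.supported_oxms or om != "CLIENT_DIRECTED":
            return dict(ERR_MODEL)
        self.svr.update(oxmsel=oxmsel, om=om)
        return {"oxmsel": oxmsel, "om": om}

    def post_credentials(self, body):
        """S304: apply the batch to a staging copy, commit only if all succeed."""
        self._require_obd()
        staged = copy.deepcopy(self.svr)
        for key in REQUIRED:
            value = body.get(key)
            if value is None or key == self.fail_on:
                return dict(ERR_INTERNAL)      # any single failure fails the batch
            staged[key] = value
        if "piid" in body and self.can_update_piid:
            try:
                staged["piid"] = str(uuid.UUID(body["piid"]))
            except (ValueError, AttributeError, TypeError):
                return dict(ERR_PARAM)
        # A device that cannot update piid keeps, and reports, its stored value.
        staged["owned"] = True
        self.svr = staged
        self.set_state("RFPRO")
        return {"devowneruuid": staged["devowneruuid"], "piid": staged["piid"]}


if __name__ == "__main__":
    dev = SecondDevice(["oic.sec.oxm.jw"])
    dev.set_state("RFOTM")
    print(dev.post_select("oic.sec.oxm.jw", "CLIENT_DIRECTED"))
    dev.fail_on = "cms_cred"
    print(dev.post_credentials(sample_body()), dev.state, dev.svr["owned"])
    dev.fail_on = None
    print(dev.post_credentials(sample_body()), dev.state, dev.svr["owned"])
```

Because the batch is applied to a copy, a failed CMS credential write leaves the device in RFOTM with `owned` still false and no owner UUID stored, so a retry starts from a known state.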
S305: The management service sends to the second device the security resources that the second device needs in order to interact with the third device.
In an implementation manner, after the management service sends to the second device the security resources that the second device needs in order to interact with the third device, the first device may close the DTLS connection.
In the embodiments of the present application, the first device receives in a single operation the resource information sent by the second device. The resource information includes the first owner transfer method supported by the second device and further includes at least one of the following: the credential types supported by the second device, the configuration modes supported by the second device, the working state of the second device, and access permission information. The first device sends to the second device in a single operation the second owner transfer method configured for the second device and the client-led configuration mode, and performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection. The first device then sends the owner credential, the credential with which the AMS accesses the second device and the credential with which the CMS accesses the second device to the second device in a single operation through the secure connection, so that the management service sends to the second device the security resources that the second device needs in order to interact with the third device. This allows batch processing and merges the device activation steps, thereby simplifying the operation process and saving transmission overhead.
The foregoing mainly introduces the solutions of the embodiments of the present application from the perspective of interaction between network elements. It can be understood that, in order to implement the above functions, the terminal device includes the hardware structures and/or software modules corresponding to each function. Those skilled in the art will readily appreciate that, in combination with the units and algorithm steps of the examples described in the embodiments disclosed herein, the present application can be implemented in hardware or in a combination of hardware and computer software. Whether a given function is executed by hardware or by computer software driving hardware depends on the specific application and the design constraints of the technical solution. Skilled practitioners may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present application.
The embodiments of the present application may divide the terminal device into functional units according to the foregoing method examples. For example, each functional unit may correspond to one function, or two or more functions may be integrated into one processing unit. The integrated unit may be implemented in the form of hardware or in the form of a software program module. It should be noted that the division of units in the embodiments of the present application is illustrative and is only a division by logical function; other divisions are possible in an actual implementation.
Where integrated units are used, FIG. 4 shows a block diagram of one possible composition of functional units of the first device involved in the foregoing embodiments. The first device includes:
A communication unit 401, configured to receive resource information sent by a second device, where the resource information includes the first owner transfer method supported by the second device and further includes at least one of the following: the credential types supported by the second device, the configuration modes supported by the second device, the working state of the second device, and access permission information.
The communication unit 401 is further configured to send to the second device the second owner transfer method configured for the second device and the client-led configuration mode, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods.
A processing unit 402, configured to perform a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection.
The communication unit 401 is further configured to send credential information to the second device through the secure connection, where the credential information includes the owner credential, the credential with which the AMS accesses the second device and the credential with which the CMS accesses the second device, and the owner credential is determined according to the credential types supported by the second device, so that the management service sends to the second device the security resources that the second device needs in order to interact with a third device. The third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
The processing unit 402 may be a processor or a controller, and the communication unit 401 may be a transceiver, a transceiver circuit, a radio frequency chip, or the like.
In an implementation manner, the communication unit 401 receiving the resource information sent by the second device includes:
Receiving the resource information sent by the second device by GET on the UDP unicast channel.
In an implementation manner, the communication unit 401 sending to the second device the second owner transfer method configured for the second device and the client-led configuration mode includes:
Sending the second owner transfer method configured for the second device and the client-led configuration mode to the second device by POST on the UDP unicast channel.
In an implementation manner, the communication unit 401 sending the credential information to the second device through the secure connection includes:
Sending the credential information to the second device by POST over the secure connection on the UDP unicast channel.
When the processing unit 402 is a processor and the communication unit 401 is a communication interface, the terminal device involved in the embodiments of the present application may be the first device shown in FIG. 5.
It should be noted that the first device shown in FIG. 4 and FIG. 5 may be used to implement the steps performed by the first device in the foregoing embodiments, which are not repeated here.
In the embodiments of the present application, the communication unit 1001 receives the resource information sent by the second device and sends to the second device the second owner transfer method configured for the second device and the client-led configuration mode; the processing unit 1002 performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection; and the communication unit 1001 sends the credential information to the second device through the secure connection, so that the management service sends to the second device the security resources that the second device needs in order to interact with the third device. This simplifies the operation process and saves transmission overhead.
Where integrated units are used, FIG. 6 shows a block diagram of one possible composition of functional units of the second device involved in the foregoing embodiments. The first device includes:
A communication unit 601, configured to send resource information to a first device, where the resource information includes the first owner transfer method supported by the second device and further includes at least one of the following: the credential types supported by the second device, the configuration modes supported by the second device, the working state of the second device, and access permission information.
The communication unit 601 is further configured to receive the second owner transfer method and the client-led configuration mode sent by the first device, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods.
A processing unit 602, configured to perform a DTLS handshake with the first device according to the second owner transfer method to establish a secure connection.
The communication unit 601 is further configured to receive the credential information sent by the first device through the secure connection, where the credential information includes the owner credential, the credential with which the AMS accesses the second device and the credential with which the CMS accesses the second device, and the owner credential is determined according to the credential types supported by the second device.
The communication unit 601 is further configured to receive the security resources, sent by a management service, that are needed in order to interact with a third device, where the third device is an activated terminal device and the management service includes the AMS and/or the CMS.
The processing unit 602 may be a processor or a controller, and the communication unit 601 may be a transceiver, a transceiver circuit, a radio frequency chip, or the like.
In an implementation manner, after the communication unit 601 receives the credential information sent by the first device through the secure connection, the following is further included:
If the second device successfully updates its data according to the credential information, the processing unit 602 updates the operating state of the second device to the device Ready For Provisioning (RFPRO) state;
The communication unit 601 sends a first feedback message to the first device, where the first feedback message indicates that the second device updated the data successfully.
In an implementation manner, the first feedback message includes the updated owner UUID and the device persistent UUID.
In an implementation manner, before the processing unit 602 updates the operating state of the second device to the RFPRO state, the following is further included:
When the second device has successfully updated the owner UUID, the resource owner UUID, the owner credential, the credential with which the CMS accesses the second device and the credential with which the AMS accesses the second device, the processing unit 602 determines that the data update succeeded.
In an implementation manner, after the communication unit 601 receives the credential information sent by the first device through the secure connection, the following is further included:
If the second device fails to update its data according to the credential information, the communication unit 601 sends a second feedback message to the first device, where the second feedback message indicates that the second device failed to update the data.
In an implementation manner, after the communication unit 601 receives the credential information sent by the first device through the secure connection, the following is further included:
If the second device does not support updating the device persistent UUID, the communication unit 601 sends the device persistent UUID stored by the second device to the first device.
In an implementation manner, after the communication unit 601 receives the credential information sent by the first device through the secure connection, the following is further included:
If the second device fails to update the device persistent UUID, the communication unit 601 sends a second feedback message to the first device, where the second feedback message indicates that the second device failed to update the data.
In an implementation manner, before the communication unit 601 sends the resource information to the first device, the following is further included:
The processing unit 602 generates the resource information when it detects that the operating state of the second device has been updated to the device Ready For OTM (RFOTM) state.
In an implementation manner, before the communication unit 601 sends the resource information to the first device, the following is further included:
The processing unit 602 generates the resource information when it detects that the second device is in a running state.
The processing unit 602 is further configured to delete the resource information when it detects that the operating state of the second device has been updated to the RFNOP state or RESET.
When the processing unit 602 is a processor and the communication unit 601 is a communication interface, the second device involved in the embodiments of the present application may be the second device shown in FIG. 7.
It should be noted that the second device shown in FIG. 6 and FIG. 7 may be used to implement the steps performed by the second device in the foregoing embodiments, which are not repeated here.
In the embodiments of the present application, the communication unit 1001 sends the resource information to the first device and receives the second owner transfer method and the client-led configuration mode sent by the first device; the processing unit 1002 performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection; and the communication unit 1001 receives the credential information sent by the first device through the secure connection and receives the security resources, sent by the management service, that are needed in order to interact with the third device. This simplifies the operation process and saves transmission overhead.
The embodiments of the present application further provide a computer-readable storage medium that stores a computer program for electronic data exchange, where the computer program causes a computer to execute some or all of the steps described for the first device in the foregoing method embodiments.
The embodiments of the present application further provide a computer program product that includes a non-transitory computer-readable storage medium storing a computer program, where the computer program is operable to cause a computer to execute some or all of the steps described for the first device in the foregoing method embodiments. The computer program product may be a software installation package.
The embodiments of the present application further provide a computer-readable storage medium that stores a computer program for electronic data exchange, where the computer program causes a computer to execute some or all of the steps described for the second device in the foregoing method embodiments.
The embodiments of the present application further provide a computer program product that includes a non-transitory computer-readable storage medium storing a computer program, where the computer program is operable to cause a computer to execute some or all of the steps described for the second device in the foregoing method embodiments. The computer program product may be a software installation package.
本申请实施例所描述的方法或者算法的步骤可以以硬件的方式来实现,也可以是由处理器执行软件指令的方式来实现。软件指令可以由相应的软件模块组成,软件模块可以被存放于随机存取存储器(Random Access Memory,RAM)、闪存、只读存储器(Read Only Memory,ROM)、可擦除可编程只读存储器(Erasable Programmable ROM,EPROM)、电可擦可编程只读存储器(Electrically EPROM,EEPROM)、寄存器、硬盘、移动硬盘、只读光盘(CD-ROM)或者本领域熟知的任何其它形式的存储介质中。一种示例性的存储介质耦合至处理器,从而使处理器能够从该存储介质读取信息,且可向该存储介质写入信息。当然,存储介质也可以是处理器的组成部分。处理器和存储介质可以位于ASIC中。另外,该ASIC可以位于接入网设备、目标网络设备或核心网设备中。当然,处理器和存储介质也可以作为分立组件存在于接入网设备、目标网络设备或核心网设备中。The steps of the method or algorithm described in the embodiments of the present application may be implemented in a hardware manner, or may be implemented in a manner in which a processor executes software instructions. Software instructions can be composed of corresponding software modules, which can be stored in random access memory (Random Access Memory, RAM), flash memory, read-only memory (Read Only Memory, ROM), and erasable programmable read-only memory ( Erasable Programmable ROM (EPROM), Electrically Erasable Programmable Read-Only Memory (Electrically EPROM, EEPROM), registers, hard disk, mobile hard disk, CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor, so that the processor can read information from the storage medium and write information to the storage medium. Of course, the storage medium may also be an integral part of the processor. The processor and the storage medium may be located in the ASIC. In addition, the ASIC may be located in an access network device, a target network device, or a core network device. Of course, the processor and the storage medium may also exist as discrete components in the access network device, the target network device, or the core network device.
Those skilled in the art will appreciate that, in one or more of the foregoing examples, the functions described in the embodiments of the present application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another. For example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (for example, infrared, radio, or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device, such as a server or a data center, that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a digital video disc (DVD)), a semiconductor medium (for example, a solid state disk (SSD)), and so on.
The specific implementations described above further describe in detail the objectives, technical solutions, and beneficial effects of the embodiments of the present application. It should be understood that the foregoing are merely specific implementations of the embodiments of the present application and are not intended to limit the protection scope of the embodiments of the present application. Any modification, equivalent replacement, or improvement made on the basis of the technical solutions of the embodiments of the present application shall fall within the protection scope of the embodiments of the present application.

Claims (20)

  1. A device activation method, characterized in that it comprises:
    receiving, by a first device, resource information sent by a second device, wherein the resource information includes a first owner transfer method supported by the second device, and the resource information further includes at least one of the following: a credential type supported by the second device, a configuration mode supported by the second device, a working status of the second device, and access permission information;
    sending, by the first device to the second device, a second owner transfer method configured for the second device and a client-led configuration mode, wherein the second owner transfer method is at least one owner transfer method among the first owner transfer methods;
    performing, by the first device, a Datagram Transport Layer Security (DTLS) handshake with the second device according to the second owner transfer method, to establish a secure connection; and
    sending, by the first device, credential information to the second device over the secure connection, wherein the credential information includes an owner credential, a credential for an access management service (AMS) to access the second device, and a credential for a security credential management service (CMS) to access the second device, and the owner credential is determined according to the credential type supported by the second device, so that a management service sends to the second device the security resources required when the second device interacts with a third device, wherein the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
  2. The method according to claim 1, characterized in that the receiving, by the first device, of the resource information sent by the second device comprises:
    receiving, by the first device, the resource information sent by the second device by means of GET on a User Datagram Protocol (UDP) unicast channel.
  3. The method according to claim 1, characterized in that the sending, by the first device to the second device, of the second owner transfer method configured for the second device and the client-led configuration mode comprises:
    sending, by the first device to the second device by means of POST on a UDP unicast channel, the second owner transfer method configured for the second device and the client-led configuration mode.
  4. The method according to claim 1, characterized in that the sending, by the first device, of the credential information to the second device over the secure connection comprises:
    sending, by the first device, the credential information to the second device by means of POST on a UDP unicast channel and over the secure connection.
  5. A device activation method, characterized in that it comprises:
    sending, by a second device, resource information to a first device, wherein the resource information includes a first owner transfer method supported by the second device, and the resource information further includes at least one of the following: a credential type supported by the second device, a configuration mode supported by the second device, a working status of the second device, and access permission information;
    receiving, by the second device, a second owner transfer method and a client-led configuration mode sent by the first device, wherein the second owner transfer method is at least one owner transfer method among the first owner transfer methods;
    performing, by the second device, a Datagram Transport Layer Security (DTLS) handshake with the first device according to the second owner transfer method, to establish a secure connection;
    receiving, by the second device, credential information sent by the first device over the secure connection, wherein the credential information includes an owner credential, a credential for an access management service (AMS) to access the second device, and a credential for a security credential management service (CMS) to access the second device, and the owner credential is determined according to the credential type supported by the second device; and
    receiving, by the second device, security resources that are sent by a management service and are required when interacting with a third device, wherein the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
  6. The method according to claim 5, characterized in that, after the second device receives the credential information sent by the first device over the secure connection, the method further comprises:
    if the second device successfully updates data according to the credential information, updating, by the second device, the operating state of the second device to the device ready for configuration (RFPRO) state; and
    sending, by the second device, a first feedback message to the first device, wherein the first feedback message indicates that the second device updated the data successfully.
  7. The method according to claim 6, characterized in that the first feedback message includes the updated owner universally unique identifier (UUID) and the device persistent UUID.
  8. The method according to claim 6, characterized in that, before the second device updates the operating state of the second device to the RFPRO state, the method further comprises:
    determining, by the second device, that the data update is successful when the second device has successfully updated all of the owner UUID, the resource owner UUID, the owner credential, the credential for the CMS to access the second device, and the credential for the AMS to access the second device.
  9. The method according to claim 5, characterized in that, after the second device receives the credential information sent by the first device over the secure connection, the method further comprises:
    if the second device fails to update data according to the credential information, sending, by the second device, a second feedback message to the first device, wherein the second feedback message indicates that the second device failed to update the data.
  10. The method according to claim 5, characterized in that, after the second device receives the credential information sent by the first device over the secure connection, the method further comprises:
    if the second device does not support updating the device persistent UUID, sending, by the second device to the first device, the device persistent UUID stored by the second device.
  11. The method according to claim 5, characterized in that, after the second device receives the credential information sent by the first device over the secure connection, the method further comprises:
    if the second device fails to update the device persistent UUID, sending, by the second device, a second feedback message to the first device, wherein the second feedback message indicates that the second device failed to update the data.
  12. The method according to claim 5, characterized in that, before the second device sends the resource information to the first device, the method further comprises:
    generating, by the second device, the resource information upon detecting that the operating state of the second device has been updated to the device ready for owner transfer method (RFOTM) state.
  13. The method according to claim 5, characterized in that, before the second device sends the resource information to the first device, the method further comprises:
    generating, by the second device, the resource information upon detecting that the second device is in a running state.
  14. The method according to claim 5, characterized in that the method further comprises:
    deleting, by the second device, the resource information upon detecting that the operating state of the second device has been updated to the device ready for normal operation (RFNOP) state or the device reset (RESET) state.
  15. A first device, characterized in that the first device includes units for implementing the device activation method according to any one of claims 1-4.
  16. A first device, characterized in that the first device includes a processor and a memory, the processor being coupled to the memory, wherein:
    the memory is configured to store instructions; and
    the processor is configured to: receive resource information sent by a second device, wherein the resource information includes a first owner transfer method supported by the second device, and the resource information further includes at least one of the following: a credential type supported by the second device, a configuration mode supported by the second device, a working status of the second device, and access permission information; send to the second device a second owner transfer method configured for the second device and a client-led configuration mode, wherein the second owner transfer method is at least one owner transfer method among the first owner transfer methods; perform a Datagram Transport Layer Security (DTLS) handshake with the second device according to the second owner transfer method, to establish a secure connection; and send credential information to the second device over the secure connection, wherein the credential information includes an owner credential, a credential for an access management service (AMS) to access the second device, and a credential for a security credential management service (CMS) to access the second device, and the owner credential is determined according to the credential type supported by the second device, so that a management service sends to the second device the security resources required when the second device interacts with a third device, wherein the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
  17. A second device, characterized in that the second device includes units for implementing the device activation method according to any one of claims 5-14.
  18. A second device, characterized in that the second device includes a processor and a memory, the processor being coupled to the memory, wherein:
    the memory is configured to store instructions; and
    the processor is configured to: send resource information to a first device, wherein the resource information includes a first owner transfer method supported by the second device, and the resource information further includes at least one of the following: a credential type supported by the second device, a configuration mode supported by the second device, a working status of the second device, and access permission information; receive a second owner transfer method and a client-led configuration mode sent by the first device, wherein the second owner transfer method is at least one owner transfer method among the first owner transfer methods; perform a Datagram Transport Layer Security (DTLS) handshake with the first device according to the second owner transfer method, to establish a secure connection; receive credential information sent by the first device over the secure connection, wherein the credential information includes an owner credential, a credential for an access management service (AMS) to access the second device, and a credential for a security credential management service (CMS) to access the second device, and the owner credential is determined according to the credential type supported by the second device; and receive security resources that are sent by a management service and are required when interacting with a third device, wherein the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
  19. A computer storage medium, characterized in that the computer storage medium stores a computer program or instructions which, when executed by a processor, cause the processor to perform the device activation method according to any one of claims 1-4.
  20. A computer storage medium, characterized in that the computer storage medium stores a computer program or instructions which, when executed by a processor, cause the processor to perform the device activation method according to any one of claims 5-14.
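The device-side behaviour of claims 5 to 14, as an added Python illustration that is not part of the patent: resource information exists only between RFOTM and RFNOP/RESET, the selected owner transfer method must be one the device advertised, and credential data is committed only when all five items update. The class and method names, the message dictionaries, the `otm-*` and `cred-x` strings and the stage-then-commit approach are assumptions; the DTLS handshake is replaced by a stand-in check.

```python
import copy
from enum import Enum

class State(Enum):
    RESET = "RESET"
    RFOTM = "RFOTM"  # ready for owner transfer method
    RFPRO = "RFPRO"  # ready for configuration
    RFNOP = "RFNOP"  # ready for normal operation

# Claim 8: the update succeeds only if every one of these is updated.
REQUIRED = ("owner_uuid", "resource_owner_uuid", "owner_credential",
            "cms_credential", "ams_credential")

class SecondDevice:
    """Hypothetical model of the device being activated (not the patent's code)."""
    def __init__(self, otms, cred_types, device_uuid, uuid_updatable=True):
        self.otms, self.cred_types = set(otms), set(cred_types)
        self.device_uuid, self.uuid_updatable = device_uuid, uuid_updatable
        self.state, self.resource_info = State.RESET, None
        self.selected_otm, self.secure, self.store = None, False, {}

    def set_state(self, state):
        self.state = state
        if state is State.RFOTM:
            # Claim 12: resource information is generated on entering RFOTM.
            self.resource_info = {"otms": sorted(self.otms),
                                  "cred_types": sorted(self.cred_types),
                                  "state": state.value}
        elif state in (State.RFNOP, State.RESET):
            # Claim 14: resource information is deleted in RFNOP or RESET.
            self.resource_info = None
            self.selected_otm, self.secure = None, False
        elif self.resource_info is not None:
            self.resource_info["state"] = state.value

    def get_resource_info(self):  # GET: hand out a copy, never the live dict
        return copy.deepcopy(self.resource_info)

    def select(self, otm, config_mode):
        # POST: accept only an advertised method and the client-led mode.
        ok = (self.state is State.RFOTM and otm in self.otms
              and config_mode == "client-led")
        self.selected_otm = otm if ok else None
        return ok

    def handshake(self, otm):
        # Stand-in for the DTLS handshake bound to the selected method.
        self.secure = self.selected_otm is not None and otm == self.selected_otm
        return self.secure

    def provision(self, cred_info, new_device_uuid=None):
        # POST of credential information; returns the feedback message.
        if not self.secure:
            return {"result": "failure", "reason": "no secure connection"}
        staged = dict(self.store)  # assumption: stage first, commit at the end
        for name in REQUIRED:
            if not cred_info.get(name):
                # Claim 9: second feedback message, nothing committed.
                return {"result": "failure", "reason": "missing " + name}
            staged[name] = cred_info[name]
        if staged["owner_credential"].get("type") not in self.cred_types:
            return {"result": "failure", "reason": "unsupported credential type"}
        if new_device_uuid is not None and self.uuid_updatable:
            self.device_uuid = new_device_uuid  # else claim 10: keep stored UUID
        self.store = staged
        self.set_state(State.RFPRO)  # claim 6
        # Claim 7: first feedback message carries both UUIDs.
        return {"result": "success", "owner_uuid": staged["owner_uuid"],
                "device_uuid": self.device_uuid}

def demo():
    """Run the whole flow on constructed sample values."""
    dev = SecondDevice(["otm-a", "otm-b"], ["cred-x"], "dev-1", uuid_updatable=False)
    dev.set_state(State.RFOTM)
    dev.select("otm-a", "client-led")
    dev.handshake("otm-a")
    creds = dict.fromkeys(REQUIRED, "constructed-value")
    creds["owner_credential"] = {"type": "cred-x"}
    return dev.provision(creds, new_device_uuid="dev-2"), dev.state
```
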
PCT/CN2019/105784 2019-09-12 2019-09-12 Device activation method, terminal device, and computer storage medium WO2021046822A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201980095274.4A CN113647075B (en) 2019-09-12 2019-09-12 Device activation method, terminal device and computer storage medium
PCT/CN2019/105784 WO2021046822A1 (en) 2019-09-12 2019-09-12 Device activation method, terminal device, and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/105784 WO2021046822A1 (en) 2019-09-12 2019-09-12 Device activation method, terminal device, and computer storage medium

Publications (1)

Publication Number Publication Date
WO2021046822A1 true WO2021046822A1 (en) 2021-03-18

Family

ID=74867004

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/105784 WO2021046822A1 (en) 2019-09-12 2019-09-12 Device activation method, terminal device, and computer storage medium

Country Status (2)

Country Link
CN (1) CN113647075B (en)
WO (1) WO2021046822A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104144152A (en) * 2013-05-10 2014-11-12 中国电信股份有限公司 Authorization method and system for third-party resource provider
CN104580316A (en) * 2013-10-24 2015-04-29 深圳市国信互联科技有限公司 Software authorization management method and software authorization management system
CN104883674A (en) * 2014-02-28 2015-09-02 华为终端有限公司 Profile relating management method and apparatus
CN105187409A (en) * 2015-08-18 2015-12-23 杭州古北电子科技有限公司 Equipment authorizing system and authorizing method thereof
US20170195457A1 (en) * 2015-12-30 2017-07-06 Amazon Technologies, Inc. Service authorization handshake
CN108696868A (en) * 2017-03-01 2018-10-23 西安西电捷通无线网络通信股份有限公司 The processing method of credential information for network connection, device and apply APP

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101955976B1 (en) * 2011-08-25 2019-03-08 엘지전자 주식회사 Activation of limited user interface capability device
EP2981148B1 (en) * 2014-06-24 2020-02-26 Huawei Technologies Co., Ltd. Device management method, apparatus and system
US20160366183A1 (en) * 2015-06-09 2016-12-15 Ned M. Smith System, Apparatus And Method For Access Control List Processing In A Constrained Environment
CN110235424B (en) * 2017-01-20 2022-03-08 三星电子株式会社 Apparatus and method for providing and managing security information in a communication system
US20190139017A1 (en) * 2017-11-03 2019-05-09 Sita Ypenburg B.V. Systems and methods for interactions between ticket holders and self service functions

Also Published As

Publication number Publication date
CN113647075B (en) 2023-04-04
CN113647075A (en) 2021-11-12

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19945061

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19945061

Country of ref document: EP

Kind code of ref document: A1