WO2021046822A1 - Device activation method, terminal device and computer storage medium - Google Patents

Info

Publication number
WO2021046822A1
Authority
WO
WIPO (PCT)
Prior art keywords
credential
owner
transfer method
resource
supported
Application number
PCT/CN2019/105784
Other languages
English (en)
Chinese (zh)
Inventor
杨宁
Original Assignee
Oppo广东移动通信有限公司
Application filed by Oppo广东移动通信有限公司
Priority to CN201980095274.4A (published as CN113647075B)
Priority to PCT/CN2019/105784 (published as WO2021046822A1)
Publication of WO2021046822A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40: Network security protocols
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06: Authentication

Definitions

  • the present invention relates to the field of communication technology, and in particular to a device activation method, terminal device and computer storage medium.
  • the newly added terminal device can interact with the activated terminal device after it is activated.
  • the traditional device activation method is: configure device ownership, that is, a legitimate user uses an Owner Transfer Method (OTM) through an Onboarding Tool (OBT) to establish ownership of a terminal device. After ownership is established, the device is set to the normal operating state, which includes using the OBT to configure the terminal device to authorize the management service, and the management service setting the terminal device with the credentials and access permissions required to interact with other activated terminal devices.
  • OTM Owner Transfer Method
  • OBT Onboarding Tool
  • the terminal device can operate normally and interact with the activated terminal device.
  • the process of realizing device activation can specifically include: discovering new terminal devices, executing owner transfer methods, establishing device identity, establishing owner credentials, assigning devices to management services, configuring device management services, and preparing for interaction between devices, which results in cumbersome operations and increases the transmission overhead.
  • the embodiments of the present application provide a device activation method, terminal device, and computer storage medium, which can simplify operation procedures and save transmission overhead.
  • an embodiment of the present application provides a device activation method, including:
  • the first device receives resource information sent by the second device, where the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the credential type supported by the second device, the configuration mode supported by the second device, the working status of the second device, and access authority information;
  • the first device sends to the second device a second owner transfer method and a client-led configuration mode for the configuration of the second device, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods;
  • the first device performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection;
  • the first device sends credential information to the second device through the secure connection, where the credential information includes the owner credential, the credential for the AMS to access the second device, and the credential for the CMS to access the second device, and the owner credential is determined according to the credential type supported by the second device, so that the management service sends to the second device the security resources required by the second device to interact with a third device.
  • the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
  • an embodiment of the present application provides a device activation method, including:
  • the second device sends resource information to the first device, where the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the credential type supported by the second device, the configuration mode supported by the second device, the working status of the second device, and access authority information;
  • the second device performs a DTLS handshake with the first device according to the second owner transfer method to establish a secure connection;
  • the second device receives the credential information sent by the first device through the secure connection, where the credential information includes the owner credential, the credential for the AMS to access the second device, and the credential for the CMS to access the second device, and
  • the owner credential is determined according to the credential type supported by the second device;
  • the second device receives, from a management service, a security resource required when interacting with a third device, where the third device is an activated terminal device and the management service includes the AMS and/or the CMS.
  • an embodiment of the present application provides a first device that has a function of implementing the method described in the first aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units corresponding to the above-mentioned functions.
  • an embodiment of the present application provides a first device, the first device includes a processor, and the processor is coupled with a memory, wherein:
  • the memory is used to store instructions
  • the processor is configured to receive resource information sent by a second device, where the resource information includes a first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the credential type supported by the second device, the configuration mode supported by the second device, the working status of the second device, and access authority information; to send to the second device a second owner transfer method and a client-led configuration mode configured for the second device, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods; to perform a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection; and to send credential information to the second device through the secure connection, the credential information including the owner credential, the credential for the AMS to access the second device and the credential for the CMS to access the second device,
  • the owner credential is determined according to the credential type supported by the second device, so that the management service sends to the second device the security resources needed when the second device interacts with the third device, where
  • the third device is an activate
  • an embodiment of the present application provides a second device that has a function of implementing the method described in the second aspect.
  • the function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units corresponding to the above-mentioned functions.
  • an embodiment of the present application provides a second device, the second device includes a processor, and the processor is coupled with a memory, wherein:
  • the memory is used to store instructions
  • the processor is configured to send resource information to a first device, where the resource information includes a first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the credential type supported by the second device, the configuration mode supported by the second device, the working status of the second device, and access authority information; to receive the second owner transfer method and the client-led configuration mode sent by the first device, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods; to perform a DTLS handshake with the first device according to the second owner transfer method to establish a secure connection; to receive the credential information sent by the first device through the secure connection, where the credential information includes the owner credential, the credential for the AMS to access the second device and the credential for the CMS to access the second device, and the owner credential is determined according to the credential type supported by the second device; and to receive a security resource, sent by a management service, that is required to interact with a third device.
  • the third device is an activated terminal device, and the management service includes the AMS and
  • an embodiment of the present application provides a computer storage medium, wherein the computer-readable storage medium stores a computer program or instructions, and when the program or instructions are executed by a processor, the processor executes the device activation method as described in the first aspect.
  • the embodiments of the present application provide a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute part or all of the steps described in the first aspect of the application embodiment.
  • the computer program product may be a software installation package.
  • an embodiment of the present application provides a computer storage medium, wherein the computer-readable storage medium stores a computer program or instructions, and when the program or instructions are executed by a processor, the processor executes the device activation method as described in the second aspect.
  • an embodiment of the present application provides a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute part or all of the steps described in the second aspect of the application embodiment.
  • the computer program product may be a software installation package.
  • the first device receives the resource information sent by the second device at one time
  • the resource information includes the first owner transfer method supported by the second device
  • the resource information further includes at least one of the following: the credential type supported by the second device, the configuration mode supported by the second device, the working status of the second device, and access authority information.
  • the first device sends to the second device, at one time, the second owner transfer method and the client-led configuration mode for the configuration of the second device
  • the first device performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection, and then the first device sends to the second device through the secure connection, at one time, the owner credential, the credential for the AMS to access the second device and the credential for the CMS to access the second device, so that the management service can send to the second device the security resources needed when the second device interacts with the third device.
  • batch processing can be carried out and the steps of the device activation process can be merged, which simplifies the operation process and saves transmission overhead.
  • FIG. 1 is a schematic diagram of the architecture of a communication system provided by an embodiment of the present application.
  • Figure 2 is a schematic diagram of a collection resource provided by an embodiment of the present application.
  • FIG. 3 is an example flowchart of a device activation method provided by an embodiment of the present application.
  • FIG. 4 is a block diagram of the functional unit composition of a first device provided by an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a first device provided by an embodiment of the present application.
  • FIG. 6 is a block diagram of a functional unit composition of a second device provided by an embodiment of the present application.
  • Fig. 7 is a schematic structural diagram of a second device provided by an embodiment of the present application.
  • Fig. 1 shows a schematic diagram of the architecture of a communication system involved in the present application.
  • the communication system may include a first device 101, a second device 102, a third device 103, and a management service 104.
  • the first device 101 establishes a communication connection with the second device 102 and the management service 104 respectively, the second device 102 establishes a communication connection with the management service 104, and the management service 104 establishes a communication connection with the third device 103.
  • the first device 101 may be an activation tool (Onboarding Tool, OBT) device.
  • OBT Onboarding Tool
  • a legitimate user can use an Owner Transfer Method (OTM) through the OBT device to establish device ownership.
  • OTM Owner Transfer Method
  • the second device 102 can then be set to a normal operating state; for example, the OBT device can configure the second device 102 to authorize the management service 104.
  • the first device may be a client, specifically an entity that operates server resources.
  • the second device 102 may be a device to be activated.
  • OCF Open Connectivity Foundation
  • devices need to be activated before they can operate in the network or interact with other activated devices. Based on this, the embodiments of this application refer to a device that needs to be activated as the device to be activated.
  • the second device may be a server.
  • the third device 103 may be an activated device.
  • the management service 104 may include an Access Management Service (AMS), a Credential Management Service (CMS), or a Device Ownership Transfer Service (DOTS).
  • AMS Access Management Service
  • CMS Credential Management Service
  • DOTS Device Ownership Transfer Service
  • the management service 104 can set the credentials and access permissions for the second device 102 to interact with the third device 103, and finally enable the second device 102 to operate normally and interact with the third device 103.
  • the traditional device activation method is: discover the new terminal device, execute the owner transfer method, establish the device identity, establish the owner credential, assign the device to the management service, configure the device management service, and prepare for interaction between devices.
  • the execution sequence of the above operations is fixed, and only one Security Virtual Resource (SVR) is operated at a time, which results in a cumbersome interaction process and high transmission overhead.
  • SVR Security Virtual Resource
  • the present application provides a device activation method.
  • the first device 101 can receive resource information sent by the second device 102, where the resource information includes the first owner transfer method supported by the second device 102, and the resource information further includes at least one of the following: the credential type supported by the second device 102, the configuration mode supported by the second device 102, the working status of the second device 102, and access authority information; the first device 101 sends to the second device 102 the second owner transfer method configured for the second device 102 and the client-led configuration mode, where the second owner transfer method is at least one owner transfer method among the first owner transfer methods; the first device 101 performs a Datagram Transport Layer Security (DTLS) handshake with the second device 102 according to the second owner transfer method to establish a secure connection
  • DTLS Datagram Transport Layer Security
  • the first device 101 sends credential information to the second device 102 through the secure connection, and the credential information includes the owner credential, the credential for the AMS to access the second device 102 and the credential for the CMS to access the second device 102.
  • the owner credential is determined according to the credential type supported by the second device 102, so that the management service 104 sends to the second device 102 the security resources required when the second device 102 interacts with the third device 103.
  • this application can operate multiple SVRs at a time, that is, the steps of the device activation process are merged into batch processing, thereby simplifying the operation process and saving transmission overhead.
  • the SVR may include at least one of the following: the owner transfer method, the credential type, the configuration mode supported by the second device 102, the working status of the second device 102, the access authority information, the client-led configuration mode, the owner credential, the credential for the AMS to access the second device 102 and the credential for the CMS to access the second device 102, as well as security resources, and so on.
  • the SVR may include "/oic/sec/doxm", "/oic/sec/pstat", "/oic/sec/cred", "/oic/sec/acl2" and other /oic/sec/obd resources.
  • the "/oic/sec/doxm" resource is a resource defined by the OCF standard, which describes the ownership transfer methods supported by the second device 102 and the ownership transfer method currently in use.
  • the "/oic/sec/pstat" resource is a resource defined by the OCF standard, which describes the configuration mode types supported by the second device 102 and the currently configured configuration mode.
  • the "/oic/sec/cred" resource is a resource defined by the OCF standard, which describes the credential information required to access the second device 102.
  • the "/oic/sec/acl2" resource is a resource defined by the OCF standard, which describes the access authority information of the second device 102, and so on.
  • FIG. 2 is a schematic diagram of Collection resources.
  • Collection resources can include OCF Links.
  • OCF Links represents a collection of one or more link resources. Multiple target resources or other Collection resources can be referenced through Collection resources.
  • a Collection resource contains the switch resources of device A (device identification is light) and the switch resources of device B (device identification is fan), forming a centralized resource group.
  • the client can request multiple resources at the same time by accessing the oic.if.b interface of the Collection resource.
  • the Collection resource handler sends the request to each resource in the links, collects the response returned by each resource, and then returns them to the client in a unified manner.
  • the oic.if.b interface refers to an access interface used to access a batch of resources.
  • the second device may add the /oic/sec/obd resource when it starts or enters the device ready for OTM state (RFOTM).
  • the /oic/sec/obd resource may include the /oic/sec/doxm resource, the /oic/sec/pstat resource, the /oic/sec/cred resource, the /oic/sec/acl2 resource, etc.
  • the /oic/sec/doxm resource can include the first owner transfer method supported by the second device, the /oic/sec/pstat resource can include the configuration mode supported by the second device, the /oic/sec/cred resource can include the credential type and credential information supported by the second device, and the /oic/sec/acl2 resource can include access authority information, etc.
  • the first device can send a resource acquisition request to the second device through the oic.if.b interface of the Collection resource, and the second device can use the Collection resource to convert the resource acquisition request into an owner transfer method acquisition request, a configuration mode acquisition request, a credential type acquisition request and an access permission acquisition request.
  • the second device may send the owner transfer method acquisition request to the /oic/sec/doxm resource through the Collection resource, and obtain the first owner transfer method supported by the second device from the /oic/sec/doxm resource.
  • the second device may send the configuration mode acquisition request to the /oic/sec/pstat resource through the Collection resource, and obtain the configuration mode supported by the second device from the /oic/sec/pstat resource.
  • the second device may send the credential type acquisition request to the /oic/sec/cred resource through the Collection resource, and obtain the credential type supported by the second device from the /oic/sec/cred resource.
  • the second device may send the access permission acquisition request to the /oic/sec/acl2 resource through the Collection resource, and obtain the access permission information from the /oic/sec/acl2 resource. Then, the second device can package the first owner transfer method supported by the second device, the configuration mode supported by the second device, the credential type supported by the second device, and the access authority information through the Collection resource to generate the resource information. Then, the second device can send the resource information to the first device through the Collection resource.
  • FIG. 3 is a device activation method provided by an embodiment of the present application, and the method includes:
  • the second device sends resource information to the first device, where the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the credential type supported by the second device, the configuration mode supported by the second device, the working status of the second device, and access authority information.
  • the first device may receive the resource information sent by the second device in a GET manner on a User Datagram Protocol (UDP) unicast channel.
  • UDP User Datagram Protocol
  • the second device returns the owner transfer method supported by the second device, the credential type supported by the second device, the configuration mode supported by the second device, the current working status of the second device, and the default acl2 (the "anon-clear" and "auth-crypt" type ACEs).
  • the owner transfer method supported by the second device may include at least one of the following: the Just-Works method, the Personal Identification Number (PIN) method, the certificate method, and a manufacturer-defined method.
  • the credential type supported by the second device may include a symmetric credential and/or an asymmetric credential.
  • a symmetric credential may include a pair-wise symmetric key or a group symmetric key.
  • an asymmetric credential may include a certificate or a raw asymmetric key.
  • the configuration mode supported by the second device may include at least one of the following: a client-led configuration mode, a server-led mode using a single configuration service, and a server-led mode using multiple configuration services.
  • Device configuration can be client-led or server-led.
  • the client-led configuration relies on the client device to determine what, how, and when server-side resources should be instantiated and updated.
  • the server-led configuration relies on the server seeking configuration when specified conditions are met.
  • the server-led configuration relies on the "rowneruuid" attribute of the "/oic/sec/doxm", "/oic/sec/cred" and "/oic/sec/acl2" resources being configured to indicate the device IDs of the trusted DOTS, CMS and AMS services respectively. Further, "/oic/sec/cred" should be configured during owner transfer with the credentials necessary to establish a secure connection with the appropriate supporting services.
  • the configuration status resource "/oic/sec/pstat" is used to enable the second device to perform self-directed configuration.
  • the second device knows its current configuration state and its target configuration. If the current and target states differ, the second device should query the "rowneruuid" attribute of the "/oic/sec/cred" resource to find out whether a suitable configuration service exists; if it is set to active, the second device should request configuration.
  • the "om" attribute of the "/oic/sec/pstat" resource specifies the expected device behavior under these conditions.
  • self-directed configuration enables the device to operate with greater autonomy, minimizing dependence on a central configuration authority and preventing it from becoming a single point of failure in the network.
  • the current working state of the second device may be RFOTM, the device ready for configuration state (RFPRO), the device ready for normal operation state (RFNOP), the device reset state (RESET), or the device soft reset state (SRESET).
  • RFPRO device ready for configuration state
  • RFNOP device ready for normal operation state
  • RESET device reset state
  • SRESET device soft reset state
  • the platform manufacturer should provide a physical mechanism (such as a button) to force the platform to reset. When the platform is reset, all devices hosted on the same platform change the state of the second device to RESET. When the device status is RESET, all SVR content is deleted and reset to the manufacturer default values. The manufacturer default device status is RESET. After successfully executing the RESET, the SRM transitions to the RFOTM state by setting the "s" attribute of the "/oic/sec/dostype" resource to RFOTM.
  • the second device in the RFOTM state refers to an operable device that is ready for ownership transfer.
  • when the device status is RFOTM, before the OTM succeeds, the deviceuuid attribute of the "/oic/sec/doxm" resource is set to a temporary, non-repeating value.
  • the "s" attribute of the "/oic/sec/dostype" resource is read-only for unauthenticated requesters.
  • the "s" attribute of the "/oic/sec/dostype" resource is readable and writable for authorized requesters.
  • SRM Secure Resource Manager
  • the DOTS cannot change the state of other devices unless the device state returns to RFOTM from RESET. The DOTS may need to perform other configuration tasks in the RFOTM state; after completion, the DOTS changes the "owned" attribute of the "/doxm" resource to "true".
  • RFPRO means that the second device is ready for other configuration.
  • the "s" attribute of the "/oic/sec/dostype" resource is read-only for unauthorized requesters and readable and writable for authorized requesters.
  • authorized clients can configure the SVRs according to the requirements for normal operation in RFNOP.
  • authorized clients can perform a consistency check on the SVRs to determine which should be reconfigured. Unsuccessful configuration of an SVR may trigger a state change to RESET, for example when the device was transitioned from SRESET but the consistency check continues to fail.
  • an authorized client sets "/pstat.dos.s" to RFNOP.
  • RFNOP refers to the final state of the second device that is an operable device.
  • when the device status is RFNOP, the "/pstat.dos.s" attribute is read-only for unauthorized requesters and readable and writable for authorized requesters. SVRs and core resources can be accessed using the normal access procedures. An authorized client can transition the device to RFPRO; only the device owner can switch the device to SRESET or RESET.
  • SRESET means that the second device is inoperable but still owned by the current owner.
  • SVR integrity cannot be guaranteed, but certain SVR attributes must remain accessible.
  • these SVR attributes include the devowneruuid attribute of the "/oic/sec/doxm" resource, the "creds": [{..., {"subjectuuid": <devowneruuid>}, ...}] attribute of the "/oic/sec/cred" resource, and the "s" attribute of the "/oic/sec/dostype" resource of the "/oic/sec/pstat" resource.
  • the credential for identifying and authorizing the device owner is sufficient to recreate the minimum required "/cred" and "/doxm" resources so that the device owner can control SRESET. If the SRM cannot establish these resources, it transitions to the RESET state.
  • authorized device owners can avoid entering the RESET and RFOTM states by writing RFPRO or RFNOP into the "dos.s" attribute of the "/pstat" resource.
  • ACLs on the SVRs are considered invalid; only the device owner can access them.
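The RESET, RFOTM, RFPRO, RFNOP and SRESET rules above, modelled as an added Python example that is not code from the patent or from any OCF implementation. The requester roles "anonymous", "authorized" and "owner", the default OTM and credential type names, and the minimal consistency check are assumptions of this example.

```python
import uuid

RESET, RFOTM, RFPRO, RFNOP, SRESET = "RESET", "RFOTM", "RFPRO", "RFNOP", "SRESET"
JUST_WORKS = "just-works"        # manufacturer-default OTM (assumption)
OWNER_CREDTYPE = "symmetric"     # credential type written during OTM (assumption)


class DeviceOnboardingState:
    """Tracks "dos.s" and the SVR attributes that the state rules depend on."""

    def __init__(self):
        self.svr = {}
        self.state = RESET              # manufacturer default device state
        self.came_from_sreset = False
        self._do_reset()

    def _do_reset(self):
        # RESET: every SVR is deleted and restored to the manufacturer defaults
        self.svr = {
            "doxm": {"oxms": [JUST_WORKS], "oxmsel": None, "owned": False,
                     # temporary, non-repeating id until ownership transfer succeeds
                     "deviceuuid": str(uuid.uuid4()), "devowneruuid": None},
            "cred": {"creds": []},
        }
        self.came_from_sreset = False
        self.state = RFOTM              # SRM moves to RFOTM after a successful RESET

    def complete_otm(self, owner_uuid):
        """DOTS finishes ownership transfer in RFOTM: owner id and owner credential
        are written and "owned" becomes true."""
        if self.state != RFOTM:
            raise RuntimeError("ownership transfer is only possible in RFOTM")
        doxm = self.svr["doxm"]
        doxm["devowneruuid"] = owner_uuid
        doxm["deviceuuid"] = str(uuid.uuid4())        # final device id
        self.svr["cred"]["creds"].append(
            {"subjectuuid": owner_uuid, "credtype": OWNER_CREDTYPE})
        doxm["owned"] = True

    def _svr_consistent(self):
        """Minimal check on the attributes the text names for SRESET recovery:
        devowneruuid in /doxm and a /cred entry whose subjectuuid matches it."""
        doxm = self.svr["doxm"]
        owner = doxm["devowneruuid"]
        return bool(doxm["owned"] and owner and any(
            c.get("subjectuuid") == owner for c in self.svr["cred"]["creds"]))

    def read_state(self, requester):
        # "dos.s" is readable by every requester, authenticated or not
        return self.state

    def write_state(self, requester, target):
        """Try to write "dos.s" as `requester`; returns (accepted, resulting state)."""
        if requester == "anonymous":
            return False, self.state    # read-only for unauthenticated requesters
        if target in (RESET, SRESET):
            if requester != "owner":
                return False, self.state  # only the device owner may reset
            if target == RESET:
                self._do_reset()
            else:
                self.state, self.came_from_sreset = SRESET, True
            return True, self.state
        if target == RFPRO and self.state in (RFOTM, RFNOP, SRESET):
            if self.state == RFOTM and not self.svr["doxm"]["owned"]:
                return False, self.state  # OTM must complete before configuration
            if self.state == SRESET and not self._svr_consistent():
                self._do_reset()          # SRM cannot rebuild minimal /doxm and /cred
                return False, self.state
            self.state = RFPRO
            return True, self.state
        if target == RFNOP and self.state in (RFPRO, SRESET):
            if not self._svr_consistent():
                if self.came_from_sreset:   # repeated failure after SRESET -> RESET
                    self._do_reset()
                return False, self.state
            self.state, self.came_from_sreset = RFNOP, False
            return True, self.state
        return False, self.state
```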
  • the first device acquires the resources that need to be acquired multiple times in the traditional device activation method at one time, which simplifies the operation process and saves transmission overhead.
  • the first device may discover the device to be activated, that is, the second device. After the first device discovers the second device, it receives the resource information sent by the second device.
  • the second device may generate the resource information when detecting that the operating state of the second device is updated to the RFOTM state.
  • the /oic/sec/obd resource is automatically added when the second device enters the RFOTM state.
  • the /oic/sec/obd resource is a Collection resource (i.e. of the "oic.wk.col" type), which refers to the following target resources (for example, /oic/sec/doxm, /oic/sec/pstat, /oic/sec/cred, /oic/sec/acl2); the /oic/sec/obd resource supports the "oic.if.b" interface.
  • the device activation process can be implemented by performing an "oic.if.b" interface operation on the /oic/sec/obd resource.
  • before the second device sends the resource information to the first device, the second device generates the resource information when it detects that it is in a running state.
  • the second device automatically generates the /oic/sec/obd resource when it is started.
  • the second device deletes the resource information when detecting that the operating state of the second device is updated to the RFNOP state or the RESET state.
  • the /oic/sec/obd resource can be automatically deleted.
  • the resource information may not be deleted.
  • the /oic/sec/obd resource may not be deleted, but the owner Universally Unique Identifier (UUID) of the resource may be set to the device owner's UUID.
  • UUID Universally Unique Identifier
  • S302 The first device sends to the second device the second owner transfer method for the configuration of the second device and the client-led configuration mode.
  • the second owner transfer method is at least one owner transfer method among the first owner transfer methods.
  • the first device may send the second owner transfer method for the configuration of the second device and the client-led configuration mode to the second device in a POST manner on the UDP unicast channel.
  • the first device sends the resources that need to be sent multiple times in the traditional device activation method to the second device at one time, which can simplify the operation process and save transmission overhead.
  • the first device configures the second owner transfer method for the second device, which can realize the establishment of device ownership.
  • the goal of establishing device ownership is to allow legitimate users who own or purchase the second device to become the owner and administrator of the second device.
  • This process includes using OBT to establish ownership information between the second device and the first device, and to control and manage the second device.
  • OBT is a logical entity running on the second device or the first device, such as a network management console, device management tool, network monitoring tool, network configuration tool, home gateway or home automation controller.
  • the physical device running OBT should meet some security reinforcement requirements, and use integrity and confidentiality protection for the stored credentials.
  • the tool or server that establishes ownership is often referred to as OBT.
  • the "owner transfer" is used here because even for a new device, its ownership is transferred from the manufacturer to the purchaser.
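The lifecycle of the /oic/sec/obd collection and the owner-transfer-method selection described in S301 and S302 above, as an added example that is not code from the patent or from any OCF implementation. It models the second device creating the collection on entering RFOTM, answering one batch GET with every target resource, deleting the collection again in RFNOP or RESET, and the first device choosing the second owner transfer method from that single response. The class and function names (DeviceState, OnboardingDevice, choose_otm, configure), the preference order OTM_PREFERENCE and the device UUID are constructed; the numeric pstat.dos.s, doxm.oxms and pstat.om values are the author's recollection of the OCF security specification and are assumptions.

```python
from enum import IntEnum


class DeviceState(IntEnum):
    """pstat.dos.s operating states named in the text (assumed OCF numeric codes)."""
    RESET = 0
    RFOTM = 1   # ready for owner transfer method
    RFPRO = 2   # ready for provisioning
    RFNOP = 3   # ready for normal operation


# doxm.oxms owner transfer method identifiers (assumed OCF values).
JUST_WORKS, RANDOM_PIN, MANUFACTURER_CERT = 0, 1, 2
# Constructed OBT policy: prefer the method that binds ownership most strongly.
OTM_PREFERENCE = (MANUFACTURER_CERT, RANDOM_PIN, JUST_WORKS)
# pstat.om value for the client-led (client-directed) configuration mode (assumed).
CLIENT_LED = 4

TARGETS = ("/oic/sec/doxm", "/oic/sec/pstat", "/oic/sec/cred", "/oic/sec/acl2")


class OnboardingDevice:
    """The second device: its security resources plus the optional /oic/sec/obd collection."""

    def __init__(self, supported_otms, supported_cred_types, supported_modes):
        self.resources = {
            "/oic/sec/doxm": {"oxms": list(supported_otms), "oxmsel": None,
                              "sct": supported_cred_types, "owned": False,
                              "devowneruuid": None,
                              # constructed sample device UUID
                              "deviceuuid": "0f0f0f0f-0000-4000-8000-000000000001"},
            "/oic/sec/pstat": {"dos": {"s": int(DeviceState.RESET)},
                               "sm": supported_modes, "om": None},
            "/oic/sec/cred": {"creds": []},
            "/oic/sec/acl2": {"aclist2": []},
        }
        self.obd = None
        self.set_state(DeviceState.RFOTM)   # a fresh device boots straight into RFOTM

    @property
    def state(self):
        return DeviceState(self.resources["/oic/sec/pstat"]["dos"]["s"])

    def set_state(self, new_state):
        self.resources["/oic/sec/pstat"]["dos"]["s"] = int(new_state)
        if new_state is DeviceState.RFOTM:
            # Entering RFOTM creates the collection automatically; it links every
            # resource an OBT would otherwise have to fetch one by one.
            self.obd = {"rt": ["oic.wk.col"], "if": ["oic.if.b", "oic.if.ll", "oic.if.baseline"],
                        "links": [{"href": href} for href in TARGETS]}
        elif new_state in (DeviceState.RFNOP, DeviceState.RESET):
            self.obd = None   # onboarding finished or device reset: collection deleted

    def batch_get(self):
        """GET /oic/sec/obd?if=oic.if.b: one response carrying every target representation."""
        if self.obd is None:
            raise LookupError("/oic/sec/obd is not present in state " + self.state.name)
        return [{"href": link["href"], "rep": dict(self.resources[link["href"]])}
                for link in self.obd["links"]]

    def batch_post(self, updates):
        """POST /oic/sec/obd?if=oic.if.b with [{href, rep}, ...]: apply them in one round trip."""
        if self.obd is None:
            raise LookupError("/oic/sec/obd is not present in state " + self.state.name)
        for item in updates:
            self.resources[item["href"]].update(item["rep"])


def choose_otm(batch_response, obt_supported):
    """First device: take doxm.oxms from the batch response and select the second
    owner transfer method, the most preferred method that both sides support."""
    doxm = next(item["rep"] for item in batch_response if item["href"] == "/oic/sec/doxm")
    common = set(doxm["oxms"]) & set(obt_supported)
    for otm in OTM_PREFERENCE:
        if otm in common:
            return otm
    raise ValueError("no owner transfer method in common with the device")


def configure(device, obt_supported):
    """S301 and S302 as two requests: one batch GET, then one batch POST that writes
    doxm.oxmsel and the client-led mode into pstat.om. Returns the chosen method."""
    otm = choose_otm(device.batch_get(), obt_supported)
    device.batch_post([{"href": "/oic/sec/doxm", "rep": {"oxmsel": otm}},
                       {"href": "/oic/sec/pstat", "rep": {"om": CLIENT_LED}}])
    return otm
```

The point worth checking on a real device is the third branch of set_state: once the device leaves RFOTM the batch collection must disappear, otherwise a single unauthenticated GET would keep exposing doxm, cred and acl2 together after onboarding has finished.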
  • S303 The first device performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection.
  • the first device can execute Just-Works OTM for DTLS handshake to establish a secure connection.
  • S304 The first device sends the credential information to the second device through the secure connection.
  • the credential information may include the owner's credential, the credential for the AMS to access the second device and the credential for the CMS to access the second device, and the owner's credential is determined according to the type of credential supported by the second device.
  • the first device may send the credential information to the second device through a POST method and a secure connection on a UDP unicast channel.
  • the owner's credential may be composed of a certificate signed by the first device or another organization, user network access information, a shared key, and so on.
  • the first device sends the resources that need to be sent multiple times in the traditional device activation method to the second device at one time, which can simplify the operation process and save transmission overhead.
  • after the second device receives the credential information sent by the first device through the secure connection, if the second device successfully updates the data according to the credential information, the second device can update its operating status to the RFPRO state, and the second device sends a first feedback message to the first device, the first feedback message being used to indicate that the second device successfully updated the data.
  • the first feedback message may include the updated owner UUID and the device persistent UUID.
  • the first feedback message is used to indicate to the first device that the second device successfully updated the data. If the second device fails to update the data, the second device sends a failure indication message to the first device.
  • before the second device updates its operating status to the RFPRO state, the second device determines that the data update is successful when the owner UUID, the resource owner UUID, the owner's credentials, the CMS's credentials for accessing the second device and the AMS's credentials for accessing the second device have all been updated successfully.
  • after the second device receives the credential information sent by the first device through the secure connection, if the second device fails to update the data according to the credential information, the second device sends a second feedback message to the first device, and the second feedback message is used to indicate that the second device failed to update the data.
  • if the second device fails to update the owner UUID, or fails to update the resource owner UUID, or fails to update the owner credential, or fails to update the CMS credential, or fails to update the AMS credential, the second device sends a second feedback message to the first device, such as {"msg":"Internal Server operation error", "ec":2000}.
  • after the second device receives the credential information sent by the first device through the secure connection, if the second device does not support updating the device persistent UUID, the second device sends the device persistent UUID stored in the second device to the first device.
  • after the second device receives the credential information sent by the first device through the secure connection, if the second device fails to update the device persistent UUID, the second device sends a second feedback message to the first device, and the second feedback message is used to indicate that the second device failed to update the data.
  • the second device sends a second feedback message to the first device, such as {"msg":"Invalid parameter","ec":1100}.
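The second device's side of S304, as an added example that is not code from the patent or from any OCF implementation: it receives the credential information over the secure connection, applies the five updates (owner UUID, resource owner UUID, owner credential, CMS credential, AMS credential) as one transaction so that a partial failure leaves nothing half-written, moves to RFPRO only on success, and answers with the first feedback message on success or with the two second-feedback bodies quoted above on failure. The class and field names (SecondDevice, apply_credentials, owner_cred, cms_cred, ams_cred), the UUID format check, the fail_writes switch that stands in for a storage fault and all sample UUIDs and key bytes are constructed; the numeric RFOTM/RFPRO codes are assumed OCF values.

```python
import copy
import re

# Feedback bodies quoted in the text.
ERR_INTERNAL = {"msg": "Internal Server operation error", "ec": 2000}
ERR_INVALID = {"msg": "Invalid parameter", "ec": 1100}

RFOTM, RFPRO = 1, 2   # pstat.dos.s values (assumed OCF codes)
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# Constructed field names for the credential information POSTed by the first device.
REQUIRED = ("devowneruuid", "rowneruuid", "owner_cred", "cms_cred", "ams_cred")


class SecondDevice:
    def __init__(self, supported_cred_types, supports_persistent_uuid_update=True,
                 fail_writes=False):
        self.sct = set(supported_cred_types)            # credential types the device accepts
        self.supports_persistent_uuid_update = supports_persistent_uuid_update
        self.fail_writes = fail_writes                   # constructed: simulates a storage fault
        self.state = RFOTM
        self.doxm = {"devowneruuid": None, "deviceuuid": "0f0f0f0f-0000-4000-8000-000000000001"}
        self.cred = {"rowneruuid": None, "creds": []}

    def _valid_cred(self, cred):
        """A credential is acceptable only if its type is one the device supports."""
        return (isinstance(cred, dict) and cred.get("credtype") in self.sct
                and isinstance(cred.get("subjectuuid"), str)
                and UUID_RE.match(cred["subjectuuid"]) is not None)

    def _store(self, creds, cred, role):
        """Write one credential entry; raising here models a failed update."""
        if self.fail_writes:
            raise OSError("credential store write failed")
        creds.append({"credid": len(creds) + 1, "role": role, **cred})

    def apply_credentials(self, info):
        """Handle the S304 POST. Returns (ok, body): on success the device is in RFPRO
        and body is the first feedback message; otherwise body is the second feedback
        message and nothing on the device has changed."""
        # Parameter checks come first: anything malformed is "Invalid parameter".
        if any(k not in info for k in REQUIRED):
            return False, dict(ERR_INVALID)
        if not all(isinstance(info[k], str) and UUID_RE.match(info[k])
                   for k in ("devowneruuid", "rowneruuid")):
            return False, dict(ERR_INVALID)
        if not all(self._valid_cred(info[k]) for k in ("owner_cred", "cms_cred", "ams_cred")):
            return False, dict(ERR_INVALID)
        new_uuid = info.get("deviceuuid")
        want_uuid_update = new_uuid is not None and self.supports_persistent_uuid_update
        if want_uuid_update and not (isinstance(new_uuid, str) and UUID_RE.match(new_uuid)):
            return False, dict(ERR_INVALID)   # persistent UUID update attempted but failed

        # Apply all updates on a copy and commit only if every one succeeds, so a
        # failure cannot leave the device half-owned.
        doxm, cred = copy.deepcopy(self.doxm), copy.deepcopy(self.cred)
        try:
            doxm["devowneruuid"] = info["devowneruuid"]
            cred["rowneruuid"] = info["rowneruuid"]
            for key, role in (("owner_cred", "owner"), ("cms_cred", "cms"), ("ams_cred", "ams")):
                self._store(cred["creds"], info[key], role)
            if want_uuid_update:
                doxm["deviceuuid"] = new_uuid
        except OSError:
            return False, dict(ERR_INTERNAL)
        self.doxm, self.cred = doxm, cred
        self.state = RFPRO
        # First feedback message: the owner UUID now in effect and the device's
        # persistent UUID (the stored one when updating it is unsupported).
        return True, {"devowneruuid": doxm["devowneruuid"], "deviceuuid": doxm["deviceuuid"]}


def sample_credential_info():
    """Constructed sample of what the first device sends over the secure connection."""
    owner = "11111111-2222-4333-8444-555555555555"
    return {
        "devowneruuid": owner,
        "rowneruuid": owner,
        "owner_cred": {"credtype": 1, "subjectuuid": owner, "privatedata": {"data": "c2VjcmV0"}},
        "cms_cred": {"credtype": 1, "subjectuuid": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
                     "privatedata": {"data": "Y21z"}},
        "ams_cred": {"credtype": 1, "subjectuuid": "bbbbbbbb-cccc-4ddd-8eee-ffffffffffff",
                     "privatedata": {"data": "YW1z"}},
    }
```

The transactional copy-then-commit is the detail the text's "all updated successfully" condition implies: if the owner UUID were written but the CMS credential failed, a device that reported ec 2000 while staying in RFOTM with a new owner recorded would be claimable by whoever retried next.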
  • S305 The management service sends to the second device the security resources required when the second device interacts with the third device.
  • the first device may close the DTLS connection.
  • in summary, the first device receives the resource information sent by the second device at one time;
  • the resource information includes the first owner transfer method supported by the second device;
  • the resource information further includes at least one of the following: the credential type supported by the second device, the configuration mode supported by the second device, the working status of the second device, and the access authority information;
  • the first device sends to the second device the second owner transfer method and the client-led configuration mode of the second device at one time;
  • the first device performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection, and then sends to the second device through the secure connection, at one time, the owner's credentials, the credentials for the AMS to access the second device and the credentials for the CMS to access the second device, so that the management service can send the second device the security resources it requires when it interacts with the third device.
  • the steps can thus be batched and the device activation process merged, thereby simplifying the operation process and saving transmission overhead.
  • the terminal device includes a hardware structure and/or software module corresponding to each function.
  • the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of this application.
  • the embodiment of the present application may divide the terminal device into functional units according to the foregoing method examples.
  • each functional unit may be divided corresponding to each function, or two or more functions may be integrated into one processing unit.
  • the above-mentioned integrated unit can be realized in the form of hardware or software program module. It should be noted that the division of units in the embodiments of the present application is illustrative, and is only a logical function division, and there may be other division methods in actual implementation.
  • FIG. 4 shows a block diagram of a possible functional unit composition of the first device involved in the foregoing embodiment, and the first device includes:
  • the communication unit 401 is configured to receive resource information sent by a second device, where the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the credential types supported by the second device, the configuration modes supported by the second device, the working status of the second device, and the access authority information.
  • the communication unit 401 is further configured to send to the second device a second owner transfer method configured for the second device and a client-led configuration mode, and the second owner transfer method is at least one of the first owner transfer methods.
  • the processing unit 402 is configured to perform a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection.
  • the communication unit 401 is further configured to send credential information to the second device through the secure connection, the credential information including the owner's credential, the credential for the AMS to access the second device and the credential for the CMS to access the second device, and the owner credential is determined according to the credential type supported by the second device, so that the management service sends to the second device the security resources required by the second device to interact with the third device.
  • the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
  • the processing unit 402 may be a processor or a controller, and the communication unit 401 may be a transceiver, a transceiver circuit, a radio frequency chip, or the like.
  • the receiving of the resource information sent by the second device by the communication unit 401 includes:
  • the resource information sent by the second device is received in a GET manner on the UDP unicast channel.
  • the communication unit 401 sending the second owner transfer method for the second device configuration and the client-led configuration mode to the second device includes:
  • the second owner transfer method and the client-led configuration mode of the configuration of the second device are sent to the second device through the POST method on the UDP unicast channel.
  • the communication unit 401 sending credential information to the second device through the secure connection includes:
  • the credential information is sent to the second device through the POST mode and the secure connection on the UDP unicast channel.
  • the terminal device involved in the embodiment of the present application may be the first device shown in FIG. 5.
  • the first device shown in FIG. 4 and FIG. 5 may be used to implement the steps performed by the first device in the above-mentioned embodiment, which will not be repeated in this embodiment of the application.
  • the communication unit 1001 receives the resource information sent by the second device, and sends the second owner transfer method and the client-led configuration mode for the second device configuration to the second device, and the processing unit 1002 performs a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection.
  • the communication unit 1001 sends credential information to the second device through the secure connection, so that the management service sends to the second device the security resources required when the second device interacts with the third device, which simplifies the operation process and saves transmission overhead.
  • FIG. 6 shows a block diagram of a possible functional unit composition of the second device involved in the foregoing embodiment, and the second device includes:
  • the communication unit 601 is configured to send resource information to a first device, where the resource information includes the first owner transfer method supported by the second device, and the resource information further includes at least one of the following: the credential types supported by the second device, the configuration modes supported by the second device, the working status of the second device, and the access authority information.
  • the communication unit 601 is further configured to receive a second owner transfer method and a client-led configuration mode sent by the first device, and the second owner transfer method is at least one owner transfer method among the first owner transfer methods.
  • the processing unit 602 is configured to perform a DTLS handshake with the first device according to the second owner transfer method to establish a secure connection.
  • the communication unit 601 is further configured to receive credential information sent by the first device via the secure connection, the credential information including the owner credential, the AMS credential for accessing the second device and the CMS credential for accessing the second device, and the owner credential is determined according to the credential type supported by the second device.
  • the communication unit 601 is further configured to receive security resources required when interacting with a third device sent by a management service, where the third device is an activated terminal device, and the management service includes the AMS and/or the CMS.
  • the processing unit 602 may be a processor or a controller, and the communication unit 601 may be a transceiver, a transceiver circuit, a radio frequency chip, or the like.
  • the method further includes:
  • the processing unit 602 updates the operating status of the second device to the RFPRO (device ready for provisioning) state;
  • the communication unit 601 sends a first feedback message to the first device, where the first feedback message is used to indicate that the second device successfully updates data.
  • the first feedback message includes the updated owner UUID and the device persistent UUID.
  • the method before the processing unit 602 updates the operating state of the second device to the RFPRO state, the method further includes:
  • the processing unit 602 determines that the data update is successful.
  • the method further includes:
  • the communication unit 601 sends a second feedback message to the first device, where the second feedback message is used to indicate that the second device fails to update data.
  • the method further includes:
  • the communication unit 601 sends the device persistent UUID stored by the second device to the first device.
  • the method further includes:
  • the communication unit 601 sends a second feedback message to the first device, where the second feedback message is used to indicate that the second device fails to update data.
  • the method before the communication unit 601 sends resource information to the first device, the method further includes:
  • the processing unit 602 generates the resource information when detecting that the operating status of the second device is updated to the RFOTM (device ready for owner transfer method) state.
  • the method before the communication unit 601 sends resource information to the first device, the method further includes:
  • the processing unit 602 generates the resource information when detecting that the second device is in a running state.
  • the processing unit 602 is further configured to delete the resource information when it is detected that the operating state of the second device is updated to the RFNOP state or RESET.
  • the second device involved in the embodiment of the present application may be the second device shown in FIG. 7.
  • the second device shown in FIG. 6 and FIG. 7 may be used to implement the steps performed by the second device in the above-mentioned embodiment, which will not be repeated in this embodiment of the application.
  • the communication unit 1001 sends resource information to the first device and receives the second owner transfer method and the client-led configuration mode sent by the first device, and the processing unit 1002 performs a DTLS handshake with the first device according to the second owner transfer method to establish a secure connection.
  • the communication unit 1001 receives the credential information sent by the first device through the secure connection, and receives from the management service the security resources required to interact with the third device, which simplifies the operation process and saves transmission overhead.
  • the embodiment of the present application also provides a computer-readable storage medium, wherein the computer-readable storage medium stores a computer program for electronic data exchange, and the computer program causes the computer to execute part or all of the steps performed by the first device as described in the above method embodiment.
  • the embodiments of the present application also provide a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute part or all of the steps performed by the first device as described in the above method embodiments.
  • the computer program product may be a software installation package.
  • the embodiment of the present application also provides a computer-readable storage medium, wherein the computer-readable storage medium stores a computer program for electronic data exchange, and the computer program causes the computer to execute part or all of the steps performed by the second device as described in the above method embodiment.
  • the embodiments of the present application also provide a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute part or all of the steps performed by the second device as described in the above method embodiments.
  • the computer program product may be a software installation package.
  • the steps of the method or algorithm described in the embodiments of the present application may be implemented in a hardware manner, or may be implemented in a manner in which a processor executes software instructions.
  • Software instructions can be composed of corresponding software modules, which can be stored in random access memory (Random Access Memory, RAM), flash memory, read-only memory (Read Only Memory, ROM), and erasable programmable read-only memory ( Erasable Programmable ROM (EPROM), Electrically Erasable Programmable Read-Only Memory (Electrically EPROM, EEPROM), registers, hard disk, mobile hard disk, CD-ROM, or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor, so that the processor can read information from the storage medium and write information to the storage medium.
  • the storage medium may also be an integral part of the processor.
  • the processor and the storage medium may be located in the ASIC.
  • the ASIC may be located in an access network device, a target network device, or a core network device.
  • the processor and the storage medium may also exist as discrete components in the access network device, the target network device, or the core network device.
  • the functions described in the embodiments of the present application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when implemented in software, the functions can be realized in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices.
  • the computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or Digital Subscriber Line (DSL)) or wireless means (such as infrared, radio or microwave).
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center integrated with one or more available media.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a Digital Video Disc (DVD)) or a semiconductor medium (for example, a Solid State Disk (SSD)), etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a device activation method, a terminal device and a computer storage medium. The method comprises: a first device receiving resource information sent by a second device, the resource information comprising a first owner transfer method supported by the second device, and the resource information further comprising at least one of the following: a credential type supported by the second device, a configuration mode supported by the second device, the operating state of the second device, and access authorization information (S301); the first device sending to the second device a second owner transfer method configured for the second device and a client-led configuration mode (S302); the first device performing a DTLS handshake with the second device according to the second owner transfer method to establish a secure connection (S303); and the first device sending credential information to the second device by means of the secure connection (S304). The method can simplify the operating procedure and reduce transmission overhead.
PCT/CN2019/105784 2019-09-12 2019-09-12 Device activation method, terminal device and computer storage medium WO2021046822A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201980095274.4A CN113647075B (zh) 2019-09-12 2019-09-12 Device activation method, terminal device and computer storage medium
PCT/CN2019/105784 WO2021046822A1 (fr) 2019-09-12 2019-09-12 Device activation method, terminal device and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/105784 WO2021046822A1 (fr) 2019-09-12 2019-09-12 Device activation method, terminal device and computer storage medium

Publications (1)

Publication Number Publication Date
WO2021046822A1 true WO2021046822A1 (fr) 2021-03-18

Family

ID=74867004

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/105784 WO2021046822A1 (fr) 2019-09-12 2019-09-12 Device activation method, terminal device and computer storage medium

Country Status (2)

Country Link
CN (1) CN113647075B (fr)
WO (1) WO2021046822A1 (fr)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104144152A (zh) * 2013-05-10 2014-11-12 中国电信股份有限公司 Authorization method and system for a third-party resource provider
CN104580316A (zh) * 2013-10-24 2015-04-29 深圳市国信互联科技有限公司 Software authorization management method and system
CN104883674A (zh) * 2014-02-28 2015-09-02 华为终端有限公司 Profile association management method and apparatus
CN105187409A (zh) * 2015-08-18 2015-12-23 杭州古北电子科技有限公司 Device authorization system and authorization method thereof
US20170195457A1 (en) * 2015-12-30 2017-07-06 Amazon Technologies, Inc. Service authorization handshake
CN108696868A (zh) * 2017-03-01 2018-10-23 西安西电捷通无线网络通信股份有限公司 Method, apparatus and application (app) for processing credential information for a network connection

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101955976B1 (ko) * 2011-08-25 2019-03-08 엘지전자 주식회사 Activation of a device having a limited user interface
EP2981148B1 (fr) * 2014-06-24 2020-02-26 Huawei Technologies Co., Ltd. Device management method, apparatus and system
US20160366183A1 (en) * 2015-06-09 2016-12-15 Ned M. Smith System, Apparatus And Method For Access Control List Processing In A Constrained Environment
CN110235424B (zh) * 2017-01-20 2022-03-08 三星电子株式会社 Apparatus and method for providing and managing security information in a communication system
US20190139017A1 (en) * 2017-11-03 2019-05-09 Sita Ypenburg B.V. Systems and methods for interactions between ticket holders and self service functions


Also Published As

Publication number Publication date
CN113647075A (zh) 2021-11-12
CN113647075B (zh) 2023-04-04

Similar Documents

Publication Publication Date Title
US7716721B2 (en) Method and apparatus for re-authentication of a computing device using cached state
US7194763B2 (en) Method and apparatus for determining authentication capabilities
KR101086576B1 (ko) System and method for automatic negotiation of security protocols
EP2941855B1 (fr) Authentication of a wireless device hosted by a wireless hosting service
CN101136746A (zh) Authentication method and system
WO2023011016A1 (fr) Internet of Things device binding system, apparatus and method, cloud server and storage medium
JP2008060692A (ja) Management computer, computer system and switch
JP2002359631A (ja) Method and system for controlling access to network resources based on connection security
WO2010003354A1 (fr) Authentication server and control method for access of a mobile communication terminal to a virtual private network
WO2006058493A1 (fr) Method and system for domain and network authority authentication
WO2021196913A1 (fr) Terminal parameter update protection method and communication device
WO2023005525A1 (fr) Configuration method for device control privilege, apparatus, computer device and storage medium
WO2021134562A1 (fr) Configuration device replacement method and apparatus, device and storage medium
WO2021046822A1 (fr) Device activation method, terminal device and computer storage medium
KR20050122343A (ko) Integrated network management system
WO2023005649A1 (fr) Device control permission setting method and apparatus, computer device and storage medium
JP2008033831A (ja) Communication device and communication control program
KR20070078212A (ko) Multi-mode access authentication method in a public wireless LAN
US20030182398A1 (en) Method of establishing a logical association between connections
JP2006345302A (ja) Gateway device and program
KR100429395B1 (ko) AAA system redundancy method using pre-association setup of the secure transport layer
JP2014154112A (ja) Communication data relay device and program
WO2023202412A1 (fr) Communication method and apparatus
JP5577976B2 (ja) Network relay device
US20220286855A1 (en) Subscription information processing method and apparatus, and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19945061

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19945061

Country of ref document: EP

Kind code of ref document: A1