WO2022001272A1 - Method and apparatus for device anti-counterfeiting - Google Patents

Publication number
WO2022001272A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
root key
counterfeiting
cloud server
key
Prior art date
Application number
PCT/CN2021/085663
Other languages
French (fr)
Chinese (zh)
Inventor
韩亚
甘璐
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2022001272A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/018 Certifying business or products
    • G06Q30/0185 Product, service or business identity fraud
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K7/00 Methods or arrangements for sensing record carriers, e.g. for reading patterns
    • G06K7/10 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
    • G06K7/14 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation using light without selection of wavelength, e.g. sensing reflected white light
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K7/00 Methods or arrangements for sensing record carriers, e.g. for reading patterns
    • G06K7/10 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
    • G06K7/14 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation using light without selection of wavelength, e.g. sensing reflected white light
    • G06K7/1404 Methods for optical code recognition
    • G06K7/1408 Methods for optical code recognition the method being specifically adapted for the type of code
    • G06K7/1417 2D bar codes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a device anti-counterfeiting method and device.
  • the device manufacturer usually activates the anti-counterfeiting capability of the terminal device during the initialization stage of the terminal device.
  • the legitimacy of the terminal device can be verified through anti-counterfeiting authentication.
  • a built-in device activation certificate is usually used to realize the anti-counterfeiting verification of the terminal device, and the device activation certificate is encrypted by a key generated in a hard-coded manner.
  • keys generated by hard coding can easily be recovered by criminals through reverse engineering and then used to decrypt the device activation credentials, allowing them to forge terminal devices and even hijack the entire network. Therefore, the deployment of anti-counterfeiting capabilities for such terminal devices with small storage space has become an important factor in the security of the entire network.
  • the present application provides a device anti-counterfeiting method and device, which are used to improve the security of anti-counterfeiting information of a terminal device and reduce the risk of the terminal device being forged.
  • a device anti-counterfeiting method includes: a cloud server obtains a root key and a device activation certificate from a certificate server, where the root key is used to encrypt anti-counterfeiting information of a terminal device, and the anti-counterfeiting information includes a universal unique identification code (UUID) and the device activation certificate (for example, the device activation certificate can be a software token or certificate); the cloud server encrypts the UUID and the device activation certificate according to the root key to obtain encrypted information; the cloud server steganographically writes the first root key into the device QR code of the terminal device (for example, an image is embedded in the device QR code, and the first root key is steganographically written in the image), where the first root key is a partial key of the root key.
  • the cloud server sends the device QR code, the second root key and the encrypted information; the second root key is a partial key of the root key and forms the root key together with the first root key; the device two-dimensional code can be printed on the body of the terminal device, and the second root key and the encrypted information are stored in the terminal device.
  • the root key used to encrypt the anti-counterfeiting information of the terminal device can be divided into a first root key and a second root key, and the first root key is steganographically written in the device two-dimensional code on the body of the terminal device.
  • the second root key is stored in the terminal device, so that the root key is stored in different locations of the terminal device, which improves the security of the root key and increases the difficulty for illegal parties to crack the root key, thereby greatly reducing the risk of the terminal device being forged.
  • the cloud server encrypts the UUID and the device activation credential according to the root key to obtain encrypted information, including: the cloud server directly encrypts the UUID and the device activation credential by using the root key to obtain encrypted information; or, the cloud server encrypts the UUID and the device activation credential using a key derived from the root key to obtain encrypted information.
  • the cloud server can directly use the root key or use the derived key of the root key to encrypt the UUID and the device activation credential, thereby improving the flexibility of the cloud server in using the root key; in addition, the security of the encrypted information can be further improved when it is encrypted using a key derived from the root key.
  • the method further includes: the cloud server generates a device two-dimensional code according to hardware information of the terminal device, where the hardware information includes a media access control (MAC) address and/or a device serial number.
  • the user can obtain the hardware information of the terminal device by scanning the two-dimensional code of the device, thereby improving the convenience for the user to know the hardware information of the terminal device, thereby improving the user experience.
  • the device activation credential is a software token or a certificate.
  • the above-mentioned possible implementation manners can support device anti-counterfeiting of terminal devices that use software tokens or certificates as device activation credentials.
  • the terminal device is a smart home device.
  • the above possible implementation manners can improve the security of the anti-counterfeiting information of the smart home device and reduce the risk of the terminal device being forged.
  • a device anti-counterfeiting method includes: a second terminal device receives a first root key from a first terminal device, where the first root key is steganographically written in a device two-dimensional code of the second terminal device (for example, an image is embedded in the device two-dimensional code, and the first root key is steganographically written in the image), and the device two-dimensional code can be printed on the body of the second terminal device;
  • the second terminal device determines the root key according to the first root key and the second root key stored by itself;
  • the second terminal device uses the root key to decrypt the encrypted information corresponding to the anti-counterfeiting information of the second terminal device to obtain the anti-counterfeiting information, and the anti-counterfeiting information includes universal unique
  • the root key used to encrypt the anti-counterfeiting information of the second terminal device can be divided into a first root key and a second root key, and the first root key is steganographically written on the body of the second terminal device.
  • the second root key is stored in the second terminal device, so that the root key is stored in different locations of the second terminal device, which improves the security of the root key and makes it more difficult for illegal parties to crack the root key, thereby greatly reducing the risk of the second terminal device being forged.
  • the method further includes: when a preset update condition is met, the second terminal device uses the first root key to update the second root key; optionally, the preset update conditions include at least one of the following: the system of the second terminal device is reset, the second terminal device is restored to factory settings, and the second terminal device receives a new device activation credential.
  • the second root key may be updated by the second terminal device to ensure the validity and security of the second root key, thereby improving the security of the root key.
  • the method further includes: the second terminal device sends the second root key to the cloud server.
  • the device two-dimensional code is generated based on hardware information of the second terminal device, and the hardware information includes a media access control (MAC) address and/or a device serial number.
  • the user can obtain the hardware information of the terminal device by scanning the two-dimensional code of the device, thereby improving the convenience for the user to know the hardware information of the terminal device, thereby improving the user experience.
  • the second terminal device uses the root key to decrypt the encrypted information corresponding to the anti-counterfeiting information of the second terminal device, including: the second terminal device directly decrypts, by using the root key, the encrypted information corresponding to the anti-counterfeiting information of the second terminal device; or, the second terminal device directly decrypts the encrypted information corresponding to the anti-counterfeiting information of the second terminal device using the derived key of the root key.
  • the second terminal device can directly use the root key or use the derived key of the root key to decrypt the UUID and the device activation credential, thereby improving the flexibility of the second terminal device in using the root key.
  • the security of encrypted information can be further improved when decrypting with a key derived from the root key.
  • the device activation credential is a software token or a certificate.
  • the above-mentioned possible implementation manners can support device anti-counterfeiting of terminal devices that use software tokens or certificates as device activation credentials.
  • the second terminal device is a smart home device.
  • the above possible implementation manners can improve the security of the anti-counterfeiting information of the smart home device and reduce the risk of the terminal device being forged.
  • a device anti-counterfeiting method comprising: a first terminal device scans a device two-dimensional code of a second terminal device to obtain a first root key, where the first root key is steganographically written in the device two-dimensional code (for example, an image is embedded in the device two-dimensional code, and the first root key is steganographically written in the image), and the device two-dimensional code can be printed on the body of the second terminal device; the first terminal device sends the first root key to the second terminal device, where the first root key and the second root key stored in the second terminal device constitute the root key, the root key is used to decrypt the encrypted information corresponding to the anti-counterfeiting information of the second terminal device, and the anti-counterfeiting information includes the UUID and the device activation certificate.
  • the root key used to encrypt the anti-counterfeiting information of the second terminal device can be divided into a first root key and a second root key; the first root key is steganographically written in the device two-dimensional code of the second terminal device (for example, an image is embedded in the device two-dimensional code, and the first root key is steganographically written in the image), and the second root key is stored in the second terminal device, so that the root key is distributed across different locations of the second terminal device, which improves the security of the root key, increases the difficulty for illegal parties to decipher the root key, and greatly reduces the risk of the second terminal device being forged.
  • the device two-dimensional code is generated based on hardware information of the second terminal device, and the hardware information includes a media access control (MAC) address and/or a device serial number.
  • the user can obtain the hardware information of the terminal device by scanning the two-dimensional code of the device, thereby improving the convenience for the user to know the hardware information of the terminal device, thereby improving the user experience.
  • the second root key and the encrypted information are stored in the second terminal device.
  • the device activation credential is a software token or a certificate.
  • the above possible implementation manners can improve the security of the anti-counterfeiting information of the smart home device and reduce the risk of the terminal device being forged.
  • the second terminal device is a smart home device.
  • the above-mentioned possible implementation manners can support device anti-counterfeiting of terminal devices that use software tokens or certificates as device activation credentials.
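
The provisioning and activation flow of the three method aspects above (cloud server, scanning first terminal device, second terminal device), as an added Python example that is not code from the patent. The patent does not specify the split, the cipher or the steganographic method, so the halving of a 32-byte root key, HKDF-SHA256 as the "derived key", the HMAC-based cipher standing in for an AEAD such as AES-GCM, least-significant-bit embedding, and all function names and sample values are assumptions.

```python
import hashlib
import hmac
import json
import secrets

SHARE_LEN = 16  # assumption: 32-byte root key split into two 16-byte partial keys


def hkdf_sha256(ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with an all-zero salt: the 'key derived from the root key'."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter keystream; stdlib stand-in for a real AEAD cipher."""
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(root_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from the root key."""
    keys = hkdf_sha256(root_key, b"anti-counterfeit-info", 64)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(keys[:32], nonce, plaintext)
    return nonce + ct + hmac.new(keys[32:], nonce + ct, hashlib.sha256).digest()


def unseal(root_key: bytes, blob: bytes) -> bytes:
    keys = hkdf_sha256(root_key, b"anti-counterfeit-info", 64)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(keys[32:], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("root key mismatch or tampered encrypted information")
    return _xor_stream(keys[:32], nonce, ct)


def stego_embed(pixels: bytes, secret: bytes) -> bytes:
    """Write each secret bit into the least significant bit of one pixel byte."""
    bits = [(byte >> (7 - i)) & 1 for byte in secret for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("image too small for the first root key")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def stego_extract(pixels: bytes, n_bytes: int) -> bytes:
    out = bytearray()
    for b in range(n_bytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def cloud_provision(root_key: bytes, uuid: str, credential: str, image: bytes):
    """Cloud server: returns (QR image with first share, second share, encrypted info)."""
    first, second = root_key[:SHARE_LEN], root_key[SHARE_LEN:]
    info = json.dumps({"uuid": uuid, "credential": credential}).encode()
    return stego_embed(image, first), second, seal(root_key, info)


def phone_scan(qr_image: bytes) -> bytes:
    """First terminal device: recovers the first root key from the scanned image."""
    return stego_extract(qr_image, SHARE_LEN)


def device_recover(first: bytes, stored_second: bytes, stored_blob: bytes) -> dict:
    """Second terminal device: rebuilds the root key and decrypts its stored info."""
    if len(first) != SHARE_LEN:
        raise ValueError("unexpected first root key length")
    return json.loads(unseal(first + stored_second, stored_blob))


def token_matches(info: dict, server_token: str) -> bool:
    """Constant-time comparison of the device's software token with the server's."""
    return hmac.compare_digest(info["credential"].encode(), server_token.encode())


if __name__ == "__main__":
    # Constructed sample values: random root key, example UUID/token, 256-byte image.
    root = secrets.token_bytes(32)
    qr, second, blob = cloud_provision(
        root, "123e4567-e89b-12d3-a456-426614174000", "constructed-token-0001",
        bytes(range(256)))
    info = device_recover(phone_scan(qr), second, blob)
    print(info["uuid"], token_matches(info, "constructed-token-0001"))
```

The authentication tag is what lets the device tell a wrong first root key (for example, a code scanned from a different unit) from a correct one before it acts on the decrypted UUID and credential.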
  • a device anti-counterfeiting method is provided, and the method is applied in a communication system including a credential server, a cloud server, a first terminal device and a second terminal device; wherein the credential server can be used to assign a root to the second terminal device
  • the cloud server can be used to execute the method provided by the first aspect or any possible implementation manner of the first aspect
  • the second terminal device can be used to execute the second aspect or any one of the second aspect
  • the first terminal device can be used to execute the method provided by the third aspect or any possible implementation manner of the third aspect.
  • a device anti-counterfeiting device is provided; as a cloud server, the device includes: a receiving unit configured to obtain a root key and a device activation certificate from a certificate server, where the root key is used to encrypt anti-counterfeiting information of a terminal device, and the anti-counterfeiting information includes the universal unique identification code UUID and the device activation certificate; a processing unit used to encrypt the UUID and the device activation certificate according to the root key to obtain encrypted information; the processing unit is also used to steganographically write the first root key into the device QR code of the terminal device (for example, an image is embedded in the device QR code, and the first root key is steganographically written in the image), where the first root key is a partial key of the root key
  • the device QR code can be printed on the body of the terminal device; the sending unit is used to send the device two-dimensional code, the second root key and encrypted information, and the second root key is a partial
  • the second root key and encrypted information are stored in the terminal device.
  • the processing unit is further configured to: directly encrypt the UUID and the device activation credential by using the root key to obtain encrypted information; or, encrypt the UUID and the device activation using a key derived from the root key Credentials to get encrypted information.
  • the processing unit is further configured to: generate a device two-dimensional code according to hardware information of the terminal device, where the hardware information includes a media access control (MAC) address and/or a device serial number.
  • a device anti-counterfeiting device comprising: a receiving unit configured to receive a first root key from a first terminal device, where the first root key is steganographically written in a device two-dimensional code of the second terminal device (for example, an image is embedded in the device two-dimensional code, and the first root key is steganographically written in the image), and the device two-dimensional code can be printed on the body of the second terminal device; a processing unit used to determine the root key according to the first root key and the second root key stored by itself; the processing unit is further configured to decrypt the encrypted information corresponding to the anti-counterfeiting information of the second terminal device according to the root key to obtain anti-counterfeiting information, where the anti-counterfeiting information includes the universal unique identification code UUID and the device activation certificate (for example, the device activation certificate is a software token or certificate); the processing unit is further configured to activate the second terminal device according to the UUID and the device activation
  • the processing unit is further configured to: when a preset update condition is satisfied, the second terminal device updates the second root key according to the first root key.
  • the apparatus further includes: a sending unit, configured to send the second root key to the cloud server.
  • the preset update condition includes at least one of the following: system reset of the second terminal device, factory reset of the second terminal device, and receipt of a new device activation certificate by the second terminal device.
  • the device two-dimensional code is generated based on hardware information of the second terminal device, and the hardware information includes a media access control (MAC) address and/or a device serial number.
  • the processing unit is further configured to: directly use the root key to decrypt the encrypted information corresponding to the anti-counterfeiting information of the second terminal device; or, directly use the derived key of the root key to decrypt the encrypted information corresponding to the anti-counterfeiting information of the second terminal device.
  • a device anti-counterfeiting device comprising: a processing unit configured to scan a device two-dimensional code of a second terminal device to obtain a first root key, where the first root key is steganographically written in the device two-dimensional code (for example, an image is embedded in the device two-dimensional code, and the first root key is steganographically written in the image), and the device two-dimensional code can be printed on the body of the second terminal device; a sending unit used to send the first root key to the second terminal device, where the first root key and the second root key stored in the second terminal device constitute the root key, the root key is used to decrypt the encrypted information corresponding to the anti-counterfeiting information of the second terminal device, and the anti-counterfeiting information includes the UUID and the device activation certificate.
  • the device two-dimensional code is generated based on hardware information of the second terminal device, and the hardware information includes a media access control (MAC) address and/or a device serial number.
  • the second root key and the encrypted information are stored in the second terminal device.
  • the device activation credential is a software token or a certificate.
  • the second terminal device is a smart home device.
  • a device anti-counterfeiting device is provided, the device is a cloud server or a chip built into the cloud server, the device includes: a memory, and a processor coupled with the memory, the memory stores codes and data, and the processor runs the code in the memory to cause the apparatus to execute the device anti-counterfeiting method provided by the first aspect or any possible implementation manner of the first aspect.
  • a device anti-counterfeiting device is provided, the device is a second terminal device or a chip built in the second terminal device, the device includes: a memory and a processor coupled to the memory, the memory stores codes and data, the processor runs the code in the memory to cause the apparatus to execute the device anti-counterfeiting method provided by the second aspect or any possible implementation manner of the second aspect.
  • a device anti-counterfeiting device is provided, the device is a first terminal device or a chip built in the first terminal device, the device includes: a memory, and a processor coupled to the memory, where codes are stored in the memory and data, the processor runs the code in the memory to cause the apparatus to execute the device anti-counterfeiting method provided by the third aspect or any possible implementation manner of the third aspect.
  • a communication system is provided in yet another aspect of the present application; the communication system includes a credential server, a cloud server, a first terminal device, and a second terminal device; wherein the cloud server is the cloud server provided in any of the above aspects, and is used for executing the method provided by the first aspect or any possible implementation manner of the first aspect; the second terminal device is the second terminal device provided by any of the above aspects, and is used to execute the method provided by the second aspect or any possible implementation manner of the second aspect; the first terminal device is the first terminal device provided in any of the foregoing aspects, and is configured to execute the method provided by the third aspect or any possible implementation manner of the third aspect.
  • a readable storage medium is provided, and instructions are stored in the readable storage medium, and when the readable storage medium runs on a device, the device causes the device to perform the above-mentioned first to sixth aspects.
  • a method provided by any one of the three aspects or any possible implementation manner.
  • a computer program product is provided which, when the computer program product runs on a computer, causes the computer to perform the method provided by any one of the above-mentioned first to third aspects or any possible implementation manner.
  • the device, computer storage medium or computer program product of any device anti-counterfeiting method provided above are all used to execute the corresponding method provided above. Therefore, for the beneficial effects that can be achieved, refer to the beneficial effects of the corresponding method provided above, which are not repeated here.
  • FIG. 1 is a schematic structural diagram of a communication system according to an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of a device anti-counterfeiting method provided by an embodiment of the present application
  • FIG. 3 is a schematic diagram of a device two-dimensional code provided by an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of another device anti-counterfeiting method provided by an embodiment of the present application.
  • FIG. 5 is a schematic interface diagram of a terminal device provided by an embodiment of the present application.
  • FIG. 6 is a schematic interface diagram of another terminal device provided by an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of a cloud server according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of another cloud server provided by an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of another terminal device provided by an embodiment of the present application.
  • At least one means one or more
  • plural means two or more.
  • “And/or” describes the association relationship of the associated objects and indicates that three kinds of relationships can exist; for example, A and/or B can indicate: A exists alone, A and B exist at the same time, or B exists alone, where A and B can be singular or plural.
  • the character “/” generally indicates that the associated objects are an “or” relationship.
  • “At least one item(s) below” or similar expressions thereof refer to any combination of these items, including any combination of single item(s) or plural item(s).
  • At least one (a) of a, b or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, and c may be single or multiple.
  • the burning scenario of anti-counterfeiting information may refer to a scenario in which the manufacturer of the terminal device stores or burns relevant information, such as anti-counterfeiting information or a key used to encrypt anti-counterfeiting information, into the terminal device before the terminal device leaves the factory; for example, the key used to encrypt the anti-counterfeiting information is integrated into the memory of the terminal device by hard coding;
  • the activation scenario of the anti-counterfeiting information may refer to the scenario in which the user, when using the terminal device after the terminal device leaves the factory, obtains the anti-counterfeiting information of the terminal device and activates the terminal device in the network according to the anti-counterfeiting information; the update scenario of the anti-counterfeiting information may refer to the scenario of replacing
  • the anti-counterfeiting information may include a universally unique identifier (UUID) and a device activation certificate
  • UUID universally unique identifier
  • the device activation certificate may be a kind of credential information, based on public key infrastructure (PKI) technology and/or certificate authority (CA) technology, that is generated by means of digital certificates, digital signatures, data encryption and security credentials and is used to ensure the legitimacy and security of terminal equipment.
  • PKI public key infrastructure
  • CA certificate authority
  • the device activation certificate (also referred to as anti-counterfeiting information) may include two types according to the device security capability: the first type is a software token (license) issued by the manufacturer, and the second type is a certificate issued by the manufacturer.
  • the device's activation certificate is mainly used to prove that the device is produced by a legitimate manufacturer.
  • the software token is a random string issued by the manufacturer for the device, and is burned into the device when the device is produced. During the device activation process, it is necessary to compare the software token of the device with the server token. After passing, you can enter the next step of device activation.
  • the software token method has relatively low requirements on the computing power of the device.
  • a certificate is a digital certificate issued by a manufacturer for a device.
  • the two activation credential methods can be applied to different device types. For example, a software token can be applied to a device with low computing power, and a certificate can be applied to a device with high computing power.
  • the above-mentioned terminal device can be a device with wireless communication function, which can be deployed on land, including indoor or outdoor, handheld or vehicle-mounted, can also be deployed on water (such as ships, etc.), and can also be deployed in the air (e.g. on airplanes, balloons and satellites, etc.).
  • the terminal device may also be referred to as a user equipment (user equipment, UE), a terminal (terminal), or an electronic device, or the like.
  • the terminal device includes a handheld device with a wireless connection function, a vehicle-mounted device, and the like.
  • the terminal device may include: a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a mobile internet device (MID), a wearable device (such as a smart watch, a smart bracelet, a pedometer, etc.), in-vehicle equipment (for example, cars, bicycles, electric vehicles, airplanes, ships, trains, high-speed trains, etc.), virtual reality (VR) equipment, augmented reality (AR) equipment, wireless terminals in industrial control, smart home devices (such as refrigerators, TVs, air conditioners, electricity meters, etc.), intelligent robots, workshop equipment, wireless terminals in self-driving, wireless terminals in remote medical surgery, wireless terminal equipment in a smart grid, wireless terminal equipment in transportation safety, wireless terminal equipment in a smart city, wireless terminal equipment in a smart home, flying equipment (for example, intelligent robots, hot air balloons, drones, airplanes), etc.
  • the terminal device is a terminal device that often works on the ground, such as a vehicle-mounted device.
  • chips deployed in the above-mentioned devices such as system-on-a-chip (SOC), baseband chips, etc., or other chips with communication functions, may also be referred to as terminal devices.
  • the terminal device may further include a wearable device.
  • Wearable devices can also be called wearable smart devices, which are the general term for the intelligent design of daily wear and the development of wearable devices using wearable technology, such as glasses, gloves, watches, clothing and shoes.
  • a wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. A wearable device is not only a hardware device; it also realizes powerful functions through software support, data interaction, and cloud interaction.
  • wearable smart devices include devices that are full-featured and large in size and can implement complete or partial functions without relying on smartphones, such as smart watches or smart glasses, and devices that focus on only a certain type of application function and need to cooperate with other devices such as smartphones.
  • the terminal device may further include a smart home device, and the smart home device may refer to various home devices applied in a smart home.
  • the smart home equipment can include smart anti-theft products such as smart locks.
  • the smart anti-theft products can coordinate with each other through various alarms and detectors to trigger alarm information in the deployed state, which plays a role in security and anti-theft.
  • the smart home device may also include smart lighting products such as smart lights, and the user can easily view and control the switching status of the lighting products in the home directly through terminal devices such as mobile phones and tablet computers.
  • the smart home device may also include home appliance control products such as a smart home appliance controller.
  • the home appliance control product can associate infrared wireless signals to control any device using an infrared remote control through a terminal device, such as TV, air conditioner, electric curtain, etc.
  • the smart home device can also include an air quality sensor. Users can conveniently view the indoor temperature, humidity and environmental conditions monitored by the air quality sensor in the app on the terminal device, and can link other electrical equipment in the home to improve the indoor environment and provide users with better enjoyment.
  • the smart home device can also include a mobile phone smart door lock. Users only need to take out terminal devices such as mobile phones and tablet computers and enter a password to realize automatic unlocking. At the same time, users can also remotely unlock for family members or visitors.
  • an application that can be used to select and control various smart home devices is installed on the user's mobile phone, the user's smart TV and the mobile phone are both connected to the same network, and the user can select the control interface of the smart TV in the app. For example, if the control interface includes multiple buttons such as power on, power off, volume +, volume -, next program and previous program, the user can click the power on or power off button to turn the smart TV on or off, click the volume + or volume - button to increase or decrease the playback volume of the smart TV, or click the next program or previous program button to switch the playing program, etc.
  • FIG. 1 is a schematic structural diagram of a communication system provided by an embodiment of the present application.
  • the communication system may include a credential server 101 , a cloud server 102 , a first terminal device 103 and a second terminal device 104 .
  • the credential server 101 may refer to a server responsible for related services such as issuance and management of credential information of terminal devices.
  • the credential server 101 may be provided by the manufacturer of the terminal device.
  • the cloud server 102 may refer to a server used to provide cloud services for the terminal device.
  • the cloud server 102 may be provided by the manufacturer of the terminal device or provided by a third party.
  • the cloud server 102 may be used to forward, to the terminal device, the device activation credential assigned to or generated for the terminal device by the credential server 101.
  • the first terminal device 103 and the second terminal device 104 are both terminal devices, which can communicate with the cloud server 102 , and communicate with the credential server 101 through the cloud server 102 .
  • both the first terminal device 103 and the second terminal device 104 may be the terminal devices described above.
  • the terminal device may be divided into a first terminal device 103 and a second terminal device 104 herein, and the first terminal device 103 may refer to a terminal device that can be used to control the second terminal device 104 .
  • the second terminal device 104 may be a smart home device such as a TV, an air conditioner, a refrigerator, a camera, a smart speaker, a smart socket, and a smart lamp
  • the first terminal device 103 may be a smart home device installed with a smart home application (application, app).
  • the first terminal device 103 can control the second terminal device 104 through the smart home app.
  • the smart home app here may refer to a software program that can select and control various home devices in the home, and the smart home app can be installed on the terminal device.
  • the smart home app may be an app installed by the first terminal device 103 when it leaves the factory, or may be an app downloaded by the user from the network or acquired and installed from other devices during the use of the first terminal device 103 .
  • FIG. 2 is a schematic flowchart of a device anti-counterfeiting method provided by an embodiment of the present application, and the method can be applied to a scene of programming anti-counterfeiting information of a terminal device.
  • the method can be applied to the communication system shown in FIG. 1 , and the method includes the following steps.
  • the cloud server obtains a root key and a device activation certificate from a certificate server, where the root key is used to encrypt anti-counterfeiting information of the terminal device, and the anti-counterfeiting information may include a universally unique identifier (UUID) and a device activation certificate.
  • the UUID of the terminal device can be used to uniquely identify the terminal device
  • the device activation certificate (also referred to as manufacturer identification information) of the terminal device can refer to the identification information of the manufacturer that produces the terminal device
  • the device activation certificate can be used to identify the legitimacy of the terminal device, for example, the device activation credential may be the manufacturer's certificate or software token or the like.
  • the cloud server may request the credential server for the device activation credential and root key (ROT) of the terminal device.
  • the cloud server may send request information to the credential server, and the request information may carry the identification of the terminal device and be used to request the device activation credential and root key of the terminal device.
  • the credential server can assign a root key to the terminal device, and send the device activation credential and the root key to the cloud server.
  • the cloud server receives the device activation certificate and the root key
  • the cloud server can assign a UUID to the terminal device, and bind the UUID to the device activation certificate.
  • the cloud server may send the information of binding the UUID and the device activation certificate to the certificate server, and the certificate server may store the information when receiving the bound information.
  • S202 The cloud server encrypts the UUID and the device activation certificate according to the root key to obtain encrypted information.
  • the cloud server can use the root key to encrypt the UUID and the device activation certificate separately, that is, the cloud server encrypts the UUID with the root key to obtain the ciphertext of the UUID, and encrypts the device activation credential with the root key to obtain the ciphertext of the device activation credential; the ciphertext of the UUID and the ciphertext of the device activation credential together are the encrypted information.
  • the cloud server may also take the UUID and the device activation certificate as a whole, and encrypt the whole information with the root key to obtain the ciphertext of the whole information, and the cipher text of the whole information is the encrypted information.
  • when the cloud server uses the root key to encrypt the UUID and the device activation certificate, the cloud server can directly use the root key for encryption, or can use a derived key of the root key for encryption.
  • a derived key of the root key may be a key generated based on the root key.
  • for example, if the root key is key 1, the derived key can be the key obtained after key 1 is cyclically shifted, or the key obtained after an AND operation between key 1 and a certain fixed value, etc. This embodiment of the present application does not specifically limit this.
  • S203 The cloud server steganographically writes the first root key into the image, and embeds the image into the two-dimensional code of the device, where the first root key is a partial key of the root key.
  • the root key may include two parts, the first part may be referred to as the first root key, and the second part may be referred to as the second root key.
  • the two parts included in the root key may be obtained by dividing the cloud server according to the root key dividing rule, and the root key dividing rule may be preset.
  • for example, if the root key is an 8-bit binary number, the first root key may be the first four bits of the 8-bit binary number, and the second root key may be the last four bits of the 8-bit binary number.
  • the image into which the first root key is steganographically written may be a random image or an image related to the terminal device.
  • for example, the image may be an image of the logo of the manufacturer producing the terminal device.
  • the image can also be specified by the manufacturer of the terminal device. This embodiment of the present application does not specifically limit the image into which the first root key is steganographically written.
  • the device two-dimensional code can be a two-dimensional code generated based on the hardware information of the terminal device, for example, the hardware information can include the media access control (MAC) address and device serial number of the terminal device, and so on.
  • the device QR code can be generated by the cloud server, or generated by other devices and sent to the cloud server.
  • the cloud server may divide the root key into a first root key and a second root key according to the above root key division rule.
  • the cloud server can use data steganography technology to write the first root key into the image, generate a device QR code based on the hardware information of the terminal device, and then embed the image carrying the first root key into the device QR code.
  • the image carrying the first root key does not affect the normal reading of the two-dimensional code of the device.
  • as shown in FIG. 3, a schematic diagram of a device two-dimensional code provided by an embodiment of the present application, the image in which the first root key is steganographically written may be embedded in the middle area of the device two-dimensional code.
  • the cloud server sends the device two-dimensional code, the second root key and the encrypted information to the terminal device, so that the device two-dimensional code is printed on the body of the terminal device, and the second root key and the encrypted information are stored in the terminal device.
  • the cloud server can send the device QR code, the second root key and the encrypted information to the terminal device.
  • the cloud server may send all the above information to the terminal device at one time; or, the cloud server sends the above information to the terminal device multiple times, and only sends part of the above information each time.
  • the cloud server sends the QR code of the device to the terminal device when it is sent for the first time, and sends the second root key and the encrypted information to the terminal device when it is sent for the second time.
  • the manufacturer of the terminal device can print the two-dimensional code of the device on the body (for example, the casing) of the terminal device, and write the second root key and the encrypted information into the terminal device by means of hard coding, for example, by writing the second root key and the encrypted information into the code segment of the terminal device.
  • the root key used to encrypt the anti-counterfeiting information of the terminal device may be divided into a first root key and a second root key; the first root key is steganographically written into the image and embedded in the device QR code printed on the body of the terminal device, and the second root key is stored in the terminal device, so that by dispersing the root key in different locations of the terminal device, the security of the root key is improved and the difficulty of cracking the root key for malicious parties is increased, thereby greatly reducing the risk of forging the terminal device.
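The key division and steganographic embedding of S203, together with the recombination done at activation, as an added example (not code from the patent). The patent names no steganography method: least-significant-bit embedding with a 16-bit length header, the byte-wise division point, and the sample key and cover pixels are all assumptions constructed for illustration.

```python
"""Added illustration: split a root key, hide the first part in image pixels,
read it back and rebuild the key. LSB embedding is an assumed technique."""
from typing import Tuple

# Constructed sample values (not from the patent).
SAMPLE_ROOT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_COVER = bytearray(range(256)) * 2  # 512 grayscale pixel bytes


def split_root_key(root_key: bytes, first_len: int) -> Tuple[bytes, bytes]:
    """Preset division rule (assumed): first `first_len` bytes, then the rest."""
    if not 0 < first_len < len(root_key):
        raise ValueError("division point must leave two non-empty parts")
    return root_key[:first_len], root_key[first_len:]


def combine_root_key(first: bytes, second: bytes) -> bytes:
    """Inverse of the division rule above."""
    return first + second


def embed_lsb(pixels: bytes, payload: bytes) -> bytearray:
    """Write a 16-bit length header plus payload into the lowest bit of
    successive pixel bytes; every pixel changes by at most 1."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for 16-bit length header")
    data = len(payload).to_bytes(2, "big") + payload
    if len(data) * 8 > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i in range(len(data) * 8):
        bit = (data[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return out


def _read_bits(pixels: bytes, offset: int, nbytes: int) -> bytes:
    """Collect nbytes from the pixel LSBs starting at bit position offset."""
    if offset + nbytes * 8 > len(pixels):
        raise ValueError("image does not contain the declared payload")
    value = bytearray()
    for b in range(nbytes):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (pixels[offset + b * 8 + k] & 1)
        value.append(byte)
    return bytes(value)


def extract_lsb(pixels: bytes) -> bytes:
    """Recover the payload written by embed_lsb."""
    length = int.from_bytes(_read_bits(pixels, 0, 2), "big")
    return _read_bits(pixels, 16, length)


def provision_and_recover(root_key: bytes, cover: bytes) -> Tuple[bytes, bytearray]:
    """Provisioning side: split and embed. Activation side: extract and combine."""
    first, second = split_root_key(root_key, len(root_key) // 2)
    stego = embed_lsb(cover, first)        # image placed in the device QR code
    recovered_first = extract_lsb(stego)   # parsed by the scanning app
    return combine_root_key(recovered_first, second), stego


if __name__ == "__main__":
    key, stego_pixels = provision_and_recover(SAMPLE_ROOT_KEY, SAMPLE_COVER)
    print("root key rebuilt:", key == SAMPLE_ROOT_KEY)
```

In this sketch `extract_lsb` needs no secret, so anyone who knows the embedding can read the first part from the printed code; the root key stays confidential only while the second part stored in the device does.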
  • FIG. 4 is a schematic flowchart of a device anti-counterfeiting method provided by an embodiment of the present application, and the method can be applied to an activation scenario of anti-counterfeiting information of a terminal device.
  • the method can be applied to the communication system shown in FIG. 1 , and the method includes the following steps.
  • the first terminal device scans and parses the device two-dimensional code of the second terminal device to obtain the first root key.
  • the two-dimensional code of the device may be located on the body (for example, the casing) of the second terminal device, and the two-dimensional code of the device may be a QR code generated based on hardware information (for example, MAC address and device serial number, etc.) of the second terminal device.
  • an image may be embedded in the two-dimensional code of the device, the first root key may be steganographically written into the image, and the embedding of the image will not affect the normal reading of the two-dimensional code of the device.
  • the first terminal device may be installed with an app capable of parsing the key, and the app may refer to an app authorized by the manufacturer producing the second terminal device.
  • the user may log in to the app with a legal user account, and the user account may be a legal account, applied for by the user, that can be used to log in to the app.
  • the app may be a smart home app, and the smart home app may refer to a software program capable of selecting and controlling various home devices (eg, speakers, TVs, air conditioners, etc.) in the home.
  • as shown in FIG. 5, a schematic interface diagram of a smart home app installed on the first terminal device, the name of the smart home app may be "My Home".
  • the user can enter the login interface of the smart home app as shown in (b) in Figure 5 by clicking the icon "My Home", and can successfully log in to the smart home app by entering the corresponding user name and password in the login interface.
  • (c) in Figure 5 is a schematic diagram of an interface after successful login, in which the temperature and humidity of the indoor environment can be displayed, as well as various household devices that have joined the network. The household devices can include speakers, TVs, air conditioners, washing machines, water heaters, etc., and users can control the household equipment by selecting different household devices.
  • the user can use the first terminal device to scan the device QR code of the second terminal device, for example, use the app's code scanning function to scan the device two-dimensional code of the second terminal device, thereby obtaining the first root key steganographically written into the image embedded in the device two-dimensional code.
  • the user may also set the permission to use the app installed on the first terminal device.
  • the permission to use the app may include permission to parse keys, permission to access the network, permission to use the camera, permission to access the address book, and the like. For example, taking the app as "My Home" shown in Fig. 5 as an example, as shown in Fig.
  • Permissions can include multiple different permissions, such as access to the network, permission to use the camera, permission to parse keys, and permission to access the address book. Users can turn each permission on or off by clicking the corresponding on or off button for that permission.
  • when the permission to parse keys is turned on among the app's usage permissions and the app scans the device two-dimensional code of the second terminal device, the app can parse and obtain the first root key steganographically written into the image embedded in the two-dimensional code of the device.
  • S302 The first terminal device sends the first root key to the second terminal device.
  • a wireless connection can be established and bound between the first terminal device and the second terminal device.
  • the wireless connection is a Bluetooth connection or a local area network connection.
  • after the first terminal device parses and obtains the first root key, the first terminal device can send the first root key to the second terminal device via the wireless connection.
  • the second root key may be stored in the memory of the second terminal device, for example, the second root key may be stored in the code segment of the second terminal device.
  • the root key may refer to the root key issued by the network side.
  • the root key may include two parts, namely the first root key and the second root key. Specifically, the division rule by which the root key is divided into the first root key and the second root key may be set in advance.
  • the second terminal device can obtain the second root key from its own code segment, and when receiving the first root key sent by the first terminal device, the second terminal device can determine the root key according to the first root key and the second root key.
  • the second terminal device may perform corresponding combination processing on the first root key and the second root key based on the division rule of the first root key and the second root key, to get the root key.
  • the second terminal device uses the root key to decrypt the encrypted information to obtain anti-counterfeiting information, where the anti-counterfeiting information includes a UUID and a device activation certificate.
  • the UUID and the device activation certificate may be stored in the second terminal device before the second terminal device leaves the factory by the manufacturer producing the second terminal device.
  • the UUID may be used to uniquely identify the second terminal device
  • the device activation certificate (also referred to as manufacturer identification information) may refer to the identification information of the manufacturer producing the second terminal device
  • the device activation certificate may be used to identify the legitimacy of the second terminal device, for example, the device activation certificate may be the manufacturer's certificate or software token.
  • the encrypted information may be ciphertext obtained by encrypting the anti-counterfeiting information
  • the anti-counterfeiting information may refer to information used to identify the legitimacy of the second terminal device.
  • when the UUID and the device activation credential are encrypted separately, the encrypted information may include the ciphertext of the UUID and the ciphertext of the device activation credential.
  • in that case, the second terminal device can use the root key to decrypt the ciphertext of the UUID and the ciphertext of the device activation credential, respectively, to obtain the plaintext of the UUID and the plaintext of the device activation credential, that is, to obtain the UUID and the device activation certificate.
  • when the encrypted information is obtained by encrypting the UUID and the device activation certificate in the anti-counterfeiting information as a whole, the encrypted information includes the ciphertext of the whole information, and the second terminal device can use the root key to decrypt the ciphertext of the whole information to obtain the plaintext of the UUID and the plaintext of the device activation certificate, that is, to obtain the UUID and the device activation certificate.
  • the second terminal device can directly use the root key to decrypt the encrypted information;
  • the second terminal device can generate a derived key of the root key according to the same method on the network side, and use the derived key to decrypt the encrypted information.
  • the second terminal device sends the UUID and the device activation certificate to the certificate server through the cloud server, so as to complete the activation of the second terminal device.
  • the second terminal device may establish a secure connection with the cloud server, so that the second terminal device may communicate directly with the cloud server.
  • a secure connection can be established between the cloud server and the credential server, so that the cloud server and the credential server can communicate directly.
  • the second terminal device may communicate with the credential server through the cloud server.
  • the second terminal device may send the UUID and the device activation credential to the cloud server.
  • when the cloud server receives the UUID and the device activation credential, the cloud server can check whether the UUID is registered. If the UUID is not registered, the cloud server can forward the UUID and the device activation certificate to the certificate server; if the UUID is registered, the cloud server can determine that the second terminal device is an illegal device, that is, the activation of the second terminal device is unsuccessful.
  • when the credential server receives the UUID and the device activation credential, the credential server can detect whether the device activation credential corresponding to the UUID matches the device activation credential bound to the UUID stored by itself.
  • when the detection result of the credential server is a match, the credential server can determine that the second terminal device is a legitimate device, that is, the second terminal device is successfully activated; when the detection result of the credential server is a mismatch, the credential server can determine that the second terminal device is an invalid device, that is, the activation of the second terminal device is unsuccessful.
  • the certificate server may also generate a new software token for the second terminal device, and send the new software token to the cloud server.
  • the credential server may also store the new software token as a device activation credential bound to the UUID of the second terminal device.
  • the cloud server can forward the new software token to the second terminal device, so that when the second terminal device receives the new software token, it can use the root key to encrypt the new software token, and store the encrypted ciphertext of the new software token.
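The activation decision described above (UUID registration check at the cloud server, credential match at the credential server, then issue of a new software token), as an added example that is not code from the patent. The class and method names, the point at which a UUID becomes registered (on successful activation), and the sample UUIDs and tokens are assumptions constructed for illustration.

```python
"""Added illustration of the activation check: cloud server + credential server."""
import hmac
import secrets
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Result(Enum):
    ACTIVATED = "activated"
    UUID_ALREADY_REGISTERED = "rejected: UUID already registered"
    CREDENTIAL_MISMATCH = "rejected: credential does not match binding"


class CredentialServer:
    """Stores the UUID-to-credential bindings made at provisioning time."""

    def __init__(self) -> None:
        self._bound: Dict[str, bytes] = {}

    def bind(self, uuid: str, credential: bytes) -> None:
        self._bound[uuid] = credential

    def matches(self, uuid: str, credential: bytes) -> bool:
        stored = self._bound.get(uuid)
        if stored is None:
            return False  # unknown UUID: nothing to match against
        # Constant-time comparison so timing does not leak the stored token.
        return hmac.compare_digest(stored, credential)

    def issue_new_token(self, uuid: str) -> bytes:
        """Generate a new software token and store it as the bound credential."""
        token = secrets.token_bytes(16)
        self._bound[uuid] = token
        return token


class CloudServer:
    """Checks UUID registration, then forwards to the credential server."""

    def __init__(self, credential_server: CredentialServer) -> None:
        self._cs = credential_server
        self._registered: Set[str] = set()

    def activate(self, uuid: str, credential: bytes) -> Tuple[Result, Optional[bytes]]:
        if uuid in self._registered:
            # A second activation for the same UUID is treated as illegal.
            return Result.UUID_ALREADY_REGISTERED, None
        if not self._cs.matches(uuid, credential):
            return Result.CREDENTIAL_MISMATCH, None
        self._registered.add(uuid)  # assumption: registered once activated
        return Result.ACTIVATED, self._cs.issue_new_token(uuid)


def run_scenario() -> Tuple[List[Result], bool]:
    """Constructed scenario: one genuine device, one clone, two bad requests."""
    genuine = "00000000-0000-4000-8000-000000000001"   # constructed UUID
    other = "00000000-0000-4000-8000-000000000002"     # constructed UUID
    factory_token = b"constructed-factory-token"        # constructed token
    cs = CredentialServer()
    cs.bind(genuine, factory_token)
    cs.bind(other, b"constructed-other-token")
    cloud = CloudServer(cs)
    results = [
        cloud.activate(genuine, factory_token)[0],                 # genuine device
        cloud.activate(genuine, factory_token)[0],                 # clone replaying it
        cloud.activate("00000000-0000-4000-8000-0000000000ff",
                       factory_token)[0],                          # unbound UUID
        cloud.activate(other, b"wrong-token")[0],                  # wrong credential
    ]
    old_token_still_valid = cs.matches(genuine, factory_token)
    return results, old_token_still_valid


if __name__ == "__main__":
    for r in run_scenario()[0]:
        print(r.value)
```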
  • when the second terminal device needs to update the root key used to encrypt the anti-counterfeiting information, for example, when the update cycle is reached, or when the second terminal device resets the system or restores the factory settings, the second terminal device can randomly generate a key segment, for example, the second terminal device randomly generates a piece of random number information; the second terminal device uses the first root key to encrypt the random number information and the second root key to obtain a new second root key, and the first root key and the new second root key constitute the updated root key.
  • ROT1 the random number information is rand
  • ROT2' the new second root key
  • ROT2' encROT1(rand
  • means OR operation.
  • the user can use the first terminal device to scan the device QR code on the body of the second terminal device to obtain the first root key, and the root key for decrypting the anti-counterfeiting information of the second terminal device is determined according to the first root key and the second root key, so that the root key is used to decrypt the anti-counterfeiting information to obtain the UUID and the device activation certificate, and then the second terminal device may send the UUID and the device activation credential to the network side to complete the activation of the second terminal device.
  • the root key used to encrypt the anti-counterfeiting information of the second terminal device is divided into the first root key and the second root key; the first root key is steganographically written into the image and embedded in the device two-dimensional code printed on the second terminal device, and the second root key is stored in the second terminal device, so that the security of the root key is improved by dispersing the root key in different locations of the second terminal device. This increases the difficulty for malicious parties to decipher the root key, thereby greatly reducing the risk of forging the second terminal device.
  • each network element such as a terminal
  • each network element includes corresponding hardware structures and/or software modules for performing each function.
  • the present application can be implemented in the form of hardware, software or a combination of hardware and computer software with the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functionality using different methods for each particular application, but such implementations should not be considered beyond the scope of this application.
  • the terminal may be divided into functional modules according to the foregoing method examples.
  • each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module.
  • the above-mentioned integrated modules can be implemented in the form of hardware, and can also be implemented in the form of software function modules. It should be noted that, the division of modules in the embodiments of the present application is schematic, and is only a logical function division, and there may be other division manners in actual implementation. The following description will be given by taking as an example that each function module is divided corresponding to each function.
  • FIG. 7 shows a schematic structural diagram of a device anti-counterfeiting device involved in the above embodiment, and the device can implement the function of a cloud server in the method provided by the embodiment of the present application.
  • the device may be a cloud server or a device that can support the cloud server to implement the functions of the cloud server in the embodiments of the present application, for example, the device is a chip system applied in the cloud server.
  • the apparatus includes: a receiving unit 401 , a processing unit 402 and a sending unit 403 .
  • the sending unit 403 may be configured to support the apparatus to perform S204 in the foregoing method embodiments. All relevant contents of the steps involved in the foregoing method embodiments can be cited in the functional descriptions of the corresponding functional modules, which will not be repeated here.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • the receiving unit 401 in this embodiment of the present application may be a circuit, a device, an interface, a bus, a software module, a transceiver, or any other device that can implement communication.
  • the receiving unit 401 and the sending unit 403 may be a communication interface of the cloud server or of a chip system applied in the cloud server; for example, the communication interface may be a transceiver circuit.
  • the processing unit 402 may be integrated in the processor of the cloud server or of the chip system applied in the cloud server.
  • FIG. 8 is a schematic diagram of a possible logical structure of the device anti-counterfeiting device involved in the above embodiment, and the device can implement the function of the cloud server in the method provided by the embodiment of the present application.
  • the apparatus may be a cloud server or a chip system applied in the cloud server, and the apparatus includes: a processor 412 and a communication interface 413 .
  • the processor 412 is configured to control and manage the actions of the device, for example, the processor 412 is configured to execute the steps of processing messages or data on the device side. For example, the apparatus is supported in performing steps S201 to S204 in the above-described method embodiments, and/or other processes for the techniques described herein.
  • the communication interface 413 is used to support the device to communicate with other network elements.
  • the apparatus may further include a memory 411 for storing program codes and data of the apparatus.
  • the processor 412 may be a processor or a controller, such as a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array, or other programmable logic devices, transistor logic devices, hardware components or any combination thereof. It may implement or execute various exemplary logical blocks, modules and circuits described in connection with the disclosure of the embodiments of this application.
  • a processor may also be a combination that performs computing functions, such as a combination comprising one or more microprocessors, a combination of a digital signal processor and a microprocessor, and the like.
  • the communication interface 412 may be a transceiver, a transceiver circuit, a communication interface, or the like.
  • the memory 411 may be a high-speed random access memory or a non-volatile memory or the like.
  • the communication interface 413, the processor 412 and the memory 411 are connected to each other through a bus 414; the bus 414 may be a PCI bus or an EISA bus or the like.
  • the bus can be divided into address bus, data bus, control bus and so on. For ease of presentation, only one thick line is used in FIG. 8, but it does not mean that there is only one bus or one type of bus.
  • the memory 411 is used to store the program codes and data of the device.
  • the communication interface 413 is used to support the apparatus to communicate with other devices, and the processor 412 is used to enable the apparatus to execute program codes stored in the memory 411 to implement the steps in the methods provided by the embodiments of this application.
  • the memory 411 may be included in the processor 412 .
  • FIG. 9 shows a schematic structural diagram of a device anti-counterfeiting device involved in the above embodiment, and the device can implement the functions of the terminal device in the method provided by the embodiment of the present application.
  • the apparatus may be a terminal device or a device that can support the terminal device to implement the functions of the terminal device in the embodiments of the present application, for example, the device is a chip system applied in the terminal device.
  • the apparatus includes: a receiving unit 501 , a processing unit 502 and a sending unit 503 .
  • the receiving unit 501 may be used to support the apparatus in performing the step of receiving the first root key sent in S302 in the above method embodiments; the processing unit 502 may be used to support the apparatus in performing S303 and S304 in the above method embodiments; and the sending unit 503 may be used to support the apparatus in performing the step of sending the updated second root key in the above method embodiments.
  • the processing unit 502 is used to support the apparatus in performing S301 in the above method embodiments; the sending unit 503 may be used to support the apparatus in performing S302 in the above method embodiments. All relevant content of the steps involved in the foregoing method embodiments can be cited in the functional descriptions of the corresponding functional modules and is not repeated here.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • the receiving unit 501 in this embodiment of the present application may be a circuit, a device, an interface, a bus, a software module, a transceiver, or any other device that can implement communication.
  • the receiving unit 501 and the sending unit 503 may be a communication interface of the terminal device or of a chip system applied in the terminal device.
  • the communication interface may be a transceiver circuit.
  • the processing unit 502 may be integrated on the processor of the terminal device or of a chip system applied in the terminal device.
  • FIG. 10 shows a schematic diagram of a possible logical structure of the device anti-counterfeiting device involved in the above embodiment, and the device can implement the function of the terminal device in the method provided by the embodiment of the present application.
  • the apparatus may be a terminal device or a chip system applied in the terminal device, and the apparatus includes: a processor 512 and a communication interface 513 .
  • the processor 512 is configured to control and manage the actions of the device. For example, the processor 512 is configured to execute the steps of processing messages or data on the device side.
  • the processor 512 may support the apparatus in performing steps S303 and S304 in the above method embodiments, and/or other processes for the techniques described herein; when the apparatus is used to implement the function of the first terminal device in the above method embodiments, the processor 512 may support the apparatus in performing step S301 in the above method embodiments.
  • the communication interface 513 is used to support the device to communicate with other network elements.
  • the apparatus may further include a memory 511 for storing program codes and data of the apparatus.
  • the processor 512 may be a processor or a controller, such as a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array, or other programmable logic devices, transistor logic devices, hardware components or any combination thereof. It may implement or execute various exemplary logical blocks, modules and circuits described in connection with the disclosure of the embodiments of this application.
  • a processor may also be a combination that performs computing functions, such as a combination comprising one or more microprocessors, a combination of a digital signal processor and a microprocessor, and the like.
  • the communication interface 512 may be a transceiver, a transceiver circuit, a communication interface, or the like.
  • the memory 511 may be a high-speed random access memory or a non-volatile memory or the like.
  • the communication interface 513, the processor 512 and the memory 511 are connected to each other through a bus 514; the bus 514 may be a PCI bus or an EISA bus or the like.
  • the bus can be divided into address bus, data bus, control bus and so on. For ease of presentation, only one thick line is used in FIG. 10, but it does not mean that there is only one bus or one type of bus.
  • the memory 511 is used to store the program codes and data of the device.
  • the communication interface 513 is used for supporting the apparatus to communicate with other devices, and the processor 512 is used for enabling the apparatus to execute program codes stored in the memory 511 to implement the steps in the methods provided by the embodiments of the present application.
  • the memory 511 may be included in the processor 512 .
  • an embodiment of the present application further provides a communication system, which includes a credential server, a cloud server, a first terminal device and a second terminal device; wherein the cloud server is the cloud server provided in FIG. 7 or FIG. 8 and is used to execute the function of the cloud server in the method embodiments of the present application; the second terminal device is the terminal device provided in FIG. 9 or FIG. 10 and is used to execute the function of the second terminal device in the method embodiments of the present application; the first terminal device is the terminal device provided in FIG. 9 or FIG. 10 and is used to execute the function of the first terminal device in the method embodiments of the present application.
  • the root key used to encrypt the anti-counterfeiting information of the terminal device is divided into a first root key and a second root key; the first root key is steganographically written into an image embedded in the device two-dimensional code printed on the body of the terminal device, and the second root key is stored in the terminal device. Storing the root key in different locations of the terminal device in this way improves the security of the root key and makes it harder for an attacker to crack the root key, which greatly reduces the risk of the terminal device being counterfeited.
  • the methods provided in the embodiments of the present application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when implemented in software, the methods can be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of the present application are generated.
  • the computer may be a general purpose computer, special purpose computer, computer network, network appliance, or other programmable apparatus.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wirelessly (e.g., infrared, radio, microwave).
  • the computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that integrates one or more available media.
  • the usable media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., digital video discs (DVDs)), or semiconductor media (e.g., SSDs), and the like.
  • the embodiments of the present application further provide a computer-readable storage medium in which instructions are stored; when the instructions are run on a computer, the computer executes one or more steps of the terminal in the foregoing method embodiments.
  • Embodiments of the present application also provide a computer program product containing instructions, which, when run on a computer, cause the computer to execute one or more steps of the terminal in the foregoing method embodiments.

Abstract

A method and apparatus for device anti-counterfeiting, relating to the technical field of communications. The present invention is used for improving the security of anti-counterfeiting information of a terminal device, and reducing the risk that the terminal device is counterfeited. The method comprises: a cloud server obtains a root key and a device activation certificate from a certificate server, the root key being used for encrypting the anti-counterfeiting information of the terminal device, and the anti-counterfeiting information comprising a UUID and the device activation certificate (S201); the cloud server encrypts the UUID and the device activation certificate according to the root key to obtain encryption information (S202); the cloud server performs steganography of a first root key to a device QR code of the terminal device, the first root key being a partial key of the root key (S203); and the cloud server sends the device QR code, a second root key and the encryption information, the second root key and the first root key constituting the root key.

Description

Device Anti-counterfeiting Method and Apparatus
This application claims priority to Chinese patent application No. 202010603829.6, entitled "Device Anti-counterfeiting Method and Apparatus" and filed with the China National Intellectual Property Administration on June 29, 2020, the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of communication technologies, and in particular, to a device anti-counterfeiting method and apparatus.
Background
With the arrival of the Internet of Things era, a massive number of terminal devices are connected to the network, such as smart TVs, smart air conditioners, smart refrigerators, smart cameras, smart speakers, smart sockets and smart lamps. To ensure the legitimacy of terminal devices and the security of the network, the device manufacturer usually activates the anti-counterfeiting capability of a terminal device during its initialization stage; later, when the terminal device accesses the network, its legitimacy can be verified through anti-counterfeiting authentication. At present, for a terminal device with little storage space, a built-in device activation credential is usually used for anti-counterfeiting verification, and the device activation credential is encrypted with a key generated in a hard-coded manner. However, a key generated in a hard-coded manner can easily be recovered by criminals through reverse engineering, who can then decrypt the device activation credential, forge the terminal device, and even hijack the entire network. Therefore, deploying anti-counterfeiting capability for such terminal devices with little storage space has become an important link affecting the security of the entire network.
Summary of the Invention
The present application provides a device anti-counterfeiting method and apparatus, which are used to improve the security of the anti-counterfeiting information of a terminal device and reduce the risk of the terminal device being counterfeited.
To achieve the above objective, the present application adopts the following technical solutions:
In a first aspect, a device anti-counterfeiting method is provided. The method includes: a cloud server obtains a root key and a device activation credential from a credential server, where the root key is used to encrypt anti-counterfeiting information of a terminal device, and the anti-counterfeiting information includes a universally unique identifier (UUID) and the device activation credential; for example, the device activation credential may be a software token or a certificate. The cloud server encrypts the UUID and the device activation credential according to the root key to obtain encrypted information. The cloud server steganographically writes a first root key into the device two-dimensional code of the terminal device (for example, an image is embedded in the device two-dimensional code, and the first root key is steganographically written in the image), where the first root key is a partial key of the root key. The cloud server sends the device two-dimensional code, a second root key and the encrypted information, where the second root key is a partial key of the root key and, together with the first root key, constitutes the root key; the device two-dimensional code can be printed on the body of the terminal device, and the second root key and the encrypted information are to be stored in the terminal device.
In the above technical solution, the root key used to encrypt the anti-counterfeiting information of the terminal device can be divided into a first root key and a second root key. The first root key is steganographically written in the device two-dimensional code on the body of the terminal device, and the second root key is stored in the terminal device. Storing the root key in different locations of the terminal device in this way improves the security of the root key and makes it harder for an attacker to crack the root key, which greatly reduces the risk of the terminal device being counterfeited.
In a possible implementation of the first aspect, the cloud server encrypting the UUID and the device activation credential according to the root key to obtain the encrypted information includes: the cloud server directly uses the root key to encrypt the UUID and the device activation credential to obtain the encrypted information; or the cloud server uses a key derived from the root key to encrypt the UUID and the device activation credential to obtain the encrypted information. In this possible implementation, the cloud server can encrypt the UUID and the device activation credential either with the root key directly or with a key derived from the root key, which makes the cloud server's use of the root key more flexible; in addition, encrypting with a key derived from the root key can further improve the security of the encrypted information.
In a possible implementation of the first aspect, the method further includes: the cloud server generates the device two-dimensional code according to hardware information of the terminal device, where the hardware information includes a media access control (MAC) address and/or a device serial number. In this possible implementation, the user can obtain the hardware information of the terminal device by scanning the device two-dimensional code, which makes it more convenient for the user to learn the hardware information of the terminal device and improves the user experience.
In a possible implementation of the first aspect, the device activation credential is a software token or a certificate. This possible implementation supports device anti-counterfeiting for terminal devices that use a software token or a certificate as the device activation credential.
In a possible implementation of the first aspect, the terminal device is a smart home device. This possible implementation can improve the security of the anti-counterfeiting information of the smart home device and reduce the risk of the terminal device being counterfeited.
In a second aspect, a device anti-counterfeiting method is provided. The method includes: a second terminal device receives a first root key from a first terminal device, where the first root key is steganographically written in the device two-dimensional code of the second terminal device (for example, an image is embedded in the device two-dimensional code, and the first root key is steganographically written in the image), and the device two-dimensional code can be printed on the body of the second terminal device. The second terminal device determines a root key according to the first root key and a second root key that it stores itself. The second terminal device uses the root key to decrypt the encrypted information corresponding to the anti-counterfeiting information of the second terminal device to obtain the anti-counterfeiting information, where the anti-counterfeiting information includes a universally unique identifier (UUID) and a device activation credential. The second terminal device activates itself according to the UUID and the device activation credential.
In the above technical solution, the root key used to encrypt the anti-counterfeiting information of the second terminal device can be divided into a first root key and a second root key. The first root key is steganographically written in the device two-dimensional code on the body of the second terminal device, and the second root key is stored in the second terminal device. Storing the root key in different locations of the second terminal device in this way improves the security of the root key and makes it harder for an attacker to crack the root key, which greatly reduces the risk of the second terminal device being counterfeited.
In a possible implementation of the second aspect, the method further includes: when a preset update condition is met, the second terminal device uses the first root key to update the second root key. Optionally, the preset update condition includes at least one of the following: the system of the second terminal device is reset, the second terminal device is restored to factory settings, or the second terminal device receives a new device activation credential. In this possible implementation, the second terminal device can update the second root key to ensure the validity and security of the second root key, thereby improving the security of the root key.
In a possible implementation of the second aspect, the method further includes: the second terminal device sends the second root key to the cloud server. This possible implementation ensures that the cloud server obtains a secure and valid second root key.
In a possible implementation of the second aspect, the device two-dimensional code is generated based on hardware information of the second terminal device, where the hardware information includes a media access control (MAC) address and/or a device serial number. In this possible implementation, the user can obtain the hardware information of the terminal device by scanning the device two-dimensional code, which makes it more convenient for the user to learn the hardware information of the terminal device and improves the user experience.
In a possible implementation of the second aspect, the second terminal device using the root key to decrypt the encrypted information corresponding to the anti-counterfeiting information of the second terminal device includes: the second terminal device directly uses the root key to decrypt the encrypted information corresponding to the anti-counterfeiting information of the second terminal device; or the second terminal device directly uses a key derived from the root key to decrypt the encrypted information corresponding to the anti-counterfeiting information of the second terminal device. In this possible implementation, the second terminal device can decrypt the UUID and the device activation credential either with the root key directly or with a key derived from the root key, which makes the second terminal device's use of the root key more flexible; in addition, decrypting with a key derived from the root key can further improve the security of the encrypted information.
In a possible implementation of the second aspect, the device activation credential is a software token or a certificate. This possible implementation supports device anti-counterfeiting for terminal devices that use a software token or a certificate as the device activation credential.
In a possible implementation of the second aspect, the second terminal device is a smart home device. This possible implementation can improve the security of the anti-counterfeiting information of the smart home device and reduce the risk of the terminal device being counterfeited.
In a third aspect, a device anti-counterfeiting method is provided. The method includes: a first terminal device scans the device two-dimensional code of a second terminal device to obtain a first root key, where the first root key is steganographically written in the device two-dimensional code (for example, an image is embedded in the device two-dimensional code, and the first root key is steganographically written in the image), and the device two-dimensional code can be printed on the body of the second terminal device. The first terminal device sends the first root key to the second terminal device, where the first root key and a second root key stored in the second terminal device constitute a root key, the root key is used to decrypt the encrypted information corresponding to the anti-counterfeiting information of the second terminal device, and the anti-counterfeiting information includes a universally unique identifier (UUID) and a device activation credential.
In the above technical solution, the root key used to encrypt the anti-counterfeiting information of the second terminal device can be divided into a first root key and a second root key. The first root key is steganographically written in the device two-dimensional code of the second terminal device (for example, an image is embedded in the device two-dimensional code, and the first root key is steganographically written in the image), and the second root key is stored in the second terminal device. Storing the root key in different locations of the second terminal device in this way improves the security of the root key and makes it harder for an attacker to crack the root key, which greatly reduces the risk of the second terminal device being counterfeited.
In a possible implementation of the third aspect, the device two-dimensional code is generated based on hardware information of the second terminal device, where the hardware information includes a media access control (MAC) address and/or a device serial number. In this possible implementation, the user can obtain the hardware information of the terminal device by scanning the device two-dimensional code, which makes it more convenient for the user to learn the hardware information of the terminal device and improves the user experience.
In a possible implementation of the third aspect, the second root key and the encrypted information are stored in the second terminal device.
In a possible implementation of the third aspect, the device activation credential is a software token or a certificate. This possible implementation can improve the security of the anti-counterfeiting information of the smart home device and reduce the risk of the terminal device being counterfeited.
In a possible implementation of the third aspect, the second terminal device is a smart home device. This possible implementation supports device anti-counterfeiting for terminal devices that use a software token or a certificate as the device activation credential.
In a fourth aspect, a device anti-counterfeiting method is provided. The method is applied in a communication system that includes a credential server, a cloud server, a first terminal device and a second terminal device. The credential server can be used to allocate a root key and a device activation credential to the second terminal device; the cloud server can be used to execute the method provided by the first aspect or any possible implementation of the first aspect; the second terminal device can be used to execute the method provided by the second aspect or any possible implementation of the second aspect; and the first terminal device can be used to execute the method provided by the third aspect or any possible implementation of the third aspect.
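The following is an added illustration of the flow in the first to third aspects, written for this page and not taken from the patent: the cloud side splits the root key, hides the first part in image pixels and encrypts the UUID and credential with keys derived from the root key; the device side recombines the two parts and decrypts. Assumptions: a 32-byte root key split in half, least-significant-bit embedding in raw greyscale pixel bytes, HKDF as the derivation step, and a standard-library HMAC-based encrypt-then-MAC construction standing in for a real AEAD cipher such as AES-GCM; all function names are hypothetical.

```python
import hashlib
import hmac
import os

KEY_LEN = 32         # assumed root-key size; the page does not fix one
HALF = KEY_LEN // 2  # assumed split point between the two partial keys


def hkdf(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869, zero salt): the 'derived key' option."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher (HMAC in counter mode); use an AEAD in practice.
    out = b""
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
    return out[:n]


def seal(root_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from the root key."""
    enc_key, mac_key = hkdf(root_key, b"enc"), hkdf(root_key, b"mac")
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(root_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong partial key fails here, not silently."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = hkdf(root_key, b"enc"), hkdf(root_key, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong root key or modified encrypted information")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def embed_lsb(pixels: bytes, secret: bytes) -> bytes:
    """Hide `secret` in the lowest bit of successive pixel bytes."""
    bits = [(byte >> (7 - i)) & 1 for byte in secret for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("image too small for the first root key")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels: bytes, n_bytes: int) -> bytes:
    out = bytearray()
    for i in range(n_bytes):
        value = 0
        for pixel in pixels[i * 8:(i + 1) * 8]:
            value = (value << 1) | (pixel & 1)
        out.append(value)
    return bytes(out)


def provision(root_key: bytes, device_uuid: str, credential: bytes,
              image_pixels: bytes):
    """Cloud side: returns (image for the printed code, second key, blob)."""
    first, second = root_key[:HALF], root_key[HALF:]
    blob = seal(root_key, device_uuid.encode() + b"\n" + credential)
    return embed_lsb(image_pixels, first), second, blob


def activate(scanned_pixels: bytes, stored_second: bytes, blob: bytes):
    """Device side: recombine the partial keys and recover UUID + credential."""
    root_key = extract_lsb(scanned_pixels, HALF) + stored_second
    device_uuid, credential = unseal(root_key, blob).split(b"\n", 1)
    return device_uuid.decode(), credential


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    image = bytes([200] * 256)
    code, second, blob = provision(os.urandom(KEY_LEN),
                                   "123e4567-e89b-12d3-a456-426614174000",
                                   b"constructed-token", image)
    print(activate(code, second, blob))
```

The example works on pixel bytes directly and does not model printing and camera capture, which a deployed embedding would have to survive.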
第五方面,提供一种设备防伪装置,该装置作为云服务器,包括:接收单元,用于从凭证服务器获取根密钥和设备激活凭证,该根密钥用于加密终端设备的防伪信息,该防伪信息包括通用唯一识别码UUID和设备激活凭证;处理单元,用于根据根密钥加密UUID和设备激活凭证,得到加密信息;处理单元,还用于将第一根密钥隐写到终端设备的设备二维码中(比如,该设备二维码中嵌入有图像,第一根密钥隐写在该图像中),第一根密钥为根密钥的部分密钥,该设备二维码可以被打印在该终端设备的机身;发送单元,用于发送设备二维码、第二根密钥和加密信息,第二根密钥为根密钥的部分密钥且与第一根密钥构成根密钥。In a fifth aspect, a device anti-counterfeiting device is provided. As a cloud server, the device includes: a receiving unit configured to obtain a root key and a device activation certificate from a certificate server, where the root key is used to encrypt anti-counterfeiting information of a terminal device, the The anti-counterfeiting information includes the universal unique identification code UUID and the device activation certificate; the processing unit is used to encrypt the UUID and the device activation certificate according to the root key to obtain encrypted information; the processing unit is also used to steganographically write the first root key to the terminal device In the device QR code of the device (for example, the device QR code is embedded with an image, and the first root key is steganographically written in the image), the first root key is a partial key of the root key, and the device QR code The code can be printed on the body of the terminal device; the sending unit is used to send the device two-dimensional code, the second root key and encrypted information, and the second root key is a partial key of the root key and is the same as the first root key. The key constitutes the root key.
在第五方面的一种可能的实现方式中,第二根密钥和加密信息存储在该终端设备中。In a possible implementation manner of the fifth aspect, the second root key and encrypted information are stored in the terminal device.
In a possible implementation of the fifth aspect, the processing unit is further configured to: encrypt the UUID and the device activation credential directly with the root key to obtain the encrypted information; or encrypt the UUID and the device activation credential with a key derived from the root key to obtain the encrypted information.
In a possible implementation of the fifth aspect, the processing unit is further configured to generate the device two-dimensional code according to hardware information of the terminal device, where the hardware information includes a media access control (MAC) address and/or a device serial number.
In a sixth aspect, a device anti-counterfeiting apparatus is provided. The apparatus includes: a receiving unit, configured to receive a first root key from a first terminal device, where the first root key is steganographically written in a device two-dimensional code of a second terminal device (for example, an image is embedded in the device two-dimensional code and the first root key is steganographically written in that image), and the device two-dimensional code can be printed on the body of the second terminal device; a processing unit, configured to determine a root key according to the first root key and a second root key stored by the apparatus itself; the processing unit being further configured to decrypt, according to the root key, encrypted information corresponding to anti-counterfeiting information of the second terminal device to obtain the anti-counterfeiting information, where the anti-counterfeiting information includes a universally unique identifier (UUID) and a device activation credential, the device activation credential being, for example, a software token or a certificate; and the processing unit being further configured to activate the second terminal device according to the UUID and the device activation credential.
In a possible implementation of the sixth aspect, the processing unit is further configured so that, when a preset update condition is met, the second terminal device updates the second root key according to the first root key.
In a possible implementation of the sixth aspect, the apparatus further includes a sending unit, configured to send the second root key to the cloud server.
In a possible implementation of the sixth aspect, the preset update condition includes at least one of the following: the system of the second terminal device is reset, the second terminal device is restored to factory settings, or the second terminal device receives a new device activation credential.
In a possible implementation of the sixth aspect, the device two-dimensional code is generated based on hardware information of the second terminal device, where the hardware information includes a media access control (MAC) address and/or a device serial number.
In a possible implementation of the sixth aspect, the processing unit is further configured to: decrypt the encrypted information corresponding to the anti-counterfeiting information of the second terminal device directly with the root key; or decrypt the encrypted information corresponding to the anti-counterfeiting information of the second terminal device directly with a key derived from the root key.
In a seventh aspect, a device anti-counterfeiting apparatus is provided. The apparatus includes: a processing unit, configured to scan a device two-dimensional code of a second terminal device to obtain a first root key, where the first root key is steganographically written in the device two-dimensional code (for example, an image is embedded in the device two-dimensional code and the first root key is steganographically written in that image), and the device two-dimensional code can be printed on the body of the second terminal device; and a sending unit, configured to send the first root key to the second terminal device, where the first root key and a second root key stored in the second terminal device constitute a root key, the root key is used to decrypt encrypted information corresponding to anti-counterfeiting information of the second terminal device, and the anti-counterfeiting information includes a universally unique identifier (UUID) and a device activation credential.
In a possible implementation of the seventh aspect, the device two-dimensional code is generated based on hardware information of the second terminal device, where the hardware information includes a media access control (MAC) address and/or a device serial number.
In a possible implementation of the seventh aspect, the second root key and the encrypted information are stored in the second terminal device.
In a possible implementation of the seventh aspect, the device activation credential is a software token or a certificate.
In a possible implementation of the seventh aspect, the second terminal device is a smart home device.
In yet another aspect of the present application, a device anti-counterfeiting apparatus is provided. The apparatus is a cloud server or a chip built into a cloud server, and includes a memory and a processor coupled to the memory. The memory stores code and data, and the processor runs the code in the memory so that the apparatus executes the device anti-counterfeiting method provided by the first aspect or any possible implementation of the first aspect.
In yet another aspect of the present application, a device anti-counterfeiting apparatus is provided. The apparatus is a second terminal device or a chip built into a second terminal device, and includes a memory and a processor coupled to the memory. The memory stores code and data, and the processor runs the code in the memory so that the apparatus executes the device anti-counterfeiting method provided by the second aspect or any possible implementation of the second aspect.
In yet another aspect of the present application, a device anti-counterfeiting apparatus is provided. The apparatus is a first terminal device or a chip built into a first terminal device, and includes a memory and a processor coupled to the memory. The memory stores code and data, and the processor runs the code in the memory so that the apparatus executes the device anti-counterfeiting method provided by the third aspect or any possible implementation of the third aspect.
In yet another aspect of the present application, a communication system is provided. The communication system includes a credential server, a cloud server, a first terminal device and a second terminal device. The cloud server is the cloud server provided in any of the above aspects and is used to execute the method provided by the first aspect or any possible implementation of the first aspect; the second terminal device is the second terminal device provided in any of the above aspects and is used to execute the method provided by the second aspect or any possible implementation of the second aspect; the first terminal device is the first terminal device provided in any of the above aspects and is used to execute the method provided by the third aspect or any possible implementation of the third aspect.
In yet another aspect of the present application, a readable storage medium is provided. The readable storage medium stores instructions which, when the readable storage medium is run on a device, cause the device to execute the method provided by any one of the first to third aspects above or by any possible implementation thereof.
In yet another aspect of the present application, a computer program product is provided. When the computer program product runs on a computer, it causes the computer to execute the method provided by any one of the first to third aspects above or by any possible implementation thereof.
It can be understood that the apparatus, computer storage medium and computer program product for any of the device anti-counterfeiting methods provided above are all used to execute the corresponding method provided above. For the beneficial effects they can achieve, refer to the beneficial effects of the corresponding method provided above; details are not repeated here.
Description of drawings
FIG. 1 is a schematic structural diagram of a communication system provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of a device anti-counterfeiting method provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of a device two-dimensional code provided by an embodiment of the present application;
FIG. 4 is a schematic flowchart of another device anti-counterfeiting method provided by an embodiment of the present application;
FIG. 5 is a schematic interface diagram of a terminal device provided by an embodiment of the present application;
FIG. 6 is a schematic interface diagram of another terminal device provided by an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a cloud server provided by an embodiment of the present application;
FIG. 8 is a schematic structural diagram of another cloud server provided by an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a terminal device provided by an embodiment of the present application;
FIG. 10 is a schematic structural diagram of another terminal device provided by an embodiment of the present application.
Detailed description
In this application, "at least one" means one or more, and "a plurality of" means two or more. "And/or" describes an association between associated objects and indicates that three relationships are possible; for example, "A and/or B" can mean: A alone, both A and B, or B alone, where A and B can each be singular or plural. The character "/" generally indicates an "or" relationship between the objects before and after it. "At least one of the following items" or similar expressions refer to any combination of these items, including any combination of a single item or plural items. For example, at least one of a, b or c can mean: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b and c can each be single or multiple.
It should be noted that, in this application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described in this application as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, words such as "exemplary" or "for example" are intended to present the related concepts in a concrete manner.
The technical solutions provided by the present application can be applied to the burning scenario, the activation scenario and the update scenario of the anti-counterfeiting information of a terminal device. The burning scenario is the one in which, before the terminal device leaves the factory, its manufacturer stores or burns the anti-counterfeiting information, or related information such as the key used to encrypt the anti-counterfeiting information, into the terminal device; for example, the key used to encrypt the anti-counterfeiting information is integrated into the memory of the terminal device by hard coding. The activation scenario is the one in which, after the terminal device leaves the factory, a user using the terminal device obtains its anti-counterfeiting information and activates the terminal device in the network according to that information. The update scenario is the one in which the anti-counterfeiting information of the terminal device is replaced and the replaced anti-counterfeiting information is updated to the network. In addition, the anti-counterfeiting information may include a universally unique identifier (UUID) and a device activation credential. The device activation credential may be credential information that guarantees the legitimacy and security of the terminal device and is produced, based on public key infrastructure (PKI) technology and/or certification authority (CA) technology, by means such as digital certificates, digital signatures, data encryption and security credentials.
Optionally, the activation credential of a device (which may also be referred to as anti-counterfeiting information) falls into two types according to the security capability of the device: the first is a software token (license) issued by the manufacturer, and the second is a certificate issued by the manufacturer. The activation credential is mainly used to prove that the device was produced by a legitimate manufacturer. A software token is a random character string that the manufacturer issues for the device and burns into the device during production. During device activation, the software token of the device must be compared with the token on the server side, and only after the comparison passes can activation proceed to the next step. The software token approach places relatively low requirements on the computing power of the device. A certificate is a digital certificate that the manufacturer issues for the device and is a way to verify, at activation, whether the device manufacturer is legitimate. Compared with a software token it is more secure and reliable, but it places higher requirements on the computing power of the device. The two kinds of activation credential suit different device types: for example, a software token suits a device with low computing power, and a certificate suits a device with higher computing power.
In this application, the above terminal device can be a device with a wireless communication function. It can be deployed on land, including indoors or outdoors, handheld or vehicle-mounted; on the water (for example, on ships); or in the air (for example, on airplanes, balloons and satellites). The terminal device may also be referred to as user equipment (UE), a terminal, an electronic device, or the like. For example, the terminal device includes a handheld device with a wireless connection function, a vehicle-mounted device, and so on. In one example, the terminal device may include: a mobile phone, a tablet computer, a notebook computer, a palmtop computer, a mobile internet device (MID), a wearable device (such as a smart watch, a smart bracelet or a pedometer), in-vehicle equipment (for example, in cars, bicycles, electric vehicles, airplanes, ships, trains and high-speed trains), a virtual reality (VR) device, an augmented reality (AR) device, a wireless terminal in industrial control, a smart home device (such as a refrigerator, TV, air conditioner or electricity meter), an intelligent robot, workshop equipment, a wireless terminal in self-driving, a wireless terminal in remote medical surgery, a wireless terminal device in a smart grid, a wireless terminal device in transportation safety, a wireless terminal device in a smart city, a wireless terminal device in a smart home, a flying device (for example, an intelligent robot, hot air balloon, drone or airplane), and so on. In one possible application scenario of the present application, the terminal device is one that often works on the ground, such as a vehicle-mounted device. In this application, for ease of description, chips deployed in the above devices, such as a system-on-a-chip (SOC) or a baseband chip, or other chips with a communication function, may also be referred to as terminal devices.
As a possible example, in this embodiment of the present application the terminal device may also include a wearable device. A wearable device, also called a wearable smart device, is a general term for devices that apply wearable technology to the intelligent design of everyday wear, such as glasses, gloves, watches, clothing and shoes. A wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. It is not only a hardware device; it also delivers powerful functions through software support, data interaction and cloud interaction. In a broad sense, wearable smart devices include devices that are full-featured, large in size and able to implement complete or partial functions without relying on a smartphone, such as smart watches or smart glasses, as well as devices that focus on only one type of application function and need to be used with another device such as a smartphone, such as the various smart bracelets and smart jewelry used for physical sign monitoring.
As another possible example, in this embodiment of the present application the terminal device may also include a smart home device, meaning any of the various home devices used in a smart home. For example, smart home devices can include smart anti-theft products such as smart locks, which coordinate with various alarms and detectors and trigger alarm information when armed, providing security and theft protection. Smart home devices can also include smart lighting products such as smart lights, whose on/off state the user can view and control directly from a terminal device such as a mobile phone or tablet computer. They can also include home appliance control products such as a smart home appliance controller, which associates infrared wireless signals so that a terminal device can control any device that uses an infrared remote control, such as a TV, air conditioner or electric curtain. In addition, smart home devices can include an air quality sensor: the user can view the indoor temperature, humidity and environmental conditions monitored by the sensor in the app on the terminal device, and can link other electrical equipment in the home to improve the indoor environment. Further, smart home devices can include a mobile phone smart door lock: the user only needs to take out a terminal device such as a mobile phone or tablet computer and enter a password to unlock automatically, and can also unlock remotely for family members or visitors. As an example, an application (app) for selecting and controlling various smart home devices is installed on the user's mobile phone, and the user's smart TV and the mobile phone are connected to the same network. The user can select the control interface of the smart TV in the app. If the control interface includes buttons such as power on, power off, volume +, volume -, next program and previous program, the user can tap the power on or power off button to turn the smart TV on or off, tap the volume + or volume - button to raise or lower its playback volume, or tap the next program or previous program button to switch the program being played.
FIG. 1 is a schematic structural diagram of a communication system provided by an embodiment of the present application. The communication system may include a credential server 101, a cloud server 102, a first terminal device 103 and a second terminal device 104.
The credential server 101 is a server responsible for services such as issuing and managing the credential information of terminal devices. For example, the credential server 101 can be used to generate, assign, store and/or authenticate the device activation credential of a terminal device, and it can be provided by the manufacturer of the terminal device. The cloud server 102 is a server that provides cloud services for terminal devices. It can be provided by the manufacturer of the terminal device or by a third party, and can be used to forward to a terminal device the device activation credential that the credential server 101 assigns to or generates for that terminal device. The first terminal device 103 and the second terminal device 104 are both terminal devices; they can communicate with the cloud server 102 and, through the cloud server 102, with the credential server 101.
In this application, both the first terminal device 103 and the second terminal device 104 may be terminal devices as described above. For ease of description, terminal devices are divided here into the first terminal device 103 and the second terminal device 104, where the first terminal device 103 is a terminal device that can be used to control the second terminal device 104. For example, the second terminal device 104 may be a smart home device such as a TV, air conditioner, refrigerator, camera, smart speaker, smart socket or smart lamp, and the first terminal device 103 may be a terminal device such as a smartphone, tablet computer or palmtop computer on which a smart home application (app) is installed; the first terminal device 103 can control the second terminal device 104 through the smart home app. The smart home app here is a software program that can select and control the various home devices in a home, and it can be installed on a terminal device. It may be an app already installed on the first terminal device 103 when it leaves the factory, or an app that the user downloads from the network or obtains from another device and installs while using the first terminal device 103.
FIG. 2 is a schematic flowchart of a device anti-counterfeiting method provided by an embodiment of the present application. The method can be applied to the burning scenario of the anti-counterfeiting information of a terminal device and to the communication system shown in FIG. 1. The method includes the following steps.
S201: The cloud server obtains a root key and a device activation credential from the credential server. The root key is used to encrypt the anti-counterfeiting information of the terminal device, and the anti-counterfeiting information may include a universally unique identifier (UUID) and the device activation credential.
The UUID of the terminal device can be used to uniquely identify the terminal device. The device activation credential of the terminal device (which may also be referred to as manufacturer identification information) can be the identification information of the manufacturer that produces the terminal device, and can be used to indicate the legitimacy of the terminal device; for example, the device activation credential may be the manufacturer's certificate or software token.
Specifically, once the cloud server has established a secure connection with the credential server, the cloud server can request the device activation credential and root key (ROT) of the terminal device from the credential server. For example, the cloud server can send the credential server request information that carries the identifier of the terminal device and requests the device activation credential and root key of the terminal device. On receiving the request information, the credential server can assign a root key to the terminal device and send the device activation credential and the root key to the cloud server. On receiving the device activation credential and the root key, the cloud server can assign a UUID to the terminal device and bind the UUID to the device activation credential. The cloud server can then send the binding between the UUID and the device activation credential to the credential server, which can store that information when it receives it.
S202: The cloud server encrypts the UUID and the device activation credential according to the root key to obtain encrypted information.
After the cloud server has received the root key and the device activation credential and has assigned a UUID to the terminal device, it can use the root key to encrypt the UUID and the device activation credential separately: it encrypts the UUID with the root key to obtain the ciphertext of the UUID, and encrypts the device activation credential with the root key to obtain the ciphertext of the device activation credential. The two ciphertexts together are the encrypted information. Alternatively, the cloud server can treat the UUID and the device activation credential as a single piece of information and encrypt it as a whole with the root key; the resulting ciphertext is the encrypted information.
Optionally, when the cloud server encrypts the UUID and the device activation credential, it may use the root key directly or use a derived key of the root key, where the derived key may be a key generated based on the root key. For example, if the root key is key 1, the derived key may be the key obtained by cyclically shifting key 1, or the key obtained by an AND operation between key 1 and a fixed value, and so on. The embodiments of this application do not specifically limit this.
S203: The cloud server steganographically writes the first root key into an image and embeds the image in the device QR code, where the first root key is part of the root key.
The root key may comprise two parts: the first part may be called the first root key and the second part the second root key. The cloud server may obtain the two parts by dividing the root key according to a root key division rule, which may be preset. For example, if the root key is 8 binary digits, the first root key may be the first four binary digits and the second root key may be the last four binary digits.
In addition, the image into which the first root key is steganographically written may be a random image or an image related to the terminal device, for example an image of the logo of the manufacturer that produces the terminal device. The image may also be specified by the manufacturer of the terminal device. The embodiments of this application do not specifically limit the image used for this purpose.
Furthermore, the device QR code may be a QR code generated from the hardware information of the terminal device; for example, the hardware information may include the media access control (MAC) address and the device serial number of the terminal device. The device QR code may be generated by the cloud server, or generated by another device and sent to the cloud server.
Specifically, the cloud server may divide the root key into the first root key and the second root key according to the root key division rule described above. The cloud server may use a data steganography technique to write the first root key into the image and generate the device QR code from the hardware information of the terminal device; it then embeds the image carrying the first root key in the device QR code. The embedded image does not affect normal reading of the device QR code. For example, FIG. 3 is a schematic diagram of a device QR code provided by an embodiment of this application, in which the image carrying the first root key may be embedded in the middle area of the device QR code.
S204: The cloud server sends the device QR code, the second root key and the encrypted information to the terminal device, so that the device QR code is printed on the body of the terminal device and the second root key and the encrypted information are stored in the terminal device.
Once the cloud server has the device QR code (with the embedded image carrying the first root key) and the encrypted information, it may send the device QR code, the second root key and the encrypted information to the terminal device. The cloud server may send all of this information at once, or it may send it in several transmissions, each carrying only part of the information. For example, the cloud server sends the device QR code in the first transmission and the second root key and the encrypted information in the second transmission.
When the terminal device receives the device QR code, the second root key and the encrypted information, the manufacturer of the terminal device may print the device QR code on the body (for example, the casing) of the terminal device and write the second root key and the encrypted information into the terminal device by hard coding or a similar method, for example into the code segment of the terminal device.
In the embodiments of this application, before the terminal device leaves the factory, the root key used to encrypt the anti-counterfeiting information of the terminal device may be divided into a first root key and a second root key. The first root key is steganographically written into an image that is embedded in the device QR code printed on the body of the terminal device, and the second root key is stored in the terminal device. Storing the parts of the root key in different locations of the terminal device improves the security of the root key and makes it harder for an attacker to crack it, which greatly reduces the risk of the terminal device being counterfeited.
FIG. 4 is a schematic flowchart of a device anti-counterfeiting method provided by an embodiment of this application. The method may be applied in a scenario where the anti-counterfeiting information of a terminal device is activated, and may be applied in the communication system shown in FIG. 1. The method includes the following steps.
S301: The first terminal device scans and parses the device QR code of the second terminal device to obtain the first root key.
The device QR code may be located on the body (for example, the casing) of the second terminal device, and may be a QR code generated from the hardware information of the second terminal device (for example, the MAC address and the device serial number). An image may be embedded in the device QR code, and the first root key may be steganographically hidden in that image; the embedded image does not affect normal reading of the device QR code.
In addition, an app capable of parsing the key may be installed on the first terminal device. The app may be one authorized by the manufacturer of the second terminal device, and the user may log in to it with a legitimate user account, that is, an account the user has applied for and that is permitted to log in to the app. For example, the app may be a smart home app, meaning a software program that can select and control the various household devices in a home (for example, speakers, televisions and air conditioners).
As an example, (a) in FIG. 5 is a schematic diagram of an interface of a smart home app installed on the first terminal device; the app may be named "My Home". By tapping the "My Home" icon, the user enters the login interface of the smart home app shown in (b) in FIG. 5, and can log in to the app by entering the corresponding user name and password. (c) in FIG. 5 is a schematic diagram of the interface after a successful login. This interface may display the temperature and humidity of the indoor environment and the household devices that have joined the network, for example speakers, televisions, air conditioners, washing machines and water heaters; the user can control a household device by selecting it.
Specifically, after logging in to a user account on the key-parsing app installed on the first terminal device, the user may use the first terminal device to scan the device QR code of the second terminal device, for example with the app's scan function, and thereby obtain the first root key steganographically hidden in the image embedded in the device QR code. Optionally, the user may also set the permissions of the app installed on the first terminal device; these may include the key-parsing permission, the network access permission, the camera permission, the address book permission and so on. Taking the "My Home" app shown in FIG. 5 as an example, as shown in FIG. 6 the user can set the permissions of "My Home" in the "Settings" option of the first terminal device. The permissions may include network access, camera use, key parsing and address book access, and the user turns each permission on or off with its corresponding switch. When the key-parsing permission is turned on, the app can, on scanning the device QR code of the second terminal device, parse out the first root key hidden in the image embedded in the device QR code.
S302: The first terminal device sends the first root key to the second terminal device.
A wireless connection may be established and bound between the first terminal device and the second terminal device; the wireless connection may be a Bluetooth connection, a local area network connection or the like. Once the first terminal device has parsed out the first root key, it may send the first root key to the second terminal device over the wireless connection.
S303: On receiving the first root key, the second terminal device determines the root key from the first root key and the second root key.
The second root key may be stored in the memory of the second terminal device, for example in the code segment of the second terminal device. The root key may be the root key issued by the network side and may comprise two parts, namely the first root key and the second root key; the rule by which the root key is divided into these two parts may be set in advance.
Specifically, the second terminal device may obtain the second root key from its own code segment. On receiving the first root key sent by the first terminal device, it may determine the root key from the first root key and the second root key; for example, based on the rule by which the two were divided, it may combine the first root key and the second root key accordingly to obtain the root key.
S304: The second terminal device uses the root key to decrypt the encrypted information and obtain the anti-counterfeiting information, which includes the UUID and the device activation credential.
The UUID and the device activation credential may have been stored in the second terminal device by its manufacturer before the device left the factory. The UUID may be used to uniquely identify the second terminal device. The device activation credential (which may also be called manufacturer identification information) may be identification information of the manufacturer of the second terminal device and may be used to indicate the legitimacy of the second terminal device; for example, it may be the manufacturer's certificate or a software token.
In addition, the encrypted information may be the ciphertext of the anti-counterfeiting information, and the anti-counterfeiting information may be information used to verify the legitimacy of the second terminal device. When the encrypted information was obtained by encrypting the UUID and the device activation credential separately, it may include the ciphertext of the UUID and the ciphertext of the device activation credential; in that case the second terminal device may use the root key to decrypt each ciphertext and obtain the plaintext UUID and the plaintext device activation credential. When the encrypted information was obtained by encrypting the UUID and the device activation credential as a single piece of information, it includes the ciphertext of that whole; the second terminal device may use the root key to decrypt it and obtain the plaintext UUID and the plaintext device activation credential.
Optionally, when the network side encrypted the anti-counterfeiting information directly with the root key, the second terminal device may decrypt the encrypted information directly with the root key. When the network side encrypted the anti-counterfeiting information with a derived key of the root key, the second terminal device may generate the derived key by the same method as the network side and use the derived key to decrypt the encrypted information.
S305: The second terminal device sends the UUID and the device activation credential to the credential server through the cloud server to complete activation of the second terminal device.
The second terminal device may have a secure connection with the cloud server, so that the two can communicate directly. The cloud server and the credential server may likewise have a secure connection and communicate directly. The second terminal device may communicate with the credential server through the cloud server.
Specifically, the second terminal device may send the UUID and the device activation credential to the cloud server. On receiving them, the cloud server may check whether the UUID is already registered. If the UUID is not registered, the cloud server may forward the UUID and the device activation credential to the credential server; if the UUID is already registered, the cloud server may determine that the second terminal device is an illegitimate device, that is, activation of the second terminal device fails. When the credential server receives the UUID and the device activation credential, it may check whether the device activation credential presented for the UUID matches the device activation credential it has stored as bound to that UUID. If they match, the credential server may determine that the second terminal device is a legitimate device, that is, activation succeeds; if they do not match, the credential server may determine that the second terminal device is an illegitimate device, that is, activation fails.
Optionally, after the second terminal device has been determined to be a legitimate device, if the device activation credential is a software token, the credential server may also generate a new software token for the second terminal device and send it to the cloud server; the credential server may in addition store the new software token as the device activation credential bound to the UUID of the second terminal device. When the cloud server receives the new software token, it may forward it to the second terminal device, which on receipt may encrypt the new software token with the root key and store the resulting ciphertext.
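The S305 checks and the optional token refresh, as an added Python sketch that is not part of the patent text. The class names, status strings and the choice to mark a UUID as registered at the moment of successful activation are assumptions; all tokens are constructed at run time.

```python
import hmac
import secrets
import uuid

# Hypothetical status strings for the three outcomes described in S305.
ACTIVATED = "activated"
REJECT_REGISTERED = "rejected: UUID already registered"
REJECT_MISMATCH = "rejected: credential does not match binding"


class CredentialServer:
    """Stores the UUID -> device activation credential bindings."""

    def __init__(self):
        self._bindings = {}

    def store_binding(self, device_uuid, credential):
        self._bindings[device_uuid] = credential

    def matches(self, device_uuid, credential):
        bound = self._bindings.get(device_uuid)
        if bound is None:          # unknown UUID: nothing to match against
            return False
        # Constant-time comparison so timing does not leak the bound token.
        return hmac.compare_digest(bound, credential)

    def rotate_token(self, device_uuid):
        """Issue a new software token and store it as the bound credential."""
        new_token = secrets.token_bytes(32)
        self._bindings[device_uuid] = new_token
        return new_token


class CloudServer:
    def __init__(self, credential_server):
        self._cred = credential_server
        self._registered = set()   # UUIDs that have already been activated
        self.audit_log = []        # (uuid, status) pairs for later review

    def provision(self, credential):
        """Factory side: allocate a UUID and bind it to the credential."""
        device_uuid = str(uuid.uuid4())
        self._cred.store_binding(device_uuid, credential)
        return device_uuid

    def activate(self, device_uuid, credential):
        if device_uuid in self._registered:
            # A second device presenting an already-activated UUID.
            status, new_token = REJECT_REGISTERED, None
        elif not self._cred.matches(device_uuid, credential):
            status, new_token = REJECT_MISMATCH, None
        else:
            self._registered.add(device_uuid)
            new_token = self._cred.rotate_token(device_uuid)
            status = ACTIVATED
        self.audit_log.append((device_uuid, status))
        return status, new_token


def demo():
    cred = CredentialServer()
    cloud = CloudServer(cred)
    factory_token = secrets.token_bytes(32)            # constructed sample
    dev_uuid = cloud.provision(factory_token)
    other_uuid = cloud.provision(secrets.token_bytes(32))

    first, new_token = cloud.activate(dev_uuid, factory_token)
    replay, _ = cloud.activate(dev_uuid, factory_token)   # copied UUID + token
    wrong, _ = cloud.activate(other_uuid, b"\x00" * 32)    # wrong credential
    unknown, _ = cloud.activate(str(uuid.uuid4()), factory_token)
    return {
        "first": first,
        "replay": replay,
        "wrong": wrong,
        "unknown": unknown,
        "old_token_valid": cred.matches(dev_uuid, factory_token),
        "new_token_valid": cred.matches(dev_uuid, new_token),
        "audit_entries": len(cloud.audit_log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The audit log is where a repeated activation attempt for one UUID becomes visible to an operator, since each rejected attempt is recorded with its reason.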
Further, when the second terminal device needs to update the root key used to encrypt the anti-counterfeiting information, for example when an update period is reached or when the second terminal device resets its system or restores factory settings, the second terminal device may randomly generate a key fragment, for example a piece of random number information. The second terminal device uses the first root key to encrypt the random number information and the second root key, obtaining a new second root key; the first root key and the new second root key constitute the updated root key. For example, if the first root key is ROT1, the second root key is ROT2, the random number information is rand and the new second root key is ROT2', then ROT2' = enc_ROT1(rand||ROT2), where enc denotes encryption and || denotes the OR operation.
In the embodiments of this application, after the second terminal device has left the factory and when the user uses it, the user may scan the device QR code on the body of the second terminal device with the first terminal device to obtain the first root key; the root key used to decrypt the anti-counterfeiting information of the second terminal device is then determined from the first root key and the second root key, and the anti-counterfeiting information is decrypted with the root key to obtain the UUID and the device activation credential. The second terminal device may then send the UUID and the device activation credential to the network side to complete activation of the second terminal device. The root key used to encrypt the anti-counterfeiting information of the second terminal device is divided into a first root key and a second root key: the first root key is steganographically written into an image embedded in the device QR code printed on the body of the second terminal device, and the second root key is stored in the second terminal device. Storing the parts of the root key in different locations of the second terminal device improves the security of the root key and makes it harder for an attacker to crack it, which greatly reduces the risk of the second terminal device being counterfeited.
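The derived-key option named under S202 and S304 (cyclic shift, or AND with a fixed value), set beside an HKDF-SHA256 derivation (RFC 5869), as an added Python example that is not part of the patent text. The root key, mask, shift count and `info` label are constructed values, and HKDF is a comparison technique brought in here, not one the application names.

```python
import hashlib
import hmac

# Constructed sample values (not from the patent).
ROOT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
FIXED_MASK = bytes.fromhex("0f" * 16)   # the "fixed value" for the AND option
SHIFT_BITS = 13                          # rotation amount for the shift option


def rotl(key: bytes, n: int) -> bytes:
    """Cyclic left shift of the whole key by n bits."""
    bits = len(key) * 8
    n %= bits
    value = int.from_bytes(key, "big")
    rotated = ((value << n) | (value >> (bits - n))) & ((1 << bits) - 1)
    return rotated.to_bytes(len(key), "big")


def rotr(key: bytes, n: int) -> bytes:
    """Cyclic right shift, the exact inverse of rotl."""
    bits = len(key) * 8
    return rotl(key, bits - (n % bits))


def and_with_fixed_value(key: bytes, mask: bytes) -> bytes:
    if len(key) != len(mask):
        raise ValueError("key and mask must have the same length")
    return bytes(k & m for k, m in zip(key, mask))


def variable_bits(mask: bytes) -> int:
    """Bits of the AND-derived key that still depend on the root key."""
    return sum(bin(b).count("1") for b in mask)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF extract-and-expand as specified in RFC 5869, using HMAC-SHA256."""
    if length > 255 * 32:
        raise ValueError("requested output too long")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def compare_derivations(root_key: bytes = ROOT_KEY) -> dict:
    shifted = rotl(root_key, SHIFT_BITS)
    masked = and_with_fixed_value(root_key, FIXED_MASK)
    # A second root key that differs only in the bits the mask clears.
    other_key = bytes(b ^ 0xF0 for b in root_key)
    derived = hkdf_sha256(root_key, b"", b"anti-counterfeit/encrypt/v1", 16)
    return {
        # Knowing the derived key and the shift count gives back the root key.
        "shift_recovers_root": rotr(shifted, SHIFT_BITS) == root_key,
        # Only the mask's set bits carry key material into the derived key.
        "and_variable_bits": variable_bits(FIXED_MASK),
        # Two different root keys collapse to the same AND-derived key.
        "and_collision": masked == and_with_fixed_value(other_key, FIXED_MASK),
        # One-way derivation, bound to a purpose label.
        "hkdf_key": derived,
    }


if __name__ == "__main__":
    for name, value in compare_derivations().items():
        print(name, "->", value.hex() if isinstance(value, bytes) else value)
```

Both sides of S304 must agree on the derivation and its parameters; with HKDF that shared parameter is the `info` label rather than a shift count or mask.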
The foregoing describes the solutions provided by the embodiments of this application mainly from the perspective of interaction between network elements. It can be understood that, to implement the above functions, each network element, for example a terminal, includes the hardware structures and/or software modules corresponding to each function. Those skilled in the art will readily appreciate that, given the units and algorithm steps of the examples described in connection with the embodiments disclosed herein, this application can be implemented in hardware, in software, or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and the design constraints of the technical solution. Skilled practitioners may use different methods to implement the described functions for each particular application, but such implementations should not be considered beyond the scope of this application.
In the embodiments of this application, the terminal may be divided into functional modules according to the method examples above. For example, one functional module may be defined for each function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module. It should be noted that the division into modules in the embodiments of this application is schematic and is only a division by logical function; other divisions are possible in an actual implementation. The following description takes as its example the case where one functional module is defined for each function.
FIG. 7 is a schematic structural diagram of a device anti-counterfeiting apparatus involved in the above embodiments; the apparatus can implement the functions of the cloud server in the method provided by the embodiments of this application. The apparatus may be the cloud server, or an apparatus that can support the cloud server in implementing those functions, for example a chip system used in the cloud server. The apparatus includes a receiving unit 401, a processing unit 402 and a sending unit 403. The receiving unit 401 may be used to support the apparatus in performing S201 in the above method embodiments and/or other technical processes described herein; the processing unit 402 may be used to support the apparatus in performing S202 and S203; the sending unit 403 may be used to support the apparatus in performing S204. All relevant content of the steps in the above method embodiments can be cited in the functional descriptions of the corresponding functional modules and is not repeated here.
Optionally, in the embodiments of this application, the chip system may consist of a chip, or may include a chip and other discrete devices.
Optionally, the receiving unit 401 in the embodiments of this application may be a circuit, a device, an interface, a bus, a software module, a transceiver or any other apparatus capable of communication.
Optionally, the receiving unit 401 and the sending unit 403 may be a communication interface of the cloud server or of a chip system used in the cloud server; for example, the communication interface may be a transceiver circuit. The processing unit 402 may be integrated on a processor of the cloud server or of the chip system used in the cloud server.
FIG. 8 is a schematic diagram of a possible logical structure of the device anti-counterfeiting apparatus involved in the above embodiments; the apparatus can implement the functions of the cloud server in the method provided by the embodiments of this application. The apparatus may be the cloud server or a chip system used in the cloud server, and includes a processor 412 and a communication interface 413. The processor 412 controls and manages the actions of the apparatus; for example, it performs the message or data processing steps on the apparatus side, such as supporting the apparatus in performing steps S201 to S204 in the above method embodiments and/or other processes of the techniques described herein. The communication interface 413 supports communication between the apparatus and other network elements. Optionally, the apparatus may further include a memory 411 for storing the program code and data of the apparatus.
The processor 412 may be a processor or a controller, for example a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various exemplary logical blocks, modules and circuits described in connection with the disclosure of the embodiments of this application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a digital signal processor and a microprocessor. The communication interface 412 may be a transceiver, a transceiver circuit, a communication interface or the like. The memory 411 may be a high-speed random access memory, a non-volatile memory or the like.
As an example, the communication interface 413, the processor 412 and the memory 411 are connected to one another through a bus 414; the bus 414 may be a PCI bus, an EISA bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of presentation only one thick line is drawn in FIG. 8, but this does not mean that there is only one bus or one type of bus. The memory 411 stores the program code and data of the apparatus. The communication interface 413 supports communication between the apparatus and other devices, and the processor 412 supports the apparatus in executing the program code stored in the memory 411 to implement the steps of the method provided by the embodiments of this application.
可选地,存储器411可以包括于处理器412中。Alternatively, the memory 411 may be included in the processor 412 .
FIG. 9 shows a schematic structural diagram of a device anti-counterfeiting apparatus involved in the foregoing embodiments. The apparatus can implement the functions of the terminal device in the methods provided in the embodiments of this application. The apparatus may be a terminal device, or an apparatus that can support a terminal device in implementing the functions of the terminal device in the embodiments of this application; for example, the apparatus is a chip system applied in the terminal device. The apparatus includes a receiving unit 501, a processing unit 502 and a sending unit 503. When the apparatus is used to implement the functions of the second terminal device in the foregoing method embodiments, the receiving unit 501 may be configured to support the apparatus in performing the step of receiving the first root key sent in S302; the processing unit 502 may be configured to support the apparatus in performing S303 and S304; and the sending unit 503 may be configured to support the apparatus in performing the step of sending the updated second root key. When the apparatus is used to implement the functions of the first terminal device in the foregoing method embodiments, the processing unit 502 is configured to support the apparatus in performing S301, and the sending unit 503 may be configured to support the apparatus in performing S302. All related content of the steps in the foregoing method embodiments may be cited in the functional descriptions of the corresponding functional modules and is not repeated here.
Optionally, in the embodiments of this application, the chip system may consist of a chip, or may include a chip and other discrete components.
Optionally, the receiving unit 501 in the embodiments of this application may be a circuit, a component, an interface, a bus, a software module, a transceiver, or any other apparatus that can implement communication.
Optionally, the receiving unit 501 and the sending unit 503 may be a communication interface of the terminal device or of a chip system applied in the terminal device; for example, the communication interface may be a transceiver circuit. The processing unit 502 may be integrated on a processor of the terminal device or of the chip system applied in the terminal device.
FIG. 10 shows a schematic diagram of a possible logical structure of the device anti-counterfeiting apparatus involved in the foregoing embodiments. The apparatus can implement the functions of the terminal device in the methods provided in the embodiments of this application. The apparatus may be a terminal device or a chip system applied in the terminal device, and includes a processor 512 and a communication interface 513. The processor 512 is configured to control and manage the actions of the apparatus; for example, the processor 512 is configured to perform the message or data processing steps on the apparatus side. For example, when the apparatus is used to implement the functions of the second terminal device in the foregoing method embodiments, the processor 512 may support the apparatus in performing steps S303 and S304 and/or other processes of the techniques described herein; when the apparatus is used to implement the functions of the first terminal device in the foregoing method embodiments, the processor 512 may support the apparatus in performing step S301. The communication interface 513 is configured to support the apparatus in communicating with other network elements. Optionally, the apparatus may further include a memory 511 configured to store the program code and data of the apparatus.
The processor 512 may be a processor or a controller, for example a central processing unit, a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various exemplary logical blocks, modules and circuits described in connection with the disclosure of the embodiments of this application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a digital signal processor and a microprocessor. The communication interface 512 may be a transceiver, a transceiver circuit, a communication interface, or the like. The memory 511 may be a high-speed random access memory, a non-volatile memory, or the like.
For example, the communication interface 513, the processor 512 and the memory 511 are connected to each other through a bus 514; the bus 514 may be a PCI bus, an EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, the bus is represented by only one thick line in FIG. 10, but this does not mean that there is only one bus or one type of bus. The memory 511 is configured to store the program code and data of the apparatus. The communication interface 513 is configured to support the apparatus in communicating with other devices, and the processor 512 is configured to support the apparatus in executing the program code stored in the memory 511 to implement the steps of the methods provided in the embodiments of this application.
Optionally, the memory 511 may be included in the processor 512.
Based on this, an embodiment of this application further provides a communication system that includes a credential server, a cloud server, a first terminal device and a second terminal device. The cloud server is the cloud server provided in FIG. 7 or FIG. 8 and is configured to perform the functions of the cloud server in the method embodiments of this application; the second terminal device is the terminal device provided in FIG. 9 or FIG. 10 and is configured to perform the functions of the second terminal device in the method embodiments of this application; the first terminal device is the terminal device provided in FIG. 9 or FIG. 10 and is configured to perform the functions of the first terminal device in the method embodiments of this application.
In the embodiments of this application, the root key used to encrypt the anti-counterfeiting information of the terminal device is divided into a first root key and a second root key. The first root key is steganographically hidden in an image that is embedded in the device two-dimensional code printed on the body of the terminal device, and the second root key is stored in the terminal device. Storing the root key in separate locations of the terminal device in this way improves the security of the root key and makes it harder for unauthorized parties to crack it, which greatly reduces the risk of counterfeit terminal devices.
The methods provided in the embodiments of this application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, a network device, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example, coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (for example, infrared, radio, or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk, or magnetic tape), an optical medium (for example, a digital video disc (DVD)), or a semiconductor medium (for example, an SSD).
Based on this understanding, an embodiment of this application further provides a computer-readable storage medium that stores instructions which, when run on a computer, cause the computer to perform one or more steps of the terminal in the foregoing method embodiments.
An embodiment of this application further provides a computer program product containing instructions which, when run on a computer, cause the computer to perform one or more steps of the terminal in the foregoing method embodiments.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this application.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the apparatuses and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
Finally, it should be noted that the foregoing is only specific implementations of this application, and the protection scope of this application is not limited thereto. Any change or replacement within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (21)

  1. A device anti-counterfeiting method, characterized in that the method comprises:
    obtaining, by a cloud server, a root key from a credential server, where the root key is used to encrypt anti-counterfeiting information of a terminal device, and the anti-counterfeiting information includes a universally unique identifier (UUID) and a device activation credential of the terminal device;
    encrypting, by the cloud server, the UUID and the device activation credential according to the root key to obtain encrypted information;
    steganographically writing, by the cloud server, a first root key into a device two-dimensional code of the terminal device, where the first root key is a partial key of the root key; and
    sending, by the cloud server, the device two-dimensional code, a second root key and the encrypted information, where the second root key is a partial key of the root key and, together with the first root key, constitutes the root key.
  2. The method according to claim 1, characterized in that an image is embedded in the device two-dimensional code, and the first root key is steganographically hidden in the image.
  3. The method according to claim 1 or 2, characterized in that the second root key and the encrypted information are stored in the terminal device.
  4. The method according to any one of claims 1-3, characterized in that the encrypting, by the cloud server, of the UUID and the device activation credential according to the root key comprises:
    encrypting, by the cloud server, the UUID and the device activation credential directly using the root key; or
    encrypting, by the cloud server, the UUID and the device activation credential using a derived key of the root key.
  5. The method according to any one of claims 1-4, characterized in that the method further comprises:
    generating, by the cloud server, the device two-dimensional code according to hardware information of the terminal device, where the hardware information includes a media access control (MAC) address and/or a device serial number.
  6. The method according to any one of claims 1-5, characterized in that the device activation credential is a software token or a certificate.
  7. The method according to any one of claims 1-6, characterized in that the terminal device is a smart home device.
  8. A device anti-counterfeiting method, characterized in that the method comprises:
    receiving, by a second terminal device, a first root key from a first terminal device, where the first root key is steganographically hidden in a device two-dimensional code of the second terminal device;
    determining, by the second terminal device, a root key according to the first root key and a second root key stored by the second terminal device itself;
    decrypting, by the second terminal device according to the root key, encrypted information corresponding to anti-counterfeiting information of the second terminal device to obtain the anti-counterfeiting information, where the anti-counterfeiting information includes a universally unique identifier (UUID) and a device activation credential; and
    activating, by the second terminal device, the second terminal device according to the UUID and the device activation credential.
  9. The method according to claim 8, characterized in that the method further comprises:
    when a preset update condition is satisfied, updating, by the second terminal device, the second root key using the first root key.
  10. The method according to claim 9, characterized in that the method further comprises:
    sending, by the second terminal device, the second root key to a cloud server.
  11. The method according to claim 9 or 10, characterized in that the preset update condition includes at least one of the following: a system reset of the second terminal device, restoration of the second terminal device to factory settings, and receipt by the second terminal device of a new device activation credential.
  12. The method according to any one of claims 8-11, characterized in that an image is embedded in the device two-dimensional code, and the first root key is steganographically hidden in the image.
  13. The method according to any one of claims 8-12, characterized in that the device two-dimensional code is generated based on hardware information of the second terminal device, where the hardware information includes a media access control (MAC) address and/or a device serial number.
  14. The method according to any one of claims 8-13, characterized in that the decrypting, by the second terminal device using the root key, of the encrypted information corresponding to the anti-counterfeiting information of the second terminal device comprises:
    decrypting, by the second terminal device, the encrypted information corresponding to the anti-counterfeiting information of the second terminal device directly using the root key; or
    decrypting, by the second terminal device, the encrypted information corresponding to the anti-counterfeiting information of the second terminal device directly using a derived key of the root key.
  15. The method according to any one of claims 8-14, characterized in that the device activation credential is a software token or a certificate.
  16. The method according to any one of claims 8-15, characterized in that the second terminal device is a smart home device.
  17. A device anti-counterfeiting method, characterized in that the method is applied in a communication system including a credential server, a cloud server and a terminal device;
    where the credential server is configured to assign a root key to the terminal device, the cloud server is configured to perform the device anti-counterfeiting method according to any one of claims 1-7, and the terminal device is configured to perform the device anti-counterfeiting method according to any one of claims 8-16.
  18. A device anti-counterfeiting apparatus, characterized in that the apparatus includes a memory and a processor coupled to the memory, the memory stores code, and the processor runs the code in the memory so that the apparatus performs the device anti-counterfeiting method according to any one of claims 1-7.
  19. A device anti-counterfeiting apparatus, characterized in that the apparatus includes a memory and a processor coupled to the memory, the memory stores code, and the processor runs the code in the memory so that the apparatus performs the device anti-counterfeiting method according to any one of claims 8-16.
  20. A computer-readable storage medium, where the computer-readable storage medium stores instructions which, when run on a computer, cause the computer to perform the device anti-counterfeiting method according to any one of claims 1-16.
  21. A computer program product, characterized in that, when the computer program product runs on a computer, the computer is caused to perform the device anti-counterfeiting method according to any one of claims 1-16.
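The key handling summarized in the description and recited in claims 1 and 8, as an added example that is not code from the application: the root key is split, the first part is hidden in image pixels, and the second terminal device recombines it with its stored part to decrypt the anti-counterfeiting information. The concatenation split, the least-significant-bit embedding, the HKDF derivation, the HMAC-based encrypt-then-MAC stand-in for an AEAD cipher, and all function names and sample values are assumptions; the application does not specify them.

```python
import hashlib
import hmac
import os

# Added illustration; the split, LSB embedding and cipher below are assumptions.

def hkdf(key, info, length=32):
    """HKDF-SHA256 (RFC 5869), zero salt, one output block (length <= 32)."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]

def split_root_key(root_key):
    """Assumed split: leading half for the QR image, trailing half for the device."""
    half = len(root_key) // 2
    return root_key[:half], root_key[half:]

def embed_lsb(pixels, secret):
    """Hide `secret` in the least significant bit of successive pixel bytes."""
    bits = [(byte >> (7 - i)) & 1 for byte in secret for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for the key part")
    out = bytearray(pixels)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)

def extract_lsb(pixels, n_bytes):
    """Read n_bytes back from the pixel LSBs, most significant bit first."""
    out = bytearray()
    for b in range(n_bytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[b * 8 + i] & 1)
        out.append(value)
    return bytes(out)

def _keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(root_key, plaintext):
    """Encrypt-then-MAC under keys derived from the root key (AEAD stand-in)."""
    enc_key, mac_key = hkdf(root_key, b"enc"), hkdf(root_key, b"mac")
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(root_key, blob):
    """Return the plaintext, or None if the key or the ciphertext is wrong."""
    if len(blob) < 48:  # 16-byte nonce + 32-byte tag
        return None
    enc_key, mac_key = hkdf(root_key, b"enc"), hkdf(root_key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def provision(root_key, uuid, credential, cover_pixels):
    """Cloud server: returns (QR image pixels, second key part, encrypted info)."""
    k1, k2 = split_root_key(root_key)
    info = len(uuid).to_bytes(2, "big") + uuid + credential
    return embed_lsb(cover_pixels, k1), k2, seal(root_key, info)

def scan_qr(qr_pixels, k1_len=16):
    """First terminal device: recover the first key part from the scanned image."""
    return extract_lsb(qr_pixels, k1_len)

def activate(k1, stored_k2, encrypted_info):
    """Second terminal device: rebuild the root key and return (uuid, credential)."""
    plain = open_sealed(k1 + stored_k2, encrypted_info)
    if plain is None:
        return None  # wrong key part or altered data: do not activate
    n = int.from_bytes(plain[:2], "big")
    return plain[2:2 + n], plain[2 + n:]

# Constructed sample values, not taken from the application.
ROOT_KEY = bytes(range(32))
UUID = b"123e4567-e89b-12d3-a456-426614174000"
CREDENTIAL = b"constructed-activation-token"
COVER = bytes((i * 37) % 256 for i in range(256))

if __name__ == "__main__":
    qr, k2, blob = provision(ROOT_KEY, UUID, CREDENTIAL, COVER)
    print(activate(scan_qr(qr), k2, blob))
    print(activate(scan_qr(qr), bytes(16), blob))
```

Under the concatenation split assumed here, the printed code alone carries half of the root key's bits, so the confidentiality of the device-stored half carries the remaining strength.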
PCT/CN2021/085663 2020-06-29 2021-04-06 Method and apparatus for device anti-counterfeiting WO2022001272A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010603829.6 2020-06-29
CN202010603829.6A CN113935744A (en) 2020-06-29 2020-06-29 Equipment anti-counterfeiting method and device

Publications (1)

Publication Number Publication Date
WO2022001272A1 true WO2022001272A1 (en) 2022-01-06

Family

ID=79272843

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/085663 WO2022001272A1 (en) 2020-06-29 2021-04-06 Method and apparatus for device anti-counterfeiting

Country Status (2)

Country Link
CN (1) CN113935744A (en)
WO (1) WO2022001272A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277194A (en) * 2022-07-27 2022-11-01 歌尔科技有限公司 Product authentication method, wearable device, watchband and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090070593A1 (en) * 2007-09-07 2009-03-12 Authentec, Inc. Finger sensing apparatus using unique session key and associated methods
CN102855510A (en) * 2011-07-01 2013-01-02 中国人民银行印制科学技术研究所 Anti-fake product and identification method thereof
US20170111788A1 (en) * 2015-10-14 2017-04-20 Sony Computer Entertainment America Llc Secure device pairing
CN107547203A (en) * 2016-06-29 2018-01-05 深圳长城开发科技股份有限公司 A kind of false proof source tracing method and system
CN108090527A (en) * 2016-11-22 2018-05-29 北京计算机技术及应用研究所 The anti-fake method of consumptive material is carried out using radio frequency identification

Also Published As

Publication number Publication date
CN113935744A (en) 2022-01-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21832703

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21832703

Country of ref document: EP

Kind code of ref document: A1