WO2022021433A1 - Method for device access authentication, terminal device and cloud platform - Google Patents
Method for device access authentication, terminal device and cloud platform
- Publication number: WO2022021433A1 (PCT application PCT/CN2020/106435)
- Authority: WO (WIPO (PCT))
- Prior art keywords: network, cloud platform, terminal device, information, platform
Classifications (CPC)
- H04W48/08 — Access restriction or access information delivery, e.g. discovery data delivery (under H04W48/00 Access restriction; Network selection; Access point selection)
- H04W12/069 — Authentication using certificates or pre-shared keys (under H04W12/06 Authentication, H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
- H04L63/0823 — Network architectures or network communication protocols for network security for authentication of entities using certificates (under H04L63/08, H04L63/00)
- H04W12/08 — Access security (under H04W12/00)
- H04W12/73 — Access point logical identity (under H04W12/69 Identity-dependent, H04W12/60 Context-dependent security)
- H04L2463/121 — Timestamp (under H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00)
- H04W88/04 — Terminal devices adapted for relaying to or from another terminal or user (under H04W88/02 Terminal devices, H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices)
Definitions
- the present application relates to the field of communications, and more particularly, to a method for device access authentication, a terminal device, and a cloud platform.
- the equipment of a first manufacturer is required to be able to access the platform of a second manufacturer through configuration, so as to interconnect and intercommunicate with the equipment on the second manufacturer's platform.
- the device needs to leave the factory with a unified configuration access protocol, so that the APP of the second manufacturer can configure the device, allowing it to join the home network and access the platform.
- in the existing process the device cannot be authenticated before it is provisioned onto the network; access authentication is only possible after the device has been configured onto the network, which creates a risk of leaking private information such as home network information.
- the embodiments of the present application provide a device access authentication method, a terminal device, and a cloud platform, which can improve the security of the network distribution (provisioning) process.
- An embodiment of the present application provides a method for device access authentication, including:
- the terminal device receives the device authentication information corresponding to the device information of the device to be connected to the network from the first cloud platform;
- the terminal device receives the access authentication credential from the device to be connected to the network
- the terminal device uses the device authentication information to verify the access authentication credential.
- An embodiment of the present application provides a method for device access authentication, including:
- the first cloud platform receives the device information of the device to be connected to the network from the terminal device;
- the first cloud platform obtains device authentication information corresponding to the device information
- the first cloud platform sends the device authentication information to the terminal device, where the device authentication information is used to verify the access authentication credential from the device to be connected to the network at the terminal device.
- An embodiment of the present application provides a method for device access authentication, including:
- the second cloud platform receives the device information of the device to be connected to the network
- the second cloud platform obtains device authentication information corresponding to the device information
- the second cloud platform sends the device authentication information to the first cloud platform, so that the first cloud platform forwards the device authentication information to the terminal device, where the device authentication information is used by the terminal device to verify the access authentication credential from the device to be connected to the network.
- An embodiment of the present application provides a method for device access authentication, including:
- the device to be connected to the network sends its access authentication credential to the terminal device, so that the terminal device uses the device authentication information of the device to be connected to the network, obtained from the cloud platform, to verify the access authentication credential.
- An embodiment of the present application provides a terminal device, including:
- a first receiving unit configured to receive device authentication information corresponding to the device information of the device to be connected to the network from the first cloud platform;
- a second receiving unit configured to receive the access authentication credential from the device to be connected to the network
- the device verification unit uses the device authentication information to verify the access authentication credential.
- Embodiments of the present application provide a first cloud platform, including:
- a receiving unit configured to receive the device information of the device to be connected to the network from the terminal device
- an acquisition unit configured to acquire device authentication information corresponding to the device information
- a sending unit configured to send the device authentication information to the terminal device, where the device authentication information is used to verify the access authentication credential from the device to be accessed at the terminal device.
- Embodiments of the present application provide a second cloud platform, including:
- a receiving unit configured to receive device information of the device to be connected to the network
- an acquisition unit configured to acquire device authentication information corresponding to the device information
- a sending unit configured to send the device authentication information to the first cloud platform, so that the first cloud platform forwards the device authentication information to the terminal device, where the device authentication information is used by the terminal device to verify the access authentication credential from the device to be connected to the network.
- An embodiment of the present application provides a device to be connected to a network, including:
- the sending unit is configured to send the access authentication credential of the device to be connected to the network to the terminal device, so that the terminal device can use the device authentication information of the device to be connected to the network obtained from the cloud platform to verify the access authentication credential.
- An embodiment of the present application provides a terminal device, including a processor and a memory.
- the memory is used for storing a computer program
- the processor is used for calling and running the computer program stored in the memory, so that the terminal device executes the device access authentication method performed by the terminal device.
- Embodiments of the present application provide a cloud platform, including a processor and a memory.
- the memory is used to store a computer program
- the processor is used to call and run the computer program stored in the memory, so that the cloud platform executes the method for device access authentication performed by the first cloud platform or the second cloud platform.
- An embodiment of the present application provides a device to be connected to a network, including a processor and a memory.
- the memory is used to store a computer program
- the processor is used to call and run the computer program stored in the memory, so that the device to be connected to the network executes the device access authentication method performed by the device to be connected to the network.
- An embodiment of the present application provides a chip, which is used for implementing the foregoing method for device access authentication.
- the chip includes: a processor for calling and running a computer program from the memory, so that a device installed with the chip executes any of the above-mentioned methods for device access authentication.
- An embodiment of the present application provides a computer-readable storage medium for storing a computer program, where the computer program, when executed by a device, causes the device to perform any of the foregoing device access authentication methods.
- An embodiment of the present application provides a computer program product, including computer program instructions, and the computer program instructions cause a computer to execute any one of the foregoing device access authentication methods.
- An embodiment of the present application provides a computer program, which, when running on a computer, enables the computer to execute any one of the foregoing device access authentication methods.
- the terminal device obtains the device authentication information corresponding to the device information of the device to be connected to the network from the first cloud platform, and uses the device authentication information to verify the access authentication credential; this authenticates the device during the network distribution process, so that the device is verified first and the network configured afterwards, which improves security.
- FIG. 1 is a schematic diagram of an application scenario according to an embodiment of the present application.
- FIG. 2 is a schematic flowchart of a method for device access authentication according to an embodiment of the present application.
- FIG. 3 is a schematic flowchart of a method for device access authentication according to another embodiment of the present application.
- FIG. 4 is a schematic flowchart of a method for device access authentication according to another embodiment of the present application.
- FIG. 5 is a schematic flowchart of a method for device access authentication according to another embodiment of the present application.
- FIG. 6 is a schematic flowchart of a method for device access authentication according to another embodiment of the present application.
- FIG. 7 is a schematic flowchart of a method for device access authentication according to another embodiment of the present application.
- FIG. 8 is a schematic flowchart of a method for device access authentication according to another embodiment of the present application.
- FIG. 9 is a schematic flowchart of a method for device access authentication according to another embodiment of the present application.
- FIG. 10 is a schematic flowchart of a method for device access authentication according to another embodiment of the present application.
- FIG. 11 is a schematic flowchart of a method for device access authentication according to another embodiment of the present application.
- FIG. 12 is a schematic flowchart of a method for device access authentication according to another embodiment of the present application.
- FIG. 13 is a schematic diagram of a discovery process in a scenario.
- FIG. 14 is a schematic diagram of a network distribution process in a scenario.
- FIG. 15 is a schematic diagram of a flow of implementing access authentication in a device network configuration process.
- FIG. 16 is a schematic diagram of another process of implementing access authentication in a device network configuration process.
- FIG. 17 is a schematic block diagram of a terminal device according to an embodiment of the present application.
- FIG. 18 is a schematic block diagram of a terminal device according to another embodiment of the present application.
- FIG. 19 is a schematic block diagram of a first cloud platform according to an embodiment of the present application.
- FIG. 20 is a schematic block diagram of a second cloud platform according to an embodiment of the present application.
- FIG. 21 is a schematic block diagram of a device to be connected to a network according to an embodiment of the present application.
- FIG. 22 is a schematic block diagram of a device to be connected to a network according to another embodiment of the present application.
- FIG. 23 is a schematic block diagram of a communication device according to an embodiment of the present application.
- FIG. 24 is a schematic block diagram of a chip according to an embodiment of the present application.
- FIG. 25 is a schematic block diagram of a communication system according to an embodiment of the present application.
- GSM Global System of Mobile communication
- CDMA Code Division Multiple Access
- WCDMA Wideband Code Division Multiple Access
- GPRS General Packet Radio Service
- LTE Long Term Evolution
- LTE-A Advanced Long Term Evolution
- NR New Radio
- NTN Non-Terrestrial Networks
- UMTS Universal Mobile Telecommunication System
- WLAN Wireless Local Area Networks
- WiFi Wireless Fidelity
- 5G fifth-generation communication
- D2D Device to Device
- M2M Machine to Machine
- MTC Machine Type Communication
- V2V Vehicle to Vehicle
- V2X Vehicle to everything
- the communication system in this embodiment of the present application may be applied to a carrier aggregation (Carrier Aggregation, CA) scenario, a dual connectivity (Dual Connectivity, DC) scenario, or a standalone (Standalone, SA) deployment scenario.
- the communication system in the embodiment of the present application may be applied to an unlicensed spectrum, where the unlicensed spectrum may also be considered a shared spectrum; or the communication system in the embodiment of the present application may also be applied to a licensed spectrum, where the licensed spectrum may also be considered an unshared spectrum.
- the embodiments of the present application describe various embodiments in conjunction with network equipment and terminal equipment, where the terminal equipment may also be referred to as user equipment (User Equipment, UE), access terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user device, etc.
- the terminal device can be a station (STATION, ST) in the WLAN, a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a personal digital assistant (Personal Digital Assistant, PDA) device, a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in a next-generation communication system such as an NR network, or a terminal device in a future evolved public land mobile network (Public Land Mobile Network, PLMN), etc.
- the terminal device can be deployed on land, including indoor or outdoor, handheld, wearable, or vehicle-mounted; it can also be deployed on water (such as on ships); it can also be deployed in the air (such as on airplanes, balloons, and satellites).
- the terminal device may be a mobile phone (Mobile Phone), a tablet computer (Pad), a computer with a wireless transceiver function, a virtual reality (Virtual Reality, VR) terminal device, an augmented reality (Augmented Reality, AR) terminal device, wireless terminal equipment in industrial control, wireless terminal equipment in self driving, wireless terminal equipment in remote medical, wireless terminal equipment in smart grid, wireless terminal equipment in transportation safety, wireless terminal equipment in smart city or wireless terminal equipment in smart home, etc.
- the terminal device may also be a wearable device.
- Wearable devices may also be called wearable smart devices, a general term for devices developed by applying wearable technology to the intelligent design of everyday wear, such as glasses, gloves, watches, clothing and shoes.
- a wearable device is a portable device that is worn directly on the body or integrated into the user's clothing or accessories. A wearable device is not only a hardware device; it also provides powerful functions through software support, data interaction, and cloud interaction.
- wearable smart devices include full-featured, large-sized devices that implement complete or partial functions without relying on a smart phone, such as smart watches or smart glasses, and devices that focus only on a certain type of application function and need to cooperate with other devices such as smart phones, such as smart bracelets and smart jewelry for physical sign monitoring.
- the network device may be a device for communicating with a mobile device; it may be an access point (Access Point, AP) in WLAN, a base station (Base Transceiver Station, BTS) in GSM or CDMA, a base station (NodeB, NB) in WCDMA, an evolved base station (Evolutional Node B, eNB or eNodeB) in LTE, a relay station or access point, in-vehicle equipment, wearable devices and NR networks
- the network device may have a mobile feature, for example, the network device may be a mobile device.
- the network device may be a satellite or a balloon station.
- the satellite may be a low earth orbit (LEO) satellite, a medium earth orbit (MEO) satellite, a geostationary earth orbit (GEO) satellite, a high elliptical orbit (HEO) satellite, etc.
- the network device may also be a base station set in a location such as land or water.
- a network device may provide services for a cell, and a terminal device communicates with the network device through transmission resources (for example, frequency domain resources, or spectrum resources) used by the cell, and the cell may be a network device (
- the cell may belong to a macro base station, or to the base station corresponding to a small cell (Small cell), for example a pico cell (Pico cell) or a femto cell (Femto cell), etc.
- these small cells have small coverage and low transmission power, and are suitable for providing high-speed data transmission services.
- FIG. 1 exemplarily shows a communication system 100 .
- the communication system includes one network device 110 and two terminal devices 120 .
- the communication system 100 may include multiple network devices 110, and the coverage of each network device 110 may include other numbers of terminal devices 120, which are not limited in this embodiment of the present application.
- the communication system 100 may further include other network entities such as a mobility management entity (Mobility Management Entity, MME) and an access and mobility management function (Access and Mobility Management Function, AMF), which are not limited in the embodiments of the present application.
- the network equipment may further include access network equipment and core network equipment. That is, the wireless communication system further includes a plurality of core networks for communicating with the access network equipment.
- the access network equipment may be an evolved base station (evolutional node B, eNB or e-NodeB for short) in a long-term evolution (long-term evolution, LTE) system, a next-generation (mobile communication system) (next radio, NR) system, or a licensed-assisted access long-term evolution (LAA-LTE) system, a macro base station, a micro base station (also called a "small base station"), a pico base station, an access point (AP), a transmission point (transmission point, TP) or a new-generation base station (new generation Node B, gNodeB), etc.
- a device having a communication function in the network/system may be referred to as a communication device.
- the communication device may include a network device and a terminal device with a communication function, and the network device and the terminal device may be the specific devices described in this embodiment of the application, which will not be repeated here; the communication device may also include other devices in the communication system, for example other network entities such as a network controller and a mobility management entity, which are not limited in this embodiment of the present application.
- the "indication" mentioned in the embodiments of the present application may be a direct indication, an indirect indication, or an association relationship.
- "A indicates B" may mean that A directly indicates B, for example B can be obtained through A; it may also mean that A indicates B indirectly, for example A indicates C and B can be obtained through C; it may also mean that there is an association between A and B.
- "corresponding" may indicate a direct or indirect correspondence between two items, an association between them, or a relationship of indicating and being indicated, configuring and being configured, etc.
- FIG. 2 is a schematic flowchart of a method 200 for device access authentication according to an embodiment of the present application.
- the method can optionally be applied to the system shown in Figure 1, but is not limited thereto.
- the method includes at least some of the following.
- the terminal device receives device authentication information corresponding to the device information of the device to be connected to the network from the first cloud platform;
- the terminal device receives the access authentication credential from the device to be connected to the network
- the terminal device verifies the access authentication credential by using the device authentication information.
- the first cloud platform may be a cloud platform directly connected to the terminal device.
- the first cloud platform may be a cloud platform of a manufacturer of the terminal device, and the first cloud platform includes device authentication information provided by the manufacturer of the terminal device.
- the first cloud platform may also be a cloud platform that integrates device authentication information of multiple manufacturers.
- the terminal device may obtain device authentication information corresponding to the device information of the device to be connected to the network from the first cloud platform.
- the device authentication information can be used to verify whether the device is legitimate.
- the terminal device may also obtain the access authentication credential of the device to be connected to the network from that device. The terminal device then checks the access authentication credential using the device authentication information to determine whether the device to be connected is legitimate; only if it is legitimate are the subsequent network distribution operations performed.
- the method further includes:
- the terminal device receives device information from the device to be connected to the network
- the terminal device sends the device information of the device to be connected to the network to the first cloud platform.
- the terminal device may send the device information to the first cloud platform, and then execute S210 to S230.
- the terminal device receives the device information from the device to be connected to the network, including: the terminal device receives a service set identifier (Service Set Identifier, SSID) broadcast from the device to be connected to the network, where the device information in the SSID includes at least one of manufacturer information and product information.
- the manufacturer information may include a manufacturer name, a manufacturer number, and the like.
- Product information may include product name and product serial number, etc.
- the device to be connected to the network may carry some device information in an information element (Information Element, IE) attached to the SSID broadcast beacon (Beacon) frame.
- after a terminal device receives the SSID broadcast, it parses the discovery field and can obtain device information such as the device's manufacturer name, product name, and product serial number.
- the terminal device can present the manufacturer name, product name, etc. to the user, and the user can use the terminal device to decide whether to initiate device configuration. If initiating device configuration is confirmed, and the terminal device establishes or maintains a secure connection with the first cloud platform, the terminal device may acquire the device authentication information corresponding to the device information from the first cloud platform.
- the terminal device sends the device information of the device to be connected to the network to the first cloud platform, including: when the terminal device has a secure connection with the first cloud platform, the terminal device sends an authentication information acquisition request to the first cloud platform, where the authentication information acquisition request includes product information of the device to be connected to the network.
- S210, the terminal device receiving the device authentication information corresponding to the device information from the first cloud platform, includes: the terminal device receives, from the first cloud platform, the device authentication information corresponding to the product information.
- the authentication information acquisition request sent by the terminal device to the first cloud platform includes product information such as the product name and product serial number of the device to be connected to the network.
- the terminal device sends the device information of the device to be connected to the network to the first cloud platform, including: when the terminal device has a secure connection with the first cloud platform, the terminal device sends an authentication information acquisition request to the first cloud platform, where the authentication information acquisition request includes manufacturer information and product information of the device to be connected to the network; the manufacturer information corresponds to the second cloud platform, and the product information corresponds to the device authentication information.
- the first cloud platform cannot find the device authentication information of the device to be connected to the network, it can also search in the second cloud platform.
- the first cloud platform can be connected to one or more second cloud platforms.
- the first cloud platform may decide to which second cloud platform to send the authentication information acquisition request according to the manufacturer information.
- the terminal device receives the device authentication information corresponding to the device information of the device to be connected to the network from the first cloud platform, including: the terminal device receives, from the first cloud platform, the device authentication information corresponding to the product information.
- the device authentication information corresponding to the product information is obtained by the first cloud platform from the second cloud platform corresponding to the manufacturer information.
- the first cloud platform may also be connected to one or more second cloud platforms, and each second cloud platform may correspond to different manufacturer information.
- the device information of the device to be connected to the network may be located on a certain second cloud platform.
- after the terminal device sends the authentication information acquisition request to the first cloud platform, if the device authentication information corresponding to the product information cannot be found in the first cloud platform, the first cloud platform can search in the second cloud platform. If the authentication information acquisition request received by the first cloud platform includes the manufacturer information of the device to be connected to the network, the first cloud platform may decide to which second cloud platform to send the authentication information acquisition request according to the manufacturer information.
- the first cloud platform searches for the second cloud platform corresponding to the manufacturer information, then sends the product information to the found second cloud platform through the authentication information acquisition request, and searches the second cloud platform for device authentication information corresponding to the product information. Then, the second cloud platform returns the device authentication information corresponding to the found product information to the terminal device through the first cloud platform.
- the method further includes: S130, the terminal device joins the Soft Access Point (SoftAP) of the device to be connected to the network. This step may be performed after the terminal device in S210 receives the device authentication information corresponding to the device information of the device to be connected to the network from the first cloud platform.
- after the terminal device sends the device information of the device to be connected to the network to the first cloud platform and receives the device authentication information returned by the first cloud platform, if the user determines to initiate the device configuration, the terminal device can join the SoftAP of the device to be connected to the network and establish a secure connection with it.
- the method further includes a step of verifying whether the cloud platform is legal, which may specifically include the following methods:
- Method 1 Check whether the cloud platform is legal through platform credentials, see Figure 4.
- after the terminal device joins the SoftAP of the device to be connected to the network and establishes a secure connection with the device to be connected to the network, the method further includes: S140, the terminal device sends the platform credential of the first cloud platform to the device to be connected to the network, so that the device to be connected to the network can verify whether the first cloud platform is legal.
- after the terminal device joins the SoftAP of the device to be connected to the network and establishes a secure connection with the device to be connected to the network, the method further includes: S150, the terminal device sends the platform credential of the second cloud platform to the device to be connected to the network, so that the device to be connected to the network can verify whether the second cloud platform is legal.
- the platform credential includes a timestamp or a serial number. Timestamps or serial numbers prevent platform credentials from being reused.
- Method 2 Check whether the cloud platform is legal through an implicit method, see Figure 5.
- the terminal device receives the access authentication credential from the device to be connected to the network, including: S221, the terminal device receives the encrypted access authentication credential from the device to be connected to the network;
- the method further includes: S222, the terminal device decrypts the encrypted access authentication credential by using the platform decryption information and sends the decrypted data to the device to be connected to the network, and the device to be connected to the network verifies whether the decryption is successful, wherein the cloud platform corresponding to the platform decryption information with which the decryption succeeded is a legal platform.
- the subsequent steps S220 and S230 may be performed again when the cloud platform is legal.
- in the second manner, it is possible to verify whether the cloud platform is legal during the process of S220.
- the terminal device receives the access authentication credential from the device to be connected to the network, including: when the verified cloud platform is legal, the terminal device receives the access authentication certificate from the device to be connected to the network.
- the access authentication request includes the access authentication credential.
- the terminal device uses the device authentication information to verify the access authentication credential, including: the terminal device uses the device authentication information to verify the access authentication credential and thereby determines whether the device to be connected to the network is a legitimate device.
- the method further includes: S240, the terminal device configures the device to be connected to the network by using device configuration information, where the device configuration information is obtained from the first cloud platform or the second cloud platform.
- device configuration information may include device identification (ID), certificates, keys, and the like.
- FIG. 6 is a schematic flowchart of a method 300 for device access authentication according to another embodiment of the present application.
- the method can optionally be applied to the system shown in Figure 1, but is not limited thereto.
- the method includes at least some of the following.
- the first cloud platform receives the device information of the device to be connected to the network from the terminal device.
- the first cloud platform obtains device authentication information corresponding to the device information
- the first cloud platform sends the device authentication information to the terminal device, where the device authentication information is used to verify the access authentication credential from the device to be connected to the network at the terminal device.
- the first cloud platform receives the device information of the device to be connected to the network from the terminal device, including: when the terminal device and the first cloud platform are in a secure connection, the first cloud platform receives an authentication information acquisition request from the terminal device, where the authentication information acquisition request includes product information of the device to be connected to the network.
- the first cloud platform sending the device authentication information to the terminal device includes: the first cloud platform sending the device authentication information corresponding to the product information to the terminal device.
- the method further includes: S340, the first cloud platform sends the platform credential of the first cloud platform to the terminal device. Then, the terminal device can send the platform credentials of the first cloud platform to the device to be connected to the network, and the device to be connected to the network can verify whether the first cloud platform is legal. If it is legal, the device to be connected to the network sends its own access authentication credential to the terminal device, and the terminal device uses the device authentication information obtained from the first cloud platform to verify the access authentication credential from the device to be connected to the network.
- the first cloud platform may be connected to one or more second cloud platforms, and the device information of the device to be connected to the network may be located on a certain second cloud platform.
- the first cloud platform receives the device information of the device to be connected to the network from the terminal device, including: S311, in the case that the terminal device and the first cloud platform are in a secure connection, the first cloud platform receives a first authentication information acquisition request from the terminal device, where the first authentication information acquisition request includes manufacturer information and product information of the device to be connected to the network.
- if the first cloud platform does not have the device authentication information of the device to be connected to the network, it can be searched for in the second cloud platform.
- the first cloud platform obtains the device authentication information corresponding to the device information, and further includes:
- the first cloud platform sends a second authentication information acquisition request to the second cloud platform corresponding to the manufacturer information, where the second authentication information acquisition request includes the product information;
- the first cloud platform receives the device authentication information corresponding to the product information from the second cloud platform.
- S330, the first cloud platform sending the device authentication information to the terminal device, includes: S331, the first cloud platform sending to the terminal device the device authentication information corresponding to the product information that was obtained from the second cloud platform.
- the method further includes:
- the first cloud platform receives the platform credential of the second cloud platform
- the first cloud platform sends the platform credentials of the second cloud platform to the terminal device.
- the method further includes:
- the first cloud platform generates or obtains the device configuration information of the device to be connected to the network from the second cloud platform;
- the first cloud platform sends the device configuration information to the terminal device.
- the sequence between the steps of the first cloud platform acquiring the device authentication information, the platform credentials, and the device configuration information from the second cloud platform is not limited, and it may have a sequential order or be performed simultaneously.
- the sequence between the steps in which the first cloud platform sends the device authentication information, the platform credential, and the device configuration information to the terminal device is not limited, and may be in a sequential order, or may be performed simultaneously.
- the first cloud platform simultaneously receives device authentication information from the second cloud platform, platform credentials of the second cloud platform, and device configuration information. Then the first cloud platform sends the device authentication information, the platform credentials of the second cloud platform and the device configuration information to the terminal device.
- the first cloud platform first obtains device authentication information from the second cloud platform.
- the device authentication information is sent to the terminal device.
- the first cloud platform obtains the platform credentials and device configuration information from the second cloud platform, and sends the platform credentials and device configuration information to the terminal device.
- for specific explanations and examples of the first cloud platform executing method 300 in this embodiment, reference may be made to the relevant description of the first cloud platform in the foregoing method 200, which is not repeated here for brevity.
- FIG. 9 is a schematic flowchart of a method 400 for device access authentication according to another embodiment of the present application.
- the method can optionally be applied to the system shown in Figure 1, but is not limited thereto.
- the method includes at least some of the following.
- the second cloud platform receives the device information of the device to be connected to the network
- the second cloud platform obtains device authentication information corresponding to the device information
- the second cloud platform sends the device authentication information to the first cloud platform, so that the device authentication information is sent to the terminal device through the first cloud platform, where the device authentication information is used by the terminal device to verify the access authentication credential from the device to be connected to the network.
- the second cloud platform receiving the device information of the device to be connected to the network includes: the second cloud platform receiving an authentication information acquisition request from the first cloud platform, where the authentication information acquisition request includes the product information of the device to be connected to the network; and the second cloud platform acquiring the device authentication information corresponding to the device information includes: the second cloud platform acquiring the device authentication information corresponding to the product information.
- the method further includes:
- the second cloud platform sends platform credentials and/or device configuration information to the first cloud platform.
- FIG. 10 is a schematic flowchart of a method 500 for device access authentication according to another embodiment of the present application.
- the method can optionally be applied to the system shown in Figure 1, but is not limited thereto.
- the method includes at least some of the following.
- the device to be connected to the network sends the access authentication credential of the device to be connected to the network to the terminal device, so that the terminal device uses the device authentication information of the device to be connected to the network obtained from the cloud platform to verify the access authentication credential.
- the method further includes: verifying, by the device to be connected to the network, whether the cloud platform is a legal platform.
- the method for verifying the cloud platform of the device to be connected to the network may include:
- Method 1 Check whether the cloud platform is legal through platform credentials, see Figure 11.
- the device to be connected to the network checks whether the cloud platform is a legal platform, including:
- the device to be connected to the network receives the platform certificate
- the device to be connected to the network verifies whether the cloud platform is legal based on the platform credential.
- when the cloud platform is verified to be legal, step S510 is performed, in which the device to be connected to the network sends its access authentication credential to the terminal device.
- the device to be connected to the network receives the platform certificate of the first cloud platform, it can check whether the platform certificate of the first cloud platform is legal. If the device to be connected to the network receives the platform certificate of the second cloud platform, it can verify whether the platform certificate of the second cloud platform is legal.
- the second cloud platform can send its own platform credentials to the first cloud platform, the first cloud platform sends it to the terminal device, and then the terminal device sends it to the device to be connected to the network for verification.
- Method 2 Check whether the cloud platform is legal through an implicit method, see Figure 12.
- the device to be connected to the network checks whether the cloud platform is a legal platform, including:
- the device to be connected to the network sends the encrypted access authentication credential to the terminal device; this step may replace S510.
- the device to be connected to the network receives the decrypted data from the terminal device, where the decrypted data is the data obtained by the terminal device decrypting the access authentication credential based on the platform decryption information;
- the device to be connected to the network checks whether the decryption is successful based on the decrypted data, wherein the cloud platform corresponding to the platform decryption information of the successfully decrypted platform is a legal platform.
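The two platform-legitimacy checks described for the terminal device (Method 1 via a platform credential with timestamp or serial number, Method 2 via the implicit decryption check) and again for the device to be connected to the network, shown as one added example that is not part of the patent text. Assumptions: the unified root CA signature is modelled as an HMAC under a key the CA and the device share, and the encryption of the access authentication credential uses a constructed HMAC-SHA256 keystream; both are stand-ins, and the timestamp, serial-number and decryption checks do not depend on them.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the unified root CA: the CA "signature" over a
# platform credential is an HMAC under a key the CA and the device share.
ROOT_CA_KEY = b"constructed-root-ca-key"


def credential_body(cred: dict) -> bytes:
    return f"{cred['platform_id']}|{cred['serial']}|{cred['issued_at']}|{cred['ttl']}".encode()


def issue_platform_credential(platform_id: str, serial: int, issued_at: int, ttl: int = 300) -> dict:
    """Platform credential carrying a timestamp (validity range) and a serial number (single use)."""
    cred = {"platform_id": platform_id, "serial": serial, "issued_at": issued_at, "ttl": ttl}
    cred["signature"] = hmac.new(ROOT_CA_KEY, credential_body(cred), hashlib.sha256).digest()
    return cred


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed symmetric cipher (HMAC-SHA256 in counter mode) used only for this example."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class DeviceToBeConnected:
    def __init__(self, platform_key: bytes, access_credential: bytes):
        # platform_key models the "platform decryption information" that only legitimate platforms hold
        self.platform_key = platform_key
        self.access_credential = access_credential
        self.accepted_serials = set()   # serial numbers already accepted, so a credential cannot be reused

    # Method 1: explicit check of the platform credential (S140/S150 on the terminal side).
    def verify_platform_credential(self, cred: dict, now: int) -> bool:
        expected = hmac.new(ROOT_CA_KEY, credential_body(cred), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cred["signature"]):
            return False                                   # not signed by the unified root CA
        if not cred["issued_at"] <= now < cred["issued_at"] + cred["ttl"]:
            return False                                   # outside the timestamp validity range
        if cred["serial"] in self.accepted_serials:
            return False                                   # serial number already used: reuse
        self.accepted_serials.add(cred["serial"])
        return True

    # Method 2: implicit check. The access authentication credential is sent encrypted (S221);
    # the terminal returns what it decrypted (S222) and the device checks the result.
    def encrypted_access_credential(self) -> dict:
        nonce = os.urandom(16)
        return {"nonce": nonce,
                "ciphertext": keystream_xor(self.platform_key, nonce, self.access_credential)}

    def decryption_succeeded(self, decrypted: bytes) -> bool:
        return hmac.compare_digest(decrypted, self.access_credential)


def terminal_decrypt(platform_decryption_info: bytes, message: dict) -> bytes:
    """Terminal device side of Method 2: decrypt with the platform decryption information it holds."""
    return keystream_xor(platform_decryption_info, message["nonce"], message["ciphertext"])
```

A credential that is replayed, expired, or re-signed under a different platform identity is rejected by the device in Method 1; in Method 2 a terminal that does not hold the platform decryption information returns data that fails the device's comparison.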
- before the device to be connected to the network sends its access authentication credential, the method includes: confirming that the terminal device has joined the SoftAP of the device to be connected to the network, and that the device to be connected to the network has established a secure connection with the terminal device.
- the method further includes: the device to be connected to the network broadcasts a service set identifier (SSID), where the device information of the device to be connected to the network carried in the SSID includes at least one of manufacturer information and product information.
- the SoftAP network configuration process includes the following processes:
- Device discovery can be performed according to the SSID in the WiFi (Wireless Fidelity) beacon (Beacon) frame message. This method can be used by a mobile phone application (APP) to discover a device to be connected to the network (also referred to as an application terminal).
- Distribution network equipment can also be called a control terminal, such as a mobile phone APP or a smart large screen (such as a smart TV or tablet computer), which can display the information of the searched AP (Access Point).
- the SSID field in the WiFi Beacon frame needs to be set to the following discovery field.
- the device to be connected to the network (also referred to as an application terminal) enters SoftAP mode.
- the distribution network device (also known as the control terminal) starts scanning, and after receiving the WiFi Beacon frame, it can find application terminals such as smart WiFi home devices by parsing the SSID field in the WiFi Beacon frame and prompt the user that a device has been discovered.
- the SSID naming rule may be: UCCx-AAAA-BBBB-y-z[DDDD], see the following table for the specific meaning:
- the SoftAP network distribution process is to use the distribution network equipment (or called configuration equipment, control terminal, terminal equipment, etc.) to connect the open SoftAP of the application terminal, and conduct security negotiation and data configuration through the IP network between the two.
- after the network distribution device discovers the application terminal, it parses the discovery field in the Beacon broadcast message of the application terminal, presents the device-related information, and prompts the user for confirmation, input or scanning of the distribution PIN code, etc.
- the flowchart is shown in Figure 14:
- the distribution network device scans the SSID of the above SoftAP, confirms that the SSID conforms to the specified format, and connects to the SoftAP.
- the distribution network device establishes a TCP (Transmission Control Protocol) connection with the device to be connected to the network.
- the network distribution device sends a request to the device to be connected to the network for obtaining its device information. After entering the configuration mode, the device to be connected to the network can scan the SSIDs of accessible APs according to a certain period (10s).
- the device to be connected to the network sends the information of the device to be connected to the network to the network configuration device, for example, including: the SSID of the accessible AP scanned by the device to be connected to the network, the signal strength of the AP, and the like.
- the network configuration device sends the configuration network access information to the network access device, for example, including: the SSID and authentication information of the selected access AP.
- the distribution network device disconnects the Soft-AP connection.
- the device to be connected to the network closes the Soft-AP and accesses the selected Wi-Fi hotspot according to the above configured network access information.
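The SoftAP network distribution exchange above (confirm the SSID format, connect, request the device information, receive the scanned AP list, send the selected AP's SSID and authentication information, disconnect) as an added example over a loopback TCP socket; it is not code from the patent or from any product. The newline-delimited JSON message types, the regular expression for the shape of the `UCCx-AAAA-BBBB-y-z[DDDD]` SSID (the field meanings are in a table not reproduced here, so only the shape is checked) and the `device_authenticated` flag are assumptions. The flag models the point made in the text that follows: the home network's access information is handed over only after the device's access authentication has succeeded.

```python
import json
import re
import socket
import threading

# Assumed shape of the discovery SSID "UCCx-AAAA-BBBB-y-z[DDDD]": single-character
# x, y and z, four-character AAAA and BBBB, optional bracketed DDDD.
SSID_PATTERN = re.compile(r"^UCC\w-\w{4}-\w{4}-\w-\w(\[\w+\])?$")


def ssid_conforms(ssid: str) -> bool:
    return SSID_PATTERN.match(ssid) is not None


def send_msg(sock: socket.socket, obj: dict) -> None:
    sock.sendall((json.dumps(obj) + "\n").encode())


def recv_msg(reader):
    line = reader.readline()
    return json.loads(line) if line else None


class ApplicationTerminal:
    """Device to be connected to the network, serving the SoftAP-side TCP protocol on localhost."""

    def __init__(self, scanned_aps: list):
        self.scanned_aps = scanned_aps        # constructed scan result: SSID and signal strength
        self.network_access = None            # set once network access information arrives
        self.softap_open = True
        self.server = socket.socket()
        self.server.bind(("127.0.0.1", 0))
        self.server.listen(1)
        self.port = self.server.getsockname()[1]
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self) -> None:
        conn, _ = self.server.accept()
        with conn, conn.makefile("r") as reader:
            while True:
                msg = recv_msg(reader)
                if msg is None:
                    break                     # distribution device disconnected the SoftAP connection
                if msg["type"] == "get_device_info":
                    send_msg(conn, {"type": "device_info", "aps": self.scanned_aps})
                elif msg["type"] == "configure":
                    self.network_access = {"ssid": msg["ssid"], "auth": msg["auth"]}
                    send_msg(conn, {"type": "configured"})
        self.softap_open = False              # close the SoftAP and join the configured AP
        self.server.close()

    def wait_closed(self, timeout: float = 5.0) -> None:
        self.thread.join(timeout)


def distribution_device_configure(device_port: int, softap_ssid: str, home_ssid: str,
                                  home_auth: str, device_authenticated: bool) -> dict:
    """Network distribution device side. The home AP's authentication information is sent
    only when the device's access authentication has already succeeded."""
    result = {"connected": False, "aps": None, "configured": False}
    if not ssid_conforms(softap_ssid):
        return result                         # SSID does not match the specified format
    with socket.create_connection(("127.0.0.1", device_port)) as sock, sock.makefile("r") as reader:
        result["connected"] = True
        send_msg(sock, {"type": "get_device_info"})
        result["aps"] = recv_msg(reader)["aps"]
        visible = any(ap["ssid"] == home_ssid for ap in result["aps"])
        if device_authenticated and visible:
            send_msg(sock, {"type": "configure", "ssid": home_ssid, "auth": home_auth})
            result["configured"] = recv_msg(reader)["type"] == "configured"
    return result                             # leaving the block disconnects the SoftAP connection
```

With `device_authenticated` false the distribution device still reads the scanned AP list but never sends the home SSID and credential, so a device that failed access authentication learns nothing about the home network.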
- the configuration process requires the terminal device to access the SoftAP network, which disconnects it from the home network and the Internet.
- during that time the device cannot perform access authentication, but performing access authentication only after the device has been configured onto the network may leak private information such as home network information, which is insecure.
- the cloud platform can be used to authenticate the device to be connected to the network, thereby improving security.
- the method for device access authentication provided by the present application may be a method for device access authentication during the SoftAP network configuration process.
- the method may include: the mobile phone obtains device authentication information from the cloud through the acquired device information before connecting to the device, and then connects to the device SoftAP for device authentication and configuration. If the cloud platform (first cloud platform) directly connected to the mobile phone does not have device authentication information, the device authentication information can be obtained from the second cloud platform through cloud-cloud interconnection.
- device authentication can be in a non-binding manner.
- the certificate system of the first manufacturer and the certificate system of the second manufacturer are mutually recognized or issued by a unified root CA.
- the equipment from the second manufacturer does not necessarily need to be authenticated through the platform of the second manufacturer.
- the equipment of the second manufacturer can be authenticated through the unified cloud platform or the platform of the first manufacturer.
- the device certificate of the second manufacturer can be authenticated by the platform of the first manufacturer, and the device of the second manufacturer can also authenticate the platform certificate of the platform of the first manufacturer.
- the device to be connected to the network may be referred to as a device, an example of a network configuration device is a mobile phone, and the cloud platform may be referred to as a cloud.
- the following takes as an example that the mobile phone is from the first manufacturer, the device to be connected to the network is from the second manufacturer, and the cloud platform connected to the mobile phone is used to authenticate the device to be connected to the network.
- the specific operation steps of the process of implementing access authentication during the device network configuration process may include:
- the device to be connected to the network broadcasts the SSID, and the SSID includes the manufacturer's name, product name and product serial number of the device. Part of the information can also be carried in the IE attached to the SSID broadcast beacon (Beacon) frame.
- after the mobile phone discovers the device, it parses the discovery field in the Beacon frame (or Beacon broadcast message) of the device to obtain the manufacturer name, product name and product serial number of the device.
- the user triggers the connection of the device.
- the mobile phone presents the manufacturer name and product name of the device to the user, and the user determines and initiates device configuration.
- the mobile phone establishes a secure connection with the cloud platform (if the mobile phone and the cloud platform have always maintained a secure connection, there is no need to re-establish the connection).
- the mobile phone initiates a request to the cloud platform to obtain device authentication information, and the request carries the product name and product serial number of the device.
- the cloud platform finds the certification information corresponding to the device according to the product name and product serial number of the device, including the certification certificate or related certificate issued after the device has passed the unified test certification.
- the cloud platform generates device configuration information such as a device ID, a certificate, and a key, which is used for the interconnection between the distribution network device and other devices on the platform.
- the cloud platform returns the device authentication information and configuration information to the mobile phone.
- step S19: if the user trigger in step S13 is not implemented, optionally, a user trigger to connect the device may be implemented in this step.
- after receiving the device authentication and configuration information returned by the cloud platform, the mobile phone presents the device manufacturer name and product name to the user, and the user determines to initiate device configuration.
- the mobile phone joins the SoftAP of the device and establishes a secure connection.
- the mobile phone initiates platform authentication to the device, carrying the authentication certificate of the cloud platform, which can be kept in the mobile phone or issued by the platform in step 6.
- This certificate is used to indicate the legal identity of the platform.
- a unified authentication certificate can be used. For example, all platforms use the same platform certificate.
- Each platform can also have its own independent certificate, which is certified by a unified mechanism.
- the certificate of each platform is signed by a unified CA, and the validity of the platform certificate can be verified by the signature of the certification root CA.
- the device checks the authentication certificate of the platform, and judges that it is a legal platform.
- the device initiates an access authentication request to the mobile phone, carrying the access authentication credential of the device.
- the mobile phone uses the device authentication information obtained from the cloud platform to verify the access credential of the device, and determines that it is a legitimate device.
- the mobile phone configures the device using the configuration information obtained from the cloud platform.
- the mobile phone configures the network access information of the device, such as the network access SSID and password, to enable the device to access the home network.
- after the device is connected to the home network, it can use the configured device ID, security key, certificate and other configuration information to access the cloud platform or communicate with other devices in the network.
- the device-to-platform authentication in steps S21-S22 may also adopt an implicit authentication method.
- the device authentication request transmits the device authentication credential in an encrypted manner, which can only be decrypted by a legitimate platform, and the subsequent configuration information must contain the decrypted information.
- the device can thus authenticate the legitimacy of the platform by the platform's successful decryption.
- device authentication can be in a binding manner.
- the platform of the first manufacturer cannot directly authenticate the equipment of the second manufacturer.
- the equipment of the second manufacturer needs to pass the platform of the second manufacturer to be authenticated.
- the device of the second manufacturer is preset with an authentication key, and a copy of the key is also stored on the platform of the second manufacturer.
- the platform of the first manufacturer can complete the authentication of the equipment of the second manufacturer only by obtaining the authentication key of the equipment from the platform of the second manufacturer.
- the device to be connected to the network may be referred to as a device for short, and an example of a network distribution device is a mobile phone, the mobile phone is from the first manufacturer, and is connected to the cloud platform A of the first manufacturer.
- the device to be connected to the network comes from the second manufacturer, and the cloud platform of the second manufacturer is cloud platform B.
- the specific operation steps of implementing the flow of access authentication in the device network configuration process may include:
- the device to be connected to the network broadcasts the SSID
- the SSID includes the manufacturer name, product name and product serial number of the device.
- Part of the information can also be carried in the IE attached to the SSID broadcast Beacon frame.
- after the mobile phone discovers the device, it parses the discovery field in the Beacon broadcast message of the device to obtain the manufacturer name, product name and product serial number of the device.
- the mobile phone presents the manufacturer name and product name of the device to the user, and the user determines to initiate device configuration.
- the mobile phone establishes a secure connection with the cloud platform A, for example, the cloud platform of the mobile phone (it is also possible that the mobile phone and the cloud platform A have always maintained a secure connection, and the connection does not need to be re-established).
- the mobile phone initiates a request to the cloud platform A to obtain the device authentication information, and the request carries the manufacturer name, product name and product serial number of the device.
- the cloud platform A finds the cloud platform B corresponding to the device, such as the cloud platform of the device, according to the manufacturer name of the device.
- the cloud platform A and the cloud platform B establish a secure connection (it is also possible that the cloud platform A and the cloud platform B maintain a secure connection all the time, and there is no need to re-establish the connection).
- Cloud platform A initiates a request to cloud platform B to obtain device authentication information, and the request carries the product name and product serial number of the device.
- the cloud platform B finds the certification information corresponding to the device according to the product name and product serial number of the device, including the certification certificate or related certificate issued after the device has passed the unified test certification.
- the cloud platform B generates a platform authentication credential, which the device uses to authenticate the platform.
- the platform authentication credential may contain a timestamp to indicate a valid time range for the credential, or a serial number to indicate that the credential is valid only this time.
- the cloud platform B generates device configuration information such as a device ID, a certificate, and a key, which is used to configure the device to communicate with other devices of the platform B.
- the cloud platform B returns the device authentication information, the platform authentication credential and the configuration information to the cloud platform A.
- the cloud platform A generates device configuration information such as a device ID, a certificate, and a key, which is used to configure the device to communicate with other devices of the platform A.
- the cloud platform A returns the device authentication information, the platform authentication credential and the configuration information to the mobile phone.
- If the user trigger in step 3 is not performed, optionally, after receiving the device authentication and configuration information returned by the cloud platform A, the mobile phone presents the device manufacturer name and product name to the user, and the user determines to initiate device configuration.
- the mobile phone joins the SoftAP of the device and establishes a secure connection.
- the mobile phone initiates platform authentication to the device, carrying the authentication credential of the platform.
- This credential is used to indicate the legal identity of the platform.
- the device verifies the authentication credential of the platform and the validity of its timestamp or serial number, and judges whether it is a legitimate platform.
- the device initiates an access authentication request to the mobile phone, carrying the access authentication credential of the device.
- the mobile phone uses the device authentication information obtained from the cloud platform to verify the access credential of the device, and determines that it is a legal device.
- the mobile phone configures the device using the configuration information obtained from the cloud platform.
- the mobile phone configures the network access SSID and password of the device to enable the device to access the home network.
- After the device is connected to the home network, it can use the configured device ID, security key, certificate and other configuration information to access the cloud platform or communicate with other devices in the network.
- the embodiments of the present application can solve the problem that access authentication cannot be performed because the device to be connected to the network cannot reach the cloud platform during the SoftAP network configuration process, so that the device is authenticated.
- This combines the network configuration and authentication steps, performing device authentication during network configuration to improve security.
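The flow above, as an added worked simulation that is not code from the patent: all four parties (device, mobile phone, cloud platform A, cloud platform B) in one file, with the device's check of the platform credential's timestamp and single-use serial number, and the phone's check of the device's access authentication credential against the device authentication information obtained from cloud platform B through cloud platform A. The credential format (HMAC-SHA256 tags), the SSID layout, the key names and the helper names are all assumptions.

```python
"""Simulation of the cross-platform SoftAP access-authentication flow above.

Added example, not code from the patent. Assumptions the page does not state:
credentials are HMAC-SHA256 tags over '|'-joined fields; every device holds a
factory-provisioned device secret plus a verification key for its manufacturer's
cloud platform B; the "device authentication information" that cloud B hands to
the phone (via cloud A) is a one-time expected tag bound to the platform
credential's serial, so the phone never receives the device secret itself.
"""
import hashlib
import hmac
import secrets


def tag(key: bytes, *fields: str) -> str:
    """HMAC-SHA256 over the fields in a fixed order (constructed credential format)."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def parse_ssid(ssid: str) -> dict:
    """Constructed SSID layout '<manufacturer>-<product>-<serial>' (an assumption)."""
    manufacturer, product, serial = ssid.split("-", 2)
    return {"manufacturer": manufacturer, "product": product, "serial": serial}


class CloudB:
    """Manufacturer cloud: holds certification records, issues platform credentials."""

    def __init__(self, name: str, platform_key: bytes, devices: dict):
        self.name, self.platform_key, self.devices = name, platform_key, devices

    def get_auth_info(self, product: str, serial: str, now: int) -> dict:
        dev_key = self.devices[(product, serial)]      # certification record lookup
        cred_serial = secrets.token_hex(8)             # valid for this session only
        ts = str(now)
        platform_cred = {"platform": self.name, "serial": cred_serial, "ts": ts,
                         "mac": tag(self.platform_key, self.name, cred_serial, ts)}
        return {
            # what the phone will compare the device's access credential against
            "device_auth_info": tag(dev_key, product, serial, cred_serial),
            "platform_cred": platform_cred,
            "config": {"device_id": f"{self.name}:{product}:{serial}",
                       "key": secrets.token_hex(16)},
        }


class CloudA:
    """Phone's cloud: routes the request to cloud B by manufacturer name."""

    def __init__(self, partners: dict):
        self.partners = partners

    def get_auth_info(self, manufacturer: str, product: str, serial: str, now: int) -> dict:
        return self.partners[manufacturer].get_auth_info(product, serial, now)


class Device:
    """Device to be connected: verifies the platform, then proves its own identity."""

    def __init__(self, manufacturer, product, serial, dev_key, platform_keys, max_age=300):
        self.manufacturer, self.product, self.serial = manufacturer, product, serial
        self.dev_key, self.platform_keys, self.max_age = dev_key, platform_keys, max_age
        self.seen_serials: set = set()   # replay protection for single-use credentials
        self.config = None

    def ssid(self) -> str:
        return f"{self.manufacturer}-{self.product}-{self.serial}"

    def verify_platform(self, cred: dict, now: int) -> bool:
        key = self.platform_keys.get(cred["platform"])
        if key is None:
            return False
        expected = tag(key, cred["platform"], cred["serial"], cred["ts"])
        if not hmac.compare_digest(expected, cred["mac"]):
            return False
        if not 0 <= now - int(cred["ts"]) <= self.max_age:   # timestamp window
            return False
        if cred["serial"] in self.seen_serials:              # serial used before
            return False
        self.seen_serials.add(cred["serial"])
        return True

    def access_credential(self, cred_serial: str) -> str:
        return tag(self.dev_key, self.product, self.serial, cred_serial)


def provision(cloud_a: CloudA, device: Device, now: int) -> str:
    """The phone's side of the flow; returns the outcome as a short status string."""
    info = parse_ssid(device.ssid())                      # parse beacon/SSID fields
    reply = cloud_a.get_auth_info(info["manufacturer"], info["product"], info["serial"], now)
    if not device.verify_platform(reply["platform_cred"], now):
        return "platform rejected"
    cred = device.access_credential(reply["platform_cred"]["serial"])
    if not hmac.compare_digest(cred, reply["device_auth_info"]):
        return "device rejected"
    device.config = reply["config"]                        # apply cloud B's configuration
    return "configured"


def build_scenario():
    """Constructed sample deployment: one genuine device and one counterfeit."""
    platform_key = b"constructed-platform-B-key"
    dev_key = b"constructed-device-secret-0001"
    cloud_b = CloudB("B", platform_key, {("lamp", "0001"): dev_key})
    cloud_a = CloudA({"acme": cloud_b})
    genuine = Device("acme", "lamp", "0001", dev_key, {"B": platform_key})
    counterfeit = Device("acme", "lamp", "0001", b"wrong-secret", {"B": platform_key})
    return cloud_a, cloud_b, genuine, counterfeit
```

The counterfeit device passes the platform check (it can see the same platform key) but fails at the phone because its access credential does not match the expected tag from cloud B, which is the point of handing the phone verification data rather than trusting the device's own claim.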
- FIG. 17 is a schematic block diagram of a terminal device 60 according to an embodiment of the present application.
- the terminal device 60 may include:
- the first receiving unit 61 is configured to receive the device authentication information corresponding to the device information of the device to be connected to the network from the first cloud platform;
- the second receiving unit 62 is configured to receive the access authentication credential from the device to be connected to the network;
- the device verification unit 63 uses the device authentication information to verify the access authentication credential.
- the terminal device further includes:
- a third receiving unit 64 configured to receive device information from the device to be connected to the network
- the sending unit 65 is configured to send the device information of the device to be connected to the network to the first cloud platform.
- the third receiving unit 64 is further configured to receive a service set identifier (SSID) broadcast from the device to be connected to the network, where the device information in the SSID includes at least one of manufacturer information and product information.
- the sending unit 65 is further configured to send an authentication information acquisition request to the first cloud platform when the terminal device is in a secure connection with the first cloud platform, where the authentication information acquisition request includes product information of the device to be connected to the network.
- the first receiving unit 61 is further configured to receive device authentication information corresponding to the product information from the first cloud platform.
- the sending unit 65 is further configured to send an authentication information acquisition request to the first cloud platform when the terminal device is in a secure connection with the first cloud platform, where the authentication information acquisition request includes manufacturer information and product information of the device to be connected to the network; the manufacturer information corresponds to the second cloud platform, and the product information corresponds to device authentication information.
- the first receiving unit 61 is configured to receive the device authentication information corresponding to the product information from the first cloud platform, where the device authentication information corresponding to the product information is obtained by the first cloud platform from the second cloud platform corresponding to the manufacturer information.
- the terminal device further includes: a control unit 66, configured to join the SoftAP of the device to be connected to the network after the terminal device sends the device information of the device to be connected to the network to the first cloud platform.
- the terminal device further includes: a first platform verification unit 67, configured to send the platform credential of the first cloud platform to the device to be connected to the network after the terminal device joins the SoftAP of the device to be connected to the network and establishes a secure connection with it, so as to verify whether the first cloud platform is legal.
- the terminal device further includes: a second platform verification unit 68, configured to send the platform credential of the second cloud platform to the device to be connected to the network after the terminal device joins the SoftAP of the device to be connected to the network and establishes a secure connection with it, so as to verify whether the second cloud platform is legal.
- the platform credential includes a timestamp or a serial number.
- the second receiving unit 62 is further configured to receive the encrypted access authentication credential from the device to be connected to the network.
- the terminal device further includes: a third platform verification unit 69, configured to decrypt the encrypted access authentication credential using the platform decryption information and send the decrypted data to the device to be connected to the network, which then verifies whether the decryption succeeded; the cloud platform corresponding to the platform decryption information with which decryption succeeded is a legal platform.
- the second receiving unit 62 is further configured to receive an access authentication request from the device to be connected to the network when the verified cloud platform is legal, where the access authentication request includes the access authentication credential.
- the device verification unit 63 is further configured to verify the access authentication credential by using the device authentication information, and determine whether the device to be connected to the network is a legal device.
- the terminal device further includes: a configuration unit 601, configured to configure the device to be connected to the network using device configuration information when the device to be connected to the network is a legitimate device, where the device configuration information is obtained from the first cloud platform or the second cloud platform.
- the terminal device 60 in this embodiment of the present application can implement the corresponding functions of the terminal device in the foregoing method embodiments.
- for each module (submodule, unit or component, etc.) in the terminal device 60, reference may be made to the corresponding descriptions in the above method embodiments, which will not be repeated here.
- the functions described for each module (submodule, unit or component, etc.) in the terminal device 60 of the application embodiment may be implemented by different modules (submodule, unit or component, etc.), or may be implemented by the same module (submodule, unit or component, etc.).
- FIG. 19 is a schematic block diagram of a first cloud platform 70 according to an embodiment of the present application.
- the first cloud platform 70 may include:
- a receiving unit 71 configured to receive the device information of the device to be connected to the network from the terminal device;
- an obtaining unit 72 configured to obtain the device authentication information corresponding to the device information
- the sending unit 73 is configured to send the device authentication information to the terminal device, where the device authentication information is used to verify the access authentication credential from the device to be connected to the network at the terminal device.
- the receiving unit 71 is further configured to receive an authentication information acquisition request from the terminal device when the terminal device is in a secure connection with the first cloud platform, where the authentication information acquisition request includes the product information of the device to be connected to the network.
- the sending unit 73 is further configured to send the device authentication information corresponding to the product information to the terminal device.
- the sending unit 73 is further configured to send the platform credential of the first cloud platform to the terminal device.
- the receiving unit 71 is further configured to receive a first authentication information acquisition request from the terminal device when the terminal device is in a secure connection with the first cloud platform, where the first authentication information acquisition request includes the manufacturer information and product information of the device to be connected to the network; the obtaining unit 72 is further configured to send a second authentication information acquisition request to the second cloud platform corresponding to the manufacturer information, where the second authentication information acquisition request includes the product information, and to receive the device authentication information corresponding to the product information from the second cloud platform.
- the sending unit 73 is further configured to send the device authentication information corresponding to the product information obtained from the second cloud platform to the terminal device.
- the receiving unit 71 is further configured to receive the platform credential of the second cloud platform; the sending unit is further configured to send the platform credential of the second cloud platform to the terminal device.
- the obtaining unit 72 is further configured to generate the device configuration information of the device to be connected to the network or obtain it from the second cloud platform; the sending unit 73 is further configured to send the device configuration information to the terminal device.
- the first cloud platform 70 in this embodiment of the present application can implement the corresponding functions of the terminal device in the foregoing method embodiments.
- for each module (sub-module, unit or component, etc.) in the first cloud platform 70, reference may be made to the corresponding descriptions in the above method embodiments, which will not be repeated here.
- the functions described for each module (submodule, unit or component, etc.) in the first cloud platform 70 of the application embodiment may be implemented by different modules (submodule, unit or component, etc.), or may be implemented by the same module (submodule, unit or component, etc.).
- FIG. 20 is a schematic block diagram of a second cloud platform 80 according to an embodiment of the present application.
- the second cloud platform 80 may include:
- a receiving unit 81 configured to receive device information of the device to be connected to the network
- an obtaining unit 82 configured to obtain the device authentication information corresponding to the device information
- the sending unit 83 is configured to send the device authentication information to the first cloud platform, so that it is forwarded to the terminal device through the first cloud platform; the device authentication information is used at the terminal device to verify the access authentication credential from the device to be connected to the network.
- the receiving unit 81 is further configured to receive an authentication information acquisition request from the first cloud platform, where the authentication information acquisition request includes product information of the device to be connected to the network; the obtaining unit 82 is further configured to obtain the device authentication information corresponding to the product information.
- the sending unit 83 is further configured to send platform credentials and/or device configuration information to the first cloud platform.
- the second cloud platform 80 in this embodiment of the present application can implement the corresponding functions of the terminal device in the foregoing method embodiments.
- for each module (sub-module, unit or component, etc.) in the second cloud platform 80, reference may be made to the corresponding descriptions in the foregoing method embodiments, which will not be repeated here.
- the functions described for each module (sub-module, unit or component, etc.) in the second cloud platform 80 of the application embodiment may be implemented by different modules (sub-module, unit or component, etc.), or by the same module (submodule, unit or component, etc.).
- FIG. 21 is a schematic block diagram of a device 90 to be connected to a network according to an embodiment of the present application.
- the device 90 to be connected to the network may include:
- the sending unit 91 is configured to send the access authentication credential of the device to be connected to the network to the terminal device, so that the terminal device uses the device authentication information of the device to be connected to the network obtained from the cloud platform to verify the access authentication credential.
- the device to be connected to the network further includes:
- the verification unit 92 is used to verify whether the cloud platform is a legal platform.
- the verification unit is further configured to receive the platform credential before the sending unit sends the access authentication credential of the device to be connected to the network to the terminal device; to verify, based on the platform credential, whether the cloud platform is legal; and, if the cloud platform is legal, to instruct the sending unit to send the access authentication credential of the device to be connected to the network to the terminal device.
- the verification unit is further configured to send an encrypted access authentication credential to the terminal device; to receive decrypted data from the terminal device, where the decrypted data is the data obtained by the terminal device decrypting the access authentication credential based on the platform decryption information; and to verify, based on the decrypted data, whether the decryption succeeded, wherein the cloud platform corresponding to the platform decryption information with which decryption succeeded is a legal platform.
- the device to be connected to the network further includes:
- the control unit 93 is configured to confirm that the terminal device joins the SoftAP of the to-be-connected device before the to-be-connected device sends the access authentication credential of the to-be-connected device, and establishes a secure connection between the to-be-connected device and the terminal device.
- the device to be connected to the network further includes:
- the broadcasting unit 94 is configured to broadcast the service set identifier SSID, which carries the device information, before the terminal device joins the SoftAP of the device to be connected to the network and before the device to be connected to the network establishes a secure connection with the terminal device.
- the device information includes at least one of manufacturer information and product information.
- the device 90 to be connected to the network in this embodiment of the present application can implement the corresponding functions of the terminal device in the foregoing method embodiments.
- for each module (submodule, unit or component, etc.) in the device 90 to be connected to the network, reference may be made to the corresponding descriptions in the above method embodiments, which will not be repeated here.
- the functions described by each module (submodule, unit, or component, etc.) in the device 90 to be connected to the network of the application embodiment may be implemented by different modules (submodule, unit, or component, etc.), or by the same module.
- FIG. 23 is a schematic structural diagram of a communication device 600 according to an embodiment of the present application.
- the communication device 600 includes a processor 610, and the processor 610 can call and run a computer program from a memory, so that the communication device 600 implements the methods in the embodiments of the present application.
- the communication device 600 may further include a memory 620 .
- the processor 610 may call and run a computer program from the memory 620, so that the communication device 600 implements the methods in the embodiments of the present application.
- the memory 620 may be a separate device independent of the processor 610 , or may be integrated in the processor 610 .
- the communication device 600 may further include a transceiver 630, and the processor 610 may control the transceiver 630 to communicate with other devices; specifically, it may send information or data to other devices, or receive information or data sent by other devices.
- the transceiver 630 may include a transmitter and a receiver.
- the transceiver 630 may further include antennas, and the number of the antennas may be one or more.
- the communication device 600 may be a terminal device in this embodiment of the present application, and the communication device 600 may implement corresponding processes implemented by the terminal device in each method in the embodiment of the present application, which is not repeated here for brevity.
- the communication device 600 may be a network device such as the first cloud platform or the second cloud platform in the embodiments of the present application, and the communication device 600 may implement the corresponding processes implemented by network devices such as the first cloud platform or the second cloud platform in each method of the embodiments of the present application, which will not be repeated here.
- the communication device 600 may be the device to be connected to the network in this embodiment of the present application, and the communication device 600 may implement the corresponding processes implemented by the device to be connected to the network in each method of the embodiment of the present application, which will not be repeated here.
- FIG. 24 is a schematic structural diagram of a chip 700 according to an embodiment of the present application.
- the chip 700 includes a processor 710, and the processor 710 can call and run a computer program from a memory, so as to implement the method in the embodiments of the present application.
- the chip 700 may further include a memory 720 .
- the processor 710 may call and run a computer program from the memory 720 to implement the method executed by the terminal device or the network device in the embodiment of the present application.
- the memory 720 may be a separate device independent of the processor 710 , or may be integrated in the processor 710 .
- the chip 700 may further include an input interface 730 .
- the processor 710 may control the input interface 730 to communicate with other devices or chips, and specifically, may acquire information or data sent by other devices or chips.
- the chip 700 may further include an output interface 740 .
- the processor 710 can control the output interface 740 to communicate with other devices or chips, and specifically, can output information or data to other devices or chips.
- the chip can be applied to the terminal device in the embodiment of the present application, and the chip can implement the corresponding processes implemented by the terminal device in each method of the embodiment of the present application, which is not repeated here for brevity.
- the chip can be applied to network devices such as the first cloud platform or the second cloud platform in the embodiments of the present application, and the chip can implement the corresponding processes implemented by the first cloud platform or the second cloud platform in each method of the embodiments of the present application, which will not be repeated here.
- the chip can be applied to the device to be connected to the network in the embodiment of the present application, and the chip can implement the corresponding processes implemented by the device to be connected to the network in each method of the embodiment of the present application, which is not repeated here for brevity.
- the chips applied to the terminal device, the first cloud platform, the second cloud platform and the device to be connected to the network may be the same chip or different chips.
- the chip mentioned in the embodiments of the present application may also be referred to as a system-level chip, a system chip, a chip system, a system-on-chip chip, or the like.
- the above-mentioned processor may be a general-purpose processor, a digital signal processor (DSP), a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), or other programmable logic devices, transistor logic devices, discrete hardware components, etc.
- the general-purpose processor mentioned above may be a microprocessor or any conventional processor or the like.
- the memory mentioned above may be either volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
- the non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM) or flash memory.
- Volatile memory may be random access memory (RAM).
- the memory in the embodiment of the present application may also be static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (synch link DRAM, SLDRAM), direct Rambus random access memory (Direct Rambus RAM, DR RAM) and so on. That is, the memory in the embodiments of the present application is intended to include, but not be limited to, these and any other suitable types of memory.
- FIG. 25 is a schematic block diagram of a communication system 800 according to an embodiment of the present application.
- the communication system 800 includes a terminal device 810 and a network device 820 .
- the terminal device 810 is configured to receive device authentication information corresponding to the device information of the device to be connected to the network from the first cloud platform; receive the access authentication credential from the device to be connected to the network; and use the device authentication information to verify the access authentication credential.
- the first cloud platform 820 is configured to receive the device information of the device to be connected to the network from the terminal device; obtain the device authentication information corresponding to the device information; and send the device authentication information to the terminal device, where the device authentication information is used at the terminal device to verify the access authentication credential from the device to be connected to the network.
- the device to be connected to the network 830 is configured to send the access authentication credential of the device to be connected to the network to the terminal device, so that the terminal device can use the device authentication information of the device to be connected to the network obtained from the cloud platform to verify the access authentication credential.
- the system may further include: a second cloud platform 840, configured to receive device information of the device to be connected to the network; obtain device authentication information corresponding to the device information; and send the device authentication information to the first cloud platform, so that it is forwarded to the terminal device through the first cloud platform, where the device authentication information is used at the terminal device to verify the access authentication credential from the device to be connected to the network.
- the terminal device 810 can be used to implement the corresponding functions implemented by the terminal device in the above method
- the first cloud platform 820 can be used to implement the corresponding functions implemented by the first cloud platform in the above method
- the device to be connected to the network 830 may be used to implement the corresponding functions implemented by the device to be connected to the network in the above method
- the second cloud platform 840 may be used to implement the corresponding functions implemented by the second cloud platform in the above method.
- the above-mentioned embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
- when implemented in software, they may be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of the present application are produced.
- the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
- the computer instructions may be stored on a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired (e.g. coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g. infrared, radio, microwave, etc.) means.
- the computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that includes one or more available media integrated.
- the available medium may be a magnetic medium (eg, a floppy disk, a hard disk, a magnetic tape), an optical medium (eg, a DVD), or a semiconductor medium (eg, a Solid State Disk (SSD)), and the like.
- the size of the sequence numbers of the above-mentioned processes does not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Claims (79)
- A method for device access authentication, comprising: receiving, by a terminal device, device authentication information corresponding to device information of a device to be networked from a first cloud platform; receiving, by the terminal device, an access authentication credential from the device to be networked; and verifying, by the terminal device, the access authentication credential using the device authentication information.
- The method according to claim 1, wherein the method further comprises: receiving, by the terminal device, the device information from the device to be networked; and sending, by the terminal device, the device information of the device to be networked to the first cloud platform.
- The method according to claim 2, wherein receiving, by the terminal device, the device information from the device to be networked comprises: receiving, by the terminal device, a service set identifier (SSID) broadcast by the device to be networked, the device information in the SSID comprising at least one of vendor information and product information.
- The method according to claim 2 or 3, wherein sending, by the terminal device, the device information of the device to be networked to the first cloud platform comprises: when the terminal device and the first cloud platform are in a secure connection, sending, by the terminal device, an authentication information acquisition request to the first cloud platform, the authentication information acquisition request comprising the product information of the device to be networked.
- The method according to claim 4, wherein receiving, by the terminal device, the device authentication information corresponding to the device information from the first cloud platform comprises: receiving, by the terminal device, device authentication information corresponding to the product information from the first cloud platform.
- The method according to claim 2 or 3, wherein sending, by the terminal device, the device information of the device to be networked to the first cloud platform comprises: when the terminal device and the first cloud platform are in a secure connection, sending, by the terminal device, an authentication information acquisition request to the first cloud platform, the authentication information acquisition request comprising the vendor information and the product information of the device to be networked; wherein the vendor information corresponds to a second cloud platform, and the product information corresponds to device authentication information.
- The method according to claim 6, wherein receiving, by the terminal device, the device authentication information corresponding to the device information of the device to be networked from the first cloud platform comprises: receiving, by the terminal device, the device authentication information corresponding to the product information from the first cloud platform, the device authentication information corresponding to the product information being obtained by the first cloud platform from the second cloud platform corresponding to the vendor information.
- The method according to any one of claims 2 to 7, wherein after the terminal device sends the device information of the device to be networked to the first cloud platform, the method further comprises: joining, by the terminal device, a soft access point (SoftAP) of the device to be networked.
- The method according to claim 8, wherein after the terminal device joins the SoftAP of the device to be networked and the terminal device establishes a secure connection with the device to be networked, the method further comprises: sending, by the terminal device, a platform credential of the first cloud platform to the device to be networked, so as to verify whether the first cloud platform is legitimate.
- The method according to claim 8 or 9, wherein after the terminal device joins the SoftAP of the device to be networked and the terminal device establishes a secure connection with the device to be networked, the method further comprises: sending, by the terminal device, a platform credential of the second cloud platform to the device to be networked, so as to verify whether the second cloud platform is legitimate.
- The method according to claim 9 or 10, wherein the platform credential comprises a timestamp or a serial number.
- The method according to any one of claims 1 to 8, wherein receiving, by the terminal device, the access authentication credential from the device to be networked comprises: receiving, by the terminal device, an encrypted access authentication credential from the device to be networked; and the method further comprises: decrypting, by the terminal device, the encrypted access authentication credential using platform decryption information, and sending the decrypted data to the device to be networked, so that the device to be networked verifies whether the decryption succeeded, wherein the cloud platform corresponding to the platform decryption information with which decryption succeeded is a legitimate platform.
- The method according to any one of claims 1 to 12, wherein receiving, by the terminal device, the access authentication credential from the device to be networked comprises: when the verified cloud platform is legitimate, receiving, by the terminal device, an access authentication request from the device to be networked, the access authentication request comprising the access authentication credential.
- The method according to any one of claims 1 to 13, wherein verifying, by the terminal device, the access authentication credential using the device authentication information comprises: verifying, by the terminal device, the access authentication credential using the device authentication information, to determine whether the device to be networked is a legitimate device.
- The method according to claim 14, wherein the method further comprises: when the device to be networked is a legitimate device, configuring, by the terminal device, the device to be networked using device configuration information, the device configuration information being obtained from the first cloud platform or the second cloud platform.
- A method for device access authentication, comprising: receiving, by a first cloud platform, device information of a device to be networked from a terminal device; obtaining, by the first cloud platform, device authentication information corresponding to the device information; and sending, by the first cloud platform, the device authentication information to the terminal device, the device authentication information being used for verifying, at the terminal device, an access authentication credential from the device to be networked.
- The method according to claim 16, wherein receiving, by the first cloud platform, the device information of the device to be networked from the terminal device comprises: when the terminal device and the first cloud platform are in a secure connection, receiving, by the first cloud platform, an authentication information acquisition request from the terminal device, the authentication information acquisition request comprising product information of the device to be networked.
- The method according to claim 17, wherein sending, by the first cloud platform, the device authentication information to the terminal device comprises: sending, by the first cloud platform, device authentication information corresponding to the product information to the terminal device.
- The method according to claim 17 or 18, wherein the method further comprises: sending, by the first cloud platform, a platform credential of the first cloud platform to the terminal device.
- The method according to claim 16, wherein receiving, by the first cloud platform, the device information of the device to be networked from the terminal device comprises: when the terminal device and the first cloud platform are in a secure connection, receiving, by the first cloud platform, a first authentication information acquisition request from the terminal device, the first authentication information acquisition request comprising vendor information and product information of the device to be networked; and obtaining, by the first cloud platform, the device authentication information corresponding to the device information further comprises: sending, by the first cloud platform, a second authentication information acquisition request to a second cloud platform corresponding to the vendor information, the second authentication information acquisition request comprising the product information; and receiving, by the first cloud platform, device authentication information corresponding to the product information from the second cloud platform.
- The method according to claim 20, wherein sending, by the first cloud platform, the device authentication information to the terminal device comprises: sending, by the first cloud platform, the device authentication information corresponding to the product information obtained from the second cloud platform to the terminal device.
- The method according to claim 20 or 21, wherein the method further comprises: receiving, by the first cloud platform, a platform credential of the second cloud platform; and sending, by the first cloud platform, the platform credential of the second cloud platform to the terminal device.
- The method according to claim 22, wherein the method further comprises: generating, by the first cloud platform, or obtaining from the second cloud platform, device configuration information of the device to be networked; and sending, by the first cloud platform, the device configuration information to the terminal device.
- A method for device access authentication, comprising: receiving, by a second cloud platform, device information of a device to be networked; obtaining, by the second cloud platform, device authentication information corresponding to the device information; and sending, by the second cloud platform, the device authentication information to a first cloud platform, so that the device authentication information is sent to a terminal device via the first cloud platform, the device authentication information being used for verifying, on the terminal device, an access authentication credential from the device to be networked.
- The method according to claim 24, wherein receiving, by the second cloud platform, the device information of the device to be networked comprises: receiving, by the second cloud platform, an authentication information acquisition request from the first cloud platform, the authentication information acquisition request comprising product information of the device to be networked; and obtaining, by the second cloud platform, the device authentication information corresponding to the device information comprises: obtaining, by the second cloud platform, device authentication information corresponding to the product information.
- The method according to claim 24, wherein the method further comprises: sending, by the second cloud platform, a platform credential and/or device configuration information to the first cloud platform.
- A method for device access authentication, comprising: sending, by a device to be networked, an access authentication credential of the device to be networked to a terminal device, so that the terminal device verifies the access authentication credential using device authentication information of the device to be networked obtained from a cloud platform.
- The method according to claim 27, comprising: verifying, by the device to be networked, whether the cloud platform is a legitimate platform.
- The method according to claim 28, wherein, before the device to be networked sends the access authentication credential of the device to be networked to the terminal device, verifying, by the device to be networked, whether the cloud platform is a legitimate platform comprises: receiving, by the device to be networked, a platform credential; verifying, by the device to be networked, whether the cloud platform is legitimate based on the platform credential; and, when the cloud platform is legitimate, performing the step of sending, by the device to be networked, the access authentication credential of the device to be networked to the terminal device.
- The method according to claim 28, wherein verifying, by the device to be networked, whether the cloud platform is a legitimate platform comprises: sending, by the device to be networked, an encrypted access authentication credential to the terminal device; receiving, by the device to be networked, decrypted data from the terminal device, the decrypted data being obtained by the terminal device by decrypting the access authentication credential based on platform decryption information; and verifying, by the device to be networked, whether the decryption succeeded based on the decrypted data, wherein the cloud platform corresponding to the platform decryption information with which decryption succeeded is a legitimate platform.
- The method according to any one of claims 28 to 30, wherein, before the device to be networked sends the access authentication credential of the device to be networked, the method comprises: confirming that the terminal device has joined the SoftAP of the device to be networked and that the device to be networked has established a secure connection with the terminal device.
- The method according to claim 31, wherein, before confirming that the terminal device has joined the SoftAP of the device to be networked and that the device to be networked has established a secure connection with the terminal device, the method further comprises: broadcasting, by the device to be networked, a service set identifier (SSID), the device information of the device to be networked in the SSID comprising at least one of vendor information and product information.
- A terminal device, comprising: a first receiving unit, configured to receive device authentication information corresponding to device information of a device to be networked from a first cloud platform; a second receiving unit, configured to receive an access authentication credential from the device to be networked; and a device verification unit, configured to verify the access authentication credential using the device authentication information.
- The terminal device according to claim 33, wherein the terminal device further comprises: a third receiving unit, configured to receive the device information from the device to be networked; and a sending unit, configured to send the device information of the device to be networked to the first cloud platform.
- The terminal device according to claim 34, wherein the third receiving unit is further configured to receive a service set identifier (SSID) broadcast by the device to be networked, the device information in the SSID comprising at least one of vendor information and product information.
- The terminal device according to claim 34 or 35, wherein the sending unit is further configured to, when the terminal device and the first cloud platform are in a secure connection, send an authentication information acquisition request to the first cloud platform, the authentication information acquisition request comprising the product information of the device to be networked.
- The terminal device according to claim 36, wherein the first receiving unit is further configured to receive device authentication information corresponding to the product information from the first cloud platform.
- The terminal device according to claim 34 or 35, wherein the sending unit is further configured to, when the terminal device and the first cloud platform are in a secure connection, send an authentication information acquisition request to the first cloud platform, the authentication information acquisition request comprising the vendor information and the product information of the device to be networked; wherein the vendor information corresponds to a second cloud platform, and the product information corresponds to device authentication information.
- The terminal device according to claim 38, wherein the first receiving unit is configured to receive the device authentication information corresponding to the product information from the first cloud platform, the device authentication information corresponding to the product information being obtained by the first cloud platform from the second cloud platform corresponding to the vendor information.
- The terminal device according to any one of claims 34 to 39, wherein the terminal device further comprises: a control unit, configured to join a soft access point (SoftAP) of the device to be networked after the terminal device sends the device information of the device to be networked to the first cloud platform.
- The terminal device according to claim 40, wherein the terminal device further comprises: a first platform verification unit, configured to, after the terminal device joins the SoftAP of the device to be networked and the terminal device establishes a secure connection with the device to be networked, send a platform credential of the first cloud platform to the device to be networked, so as to verify whether the first cloud platform is legitimate.
- The terminal device according to claim 40 or 41, wherein the terminal device further comprises: a second platform verification unit, configured to, after the terminal device joins the SoftAP of the device to be networked and the terminal device establishes a secure connection with the device to be networked, send a platform credential of the second cloud platform to the device to be networked, so as to verify whether the second cloud platform is legitimate.
- The terminal device according to claim 41 or 42, wherein the platform credential comprises a timestamp or a serial number.
- The terminal device according to any one of claims 33 to 40, wherein the second receiving unit is further configured to receive an encrypted access authentication credential from the device to be networked; and the terminal device further comprises: a third platform verification unit, configured to decrypt the encrypted access authentication credential using platform decryption information and send the decrypted data to the device to be networked, so that the device to be networked verifies whether the decryption succeeded, wherein the cloud platform corresponding to the platform decryption information with which decryption succeeded is a legitimate platform.
- The terminal device according to any one of claims 33 to 44, wherein the second receiving unit is further configured to, when the verified cloud platform is legitimate, receive an access authentication request from the device to be networked, the access authentication request comprising the access authentication credential.
- The terminal device according to any one of claims 33 to 45, wherein the device verification unit is further configured to verify the access authentication credential using the device authentication information, to determine whether the device to be networked is a legitimate device.
- The terminal device according to claim 46, wherein the terminal device further comprises: a configuration unit, configured to, when the device to be networked is a legitimate device, configure the device to be networked using device configuration information, the device configuration information being obtained from the first cloud platform or the second cloud platform.
- A first cloud platform, comprising: a receiving unit, configured to receive device information of a device to be networked from a terminal device; an obtaining unit, configured to obtain device authentication information corresponding to the device information; and a sending unit, configured to send the device authentication information to the terminal device, the device authentication information being used for verifying, at the terminal device, an access authentication credential from the device to be networked.
- The first cloud platform according to claim 48, wherein the receiving unit is further configured to, when the terminal device and the first cloud platform are in a secure connection, receive an authentication information acquisition request from the terminal device, the authentication information acquisition request comprising product information of the device to be networked.
- The first cloud platform according to claim 49, wherein the sending unit is further configured to send device authentication information corresponding to the product information to the terminal device.
- The first cloud platform according to claim 48 or 49, wherein the sending unit is further configured to send a platform credential of the first cloud platform to the terminal device.
- The first cloud platform according to claim 48, wherein the receiving unit is further configured to, when the terminal device and the first cloud platform are in a secure connection, receive a first authentication information acquisition request from the terminal device, the first authentication information acquisition request comprising vendor information and product information of the device to be networked; and the obtaining unit is further configured to send a second authentication information acquisition request to a second cloud platform corresponding to the vendor information, the second authentication information acquisition request comprising the product information, and to receive device authentication information corresponding to the product information from the second cloud platform.
- The first cloud platform according to claim 52, wherein the sending unit is further configured to send the device authentication information corresponding to the product information obtained from the second cloud platform to the terminal device.
- The first cloud platform according to claim 51 or 52, wherein the receiving unit is further configured to receive a platform credential of the second cloud platform; and the sending unit is further configured to send the platform credential of the second cloud platform to the terminal device.
- The first cloud platform according to claim 54, wherein the obtaining unit is further configured to generate, or obtain from the second cloud platform, device configuration information of the device to be networked; and the sending unit is further configured to send the device configuration information to the terminal device.
- A second cloud platform, comprising: a receiving unit, configured to receive device information of a device to be networked; an obtaining unit, configured to obtain device authentication information corresponding to the device information; and a sending unit, configured to send the device authentication information to a first cloud platform, so that the device authentication information is sent to a terminal device via the first cloud platform, the device authentication information being used for verifying, on the terminal device, an access authentication credential from the device to be networked.
- The second cloud platform according to claim 56, wherein the receiving unit is further configured to receive an authentication information acquisition request from the first cloud platform, the authentication information acquisition request comprising product information of the device to be networked; and the obtaining unit is further configured to obtain device authentication information corresponding to the product information.
- The second cloud platform according to claim 57, wherein the sending unit is further configured to send a platform credential and/or device configuration information to the first cloud platform.
- A device to be networked, comprising: a sending unit, configured to send an access authentication credential of the device to be networked to a terminal device, so that the terminal device verifies the access authentication credential using device authentication information of the device to be networked obtained from a cloud platform.
- The device to be networked according to claim 59, wherein the device to be networked further comprises: a verification unit, configured to verify whether the cloud platform is a legitimate platform.
- The device to be networked according to claim 60, wherein the verification unit is further configured to: before the access authentication credential of the device to be networked is sent to the terminal device, receive a platform credential; verify whether the cloud platform is legitimate based on the platform credential; and, when the cloud platform is legitimate, instruct the sending unit to perform the step of sending the access authentication credential of the device to be networked to the terminal device.
- The device to be networked according to claim 60, wherein the verification unit is further configured to: send an encrypted access authentication credential to the terminal device; receive decrypted data from the terminal device, the decrypted data being obtained by the terminal device by decrypting the access authentication credential based on platform decryption information; and verify whether the decryption succeeded based on the decrypted data, wherein the cloud platform corresponding to the platform decryption information with which decryption succeeded is a legitimate platform.
- The device to be networked according to any one of claims 59 to 62, wherein the device to be networked further comprises: a control unit, configured to, before the device to be networked sends the access authentication credential of the device to be networked, confirm that the terminal device has joined the SoftAP of the device to be networked and that the device to be networked has established a secure connection with the terminal device.
- The device to be networked according to claim 63, wherein the device to be networked further comprises: a broadcasting unit, configured to, before it is confirmed that the terminal device has joined the SoftAP of the device to be networked and that the device to be networked has established a secure connection with the terminal device, broadcast a service set identifier (SSID), the device information of the device to be networked in the SSID comprising at least one of vendor information and product information.
- A terminal device, comprising: a processor and a memory, the memory being configured to store a computer program, and the processor being configured to call and run the computer program stored in the memory, so as to cause the terminal device to perform the method according to any one of claims 1 to 15.
- A cloud platform, comprising: a processor and a memory, the memory being configured to store a computer program, and the processor being configured to call and run the computer program stored in the memory, so as to cause the cloud platform to perform the method according to any one of claims 16 to 26.
- A device to be networked, comprising: a processor and a memory, the memory being configured to store a computer program, and the processor being configured to call and run the computer program stored in the memory, so as to cause the device to be networked to perform the method according to any one of claims 27 to 32.
- A chip, comprising: a processor, configured to call and run a computer program from a memory, so as to cause a device in which the chip is installed to perform the method according to any one of claims 1 to 15.
- A chip, comprising: a processor, configured to call and run a computer program from a memory, so as to cause a device in which the chip is installed to perform the method according to any one of claims 16 to 26.
- A chip, comprising: a processor, configured to call and run a computer program from a memory, so as to cause a device in which the chip is installed to perform the method according to any one of claims 27 to 32.
- A computer-readable storage medium, configured to store a computer program which, when run by a device, causes the device to perform the method according to any one of claims 1 to 15.
- A computer-readable storage medium, configured to store a computer program which, when run by a device, causes the device to perform the method according to any one of claims 16 to 26.
- A computer-readable storage medium, configured to store a computer program which, when run by a device, causes the device to perform the method according to any one of claims 27 to 32.
- A computer program product, comprising computer program instructions which cause a computer to perform the method according to any one of claims 1 to 15.
- A computer program product, comprising computer program instructions which cause a computer to perform the method according to any one of claims 16 to 26.
- A computer program product, comprising computer program instructions which cause a computer to perform the method according to any one of claims 27 to 32.
- A computer program, which causes a computer to perform the method according to any one of claims 1 to 15.
- A computer program, which causes a computer to perform the method according to any one of claims 16 to 26.
- A computer program, which causes a computer to perform the method according to any one of claims 27 to 32.
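The claims above describe a three-party onboarding flow: the device to be networked advertises vendor and product information in its SSID, the terminal fetches device authentication information for that product from the cloud platform over an already-secured connection, the device checks a platform credential (carrying a timestamp or serial number) before releasing anything, and only then does the terminal verify the device's access authentication credential. The following is an added simulation of that flow written for this page; it is not code from the patent or its applicant. The claims do not fix any cryptographic primitive, so the example assumes HMAC-SHA256 for both the platform credential and the device credential, assumes the device authentication information is a per-product key shared by the device and the cloud platform, assumes an SSID layout of `<vendor>-<product>-SETUP`, and adds a terminal-chosen nonce so a captured device credential cannot be replayed (the claims do not mention a nonce). SoftAP joining and the secure links are transport detail and are not modelled.

```python
import hashlib
import hmac
import secrets


def tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts. Assumed primitive: the claims
    name the credentials but do not fix how they are computed."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class FirstCloudPlatform:
    """Serves device authentication information per product (claims 16-19) and
    issues a platform credential carrying a timestamp and serial number (claim 11)."""

    def __init__(self, product_keys: dict, platform_key: bytes):
        self.product_keys = product_keys   # product info -> per-product key (assumption)
        self.platform_key = platform_key   # key the device firmware trusts (assumption)
        self.serial = 0

    def device_auth_info(self, product_info: str):
        # In the claims this is only served over the terminal's secure connection.
        return self.product_keys.get(product_info)

    def platform_credential(self, now: int) -> dict:
        self.serial += 1
        ts, sn = str(now).encode(), str(self.serial).encode()
        return {"ts": ts, "sn": sn, "tag": tag(self.platform_key, ts, sn)}


class DeviceToBeNetworked:
    """Broadcasts an SSID carrying vendor and product info (claim 32), checks the
    platform credential before releasing anything (claim 29), then hands over
    its access authentication credential (claim 27)."""

    def __init__(self, vendor: str, product: str, device_key: bytes, platform_key: bytes):
        self.vendor, self.product = vendor, product
        self.device_key, self.platform_key = device_key, platform_key
        self.seen_serials = set()

    def ssid(self) -> str:
        # Constructed SSID layout "<vendor>-<product>-SETUP"; the claims only say
        # the SSID carries vendor and/or product information.
        return f"{self.vendor}-{self.product}-SETUP"

    def verify_platform(self, cred: dict, now: int, max_skew: int = 120) -> bool:
        expected = tag(self.platform_key, cred["ts"], cred["sn"])
        if not hmac.compare_digest(expected, cred["tag"]):
            return False  # forged, or issued by a platform this device does not trust
        if abs(now - int(cred["ts"])) > max_skew or cred["sn"] in self.seen_serials:
            return False  # stale or replayed: the reason claim 11 carries ts/serial
        self.seen_serials.add(cred["sn"])
        return True

    def access_credential(self, nonce: bytes) -> bytes:
        # The terminal-supplied nonce is an assumption added so a captured
        # credential cannot be replayed against a later onboarding.
        return tag(self.device_key, self.product.encode(), nonce)


class TerminalDevice:
    """Relays between device and platform and performs the final check (claims 1-3, 14)."""

    def __init__(self, cloud: FirstCloudPlatform):
        self.cloud = cloud

    @staticmethod
    def parse_ssid(ssid: str):
        vendor, product, suffix = ssid.split("-", 2)
        if suffix != "SETUP":
            raise ValueError("not an onboarding SSID")
        return vendor, product

    def onboard(self, device: DeviceToBeNetworked, now: int) -> str:
        _vendor, product = self.parse_ssid(device.ssid())
        auth_info = self.cloud.device_auth_info(product)
        if auth_info is None:
            return "unknown product"
        # Platform is proven to the device first (claim 29); the device
        # releases its credential only afterwards.
        if not device.verify_platform(self.cloud.platform_credential(now), now):
            return "platform rejected by device"
        nonce = secrets.token_bytes(16)
        if not hmac.compare_digest(device.access_credential(nonce),
                                   tag(auth_info, product.encode(), nonce)):
            return "device credential invalid"
        return "ok"


if __name__ == "__main__":
    # Constructed sample keys; a real deployment provisions these per product line.
    cloud = FirstCloudPlatform({"LAMP01": b"lamp01-product-key"}, b"platform-key")
    lamp = DeviceToBeNetworked("ACME", "LAMP01", b"lamp01-product-key", b"platform-key")
    print(TerminalDevice(cloud).onboard(lamp, 1_700_000_000))  # ok
```

The ordering matters: because the device validates the platform credential before it emits its own credential, a rogue access point that cannot produce a fresh, correctly tagged credential learns nothing about the device key, and the serial-number set plus the timestamp window turn a recorded credential into a one-time token.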
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202080104862.2A CN116250287A (zh) | 2020-07-31 | 2020-07-31 | Method for device access authentication, terminal device and cloud platform |
JP2023503247A JP2023539994A (ja) | 2020-07-31 | 2020-07-31 | Device access authentication method, terminal device and cloud platform |
PCT/CN2020/106435 WO2022021433A1 (zh) | 2020-07-31 | 2020-07-31 | Method for device access authentication, terminal device and cloud platform |
EP20947594.6A EP4192117A4 (en) | 2020-07-31 | 2020-07-31 | DEVICE ACCESS AUTHENTICATION METHOD, TERMINAL DEVICE AND CLOUD PLATFORM |
KR1020237006203A KR20230045025A (ko) | 2020-07-31 | 2020-07-31 | Device access authentication method, terminal device and cloud platform |
US18/090,611 US20230188989A1 (en) | 2020-07-31 | 2022-12-29 | Method for device access authentication, terminal device, and cloud platform |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2020/106435 WO2022021433A1 (zh) | 2020-07-31 | 2020-07-31 | Method for device access authentication, terminal device and cloud platform |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/090,611 Continuation US20230188989A1 (en) | 2020-07-31 | 2022-12-29 | Method for device access authentication, terminal device, and cloud platform |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022021433A1 (zh) | 2022-02-03 |
Family
ID=80037401
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/106435 WO2022021433A1 (zh) | 2020-07-31 | 2020-07-31 | Method for device access authentication, terminal device and cloud platform |
Country Status (6)
Country | Link |
---|---|
US (1) | US20230188989A1 (zh) |
EP (1) | EP4192117A4 (zh) |
JP (1) | JP2023539994A (zh) |
KR (1) | KR20230045025A (zh) |
CN (1) | CN116250287A (zh) |
WO (1) | WO2022021433A1 (zh) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104753898A (zh) * | 2013-12-31 | 2015-07-01 | 中国移动通信集团公司 | Verification method, verification terminal and verification server |
US20150264023A1 (en) * | 2014-03-13 | 2015-09-17 | Ca, Inc. | Identity verification services using private data |
CN110198540A (zh) * | 2019-05-09 | 2019-09-03 | 新华三技术有限公司 | Authentication method and apparatus |
CN110687820A (zh) * | 2019-11-07 | 2020-01-14 | 深圳市欧瑞博科技有限公司 | Control method and apparatus for a smart home device, terminal device and storage medium |
CN111212428A (zh) * | 2018-11-22 | 2020-05-29 | 九阳股份有限公司 | Method for a household appliance to access a wireless local area network, and household appliance |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20070025366A (ko) * | 2005-09-01 | 2007-03-08 | 삼성전자주식회사 | Security system for a wireless LAN system and method thereof |
US9398453B2 (en) * | 2007-08-17 | 2016-07-19 | Qualcomm Incorporated | Ad hoc service provider's ability to provide service for a wireless network |
CN102196533B (zh) * | 2011-04-15 | 2014-01-22 | 华为数字技术(成都)有限公司 | Network access control method and related apparatus |
TWI548249B (zh) * | 2014-08-08 | 2016-09-01 | 蓋特資訊系統股份有限公司 | Secure data verification method, system and computer-readable storage medium |
KR102303984B1 (ko) * | 2015-06-22 | 2021-09-23 | 삼성전자 주식회사 | Method and apparatus for subscription of an electronic device in a mobile communication system |
CN105101206B (zh) * | 2015-06-26 | 2018-06-19 | 中国联合网络通信集团有限公司 | Automatic WiFi access method and system for a device |
KR102405646B1 (ko) * | 2015-12-28 | 2022-06-07 | 삼성전자주식회사 | Electronic device, communication method of the electronic device and communication method of a mobile terminal |
GB2547472A (en) * | 2016-02-19 | 2017-08-23 | Intercede Ltd | Method and system for authentication |
US10615844B2 (en) * | 2016-03-15 | 2020-04-07 | Huawei Technologies Co., Ltd. | System and method for relaying data over a communication network |
CN106302415A (zh) * | 2016-08-03 | 2017-01-04 | 杭州晟元数据安全技术股份有限公司 | Method for verifying device legitimacy and automatically provisioning network access for legitimate devices |
CN108696868B (zh) * | 2017-03-01 | 2020-06-19 | 西安西电捷通无线网络通信股份有限公司 | Method and apparatus for processing credential information used for network connection |
CN109242467B (zh) * | 2018-09-17 | 2021-01-01 | 金蝶软件(中国)有限公司 | Blockchain-based networking method, apparatus, computer device and storage medium |
CN112655182B (zh) * | 2018-10-31 | 2023-09-15 | Oppo广东移动通信有限公司 | Communication method and device |
2020
- 2020-07-31 JP JP2023503247A patent/JP2023539994A/ja active Pending
- 2020-07-31 WO PCT/CN2020/106435 patent/WO2022021433A1/zh active Application Filing
- 2020-07-31 CN CN202080104862.2A patent/CN116250287A/zh active Pending
- 2020-07-31 EP EP20947594.6A patent/EP4192117A4/en active Pending
- 2020-07-31 KR KR1020237006203A patent/KR20230045025A/ko unknown
2022
- 2022-12-29 US US18/090,611 patent/US20230188989A1/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104753898A (zh) * | 2013-12-31 | 2015-07-01 | 中国移动通信集团公司 | Verification method, verification terminal and verification server |
US20150264023A1 (en) * | 2014-03-13 | 2015-09-17 | Ca, Inc. | Identity verification services using private data |
CN111212428A (zh) * | 2018-11-22 | 2020-05-29 | 九阳股份有限公司 | Method for a household appliance to access a wireless local area network, and household appliance |
CN110198540A (zh) * | 2019-05-09 | 2019-09-03 | 新华三技术有限公司 | Authentication method and apparatus |
CN110687820A (zh) * | 2019-11-07 | 2020-01-14 | 深圳市欧瑞博科技有限公司 | Control method and apparatus for a smart home device, terminal device and storage medium |
Non-Patent Citations (1)
Title |
---|
See also references of EP4192117A4 * |
Also Published As
Publication number | Publication date |
---|---|
EP4192117A4 (en) | 2023-10-11 |
EP4192117A1 (en) | 2023-06-07 |
US20230188989A1 (en) | 2023-06-15 |
JP2023539994A (ja) | 2023-09-21 |
KR20230045025A (ko) | 2023-04-04 |
CN116250287A (zh) | 2023-06-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10750366B1 (en) | | Efficient authentication and secure communications in private communication systems having non-3GPP and 3GPP access |
US11617067B2 (en) | | Method to authenticate with a mobile communication network |
US10798767B2 (en) | | Method and apparatus for relaying user data between a secure connection and a data connection |
US20180359633A1 (en) | | Neighbor Awareness Networking Device Pairing |
CN104041098A (zh) | | Method and apparatus for accelerated link setup between a STA and an access point of an IEEE 802.11 network |
WO2021136211A1 (zh) | | Method and apparatus for determining an authorization result |
JP2017538345A (ja) | | Method, apparatus and system |
EP3422750B1 (en) | | Method and apparatus for providing service provider identifier, access device, and terminal device |
CN115699678A (zh) | | Device deregistration method, device registration method, communication device and cloud platform |
WO2018076553A1 (zh) | | Method and device for accessing a network |
US20230337111A1 (en) | | Terminal device and network device |
WO2021056131A1 (zh) | | Wireless communication method, terminal device and network device |
WO2023011630A1 (zh) | | Authorization verification method and apparatus |
US20220264435A1 (en) | | Access control method and communications apparatus |
WO2022021433A1 (zh) | | Method for device access authentication, terminal device and cloud platform |
CN114731513A (zh) | | Method for controlling communication access, AP and communication device |
WO2023212904A1 (zh) | | Relay communication method and device |
WO2023070433A1 (en) | | Authentication between wireless devices and edge servers |
WO2023202337A1 (zh) | | Communication method and apparatus |
WO2023141914A1 (zh) | | Information protection method and device |
WO2024092444A1 (zh) | | Communication method and apparatus |
WO2023213208A1 (zh) | | Communication method and communication apparatus |
WO2023147767A1 (zh) | | Network verification method and apparatus |
WO2023093572A1 (zh) | | Communication method and apparatus |
WO2023213184A1 (zh) | | Communication method and communication apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20947594; Country of ref document: EP; Kind code of ref document: A1 |
 | ENP | Entry into the national phase | Ref document number: 2023503247; Country of ref document: JP; Kind code of ref document: A |
 | ENP | Entry into the national phase | Ref document number: 20237006203; Country of ref document: KR; Kind code of ref document: A |
 | WWE | Wipo information: entry into national phase | Ref document number: 2020947594; Country of ref document: EP |
 | ENP | Entry into the national phase | Ref document number: 2020947594; Country of ref document: EP; Effective date: 20230228 |
 | NENP | Non-entry into the national phase | Ref country code: DE |