WO2022116110A1 - Access authentication method and apparatus, device, and storage medium - Google Patents

Access authentication method and apparatus, device, and storage medium

Info

Publication number
WO2022116110A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
authentication
authenticated
distribution network
random number
Application number
PCT/CN2020/133686
Other languages
French (fr)
Chinese (zh)
Inventor
包永明
罗朝明
张军
董建利
茹昭
Original Assignee
Oppo广东移动通信有限公司
Application filed by Oppo广东移动通信有限公司
Priority to PCT/CN2020/133686 (WO2022116110A1)
Priority to CN202080107382.1A (CN116508292A)
Publication of WO2022116110A1

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/06 the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
                        • H04L 9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
                    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
                    • H04L 9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L 9/321 involving a third party or a trusted authority
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/06 for supporting key management in a packet data network
                    • H04L 63/08 for authentication of entities
                        • H04L 63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
                        • H04W 12/041 Key generation or derivation
                    • H04W 12/06 Authentication
                        • H04W 12/069 Authentication using certificates or pre-shared keys

Definitions

  • the present application relates to the field of wireless communication, and in particular, to an access authentication method, apparatus, device, and storage medium.
  • Smart devices can perform access authentication across different platforms.
  • the A platform gateway is used to construct the network
  • the platform cloud corresponding to the A platform gateway is the A platform cloud
  • the platform cloud corresponding to the manufacturer to which the smart device belongs is the B platform cloud.
  • the embodiments of the present application provide an access authentication method, apparatus, device, and storage medium, and provide an implementation solution for cross-platform access authentication of smart devices.
  • the technical solution is as follows:
  • an access authentication method which is applied to a device to be authenticated, and the method includes:
  • beacon frame carries the first random number generated by the device to be authenticated
  • a device-side trust center link key is generated, and the license key is a key stored in the device to be authenticated and the device platform cloud;
  • an access authentication method is provided, which is applied to a distribution network platform gateway, the distribution network platform gateway supports building a network, and the cloud server corresponding to the distribution network platform gateway is a distribution network platform cloud,
  • the method includes:
  • beacon frame broadcast by the device to be authenticated, where the beacon frame carries the first random number generated by the device to be authenticated;
  • the authentication end trust center link key is a key generated based on the first random number and the license key.
  • the license key is a key stored in the device to be authenticated and the device platform cloud;
  • an access authentication method is provided, which is applied in a device platform cloud, where the device platform cloud is a cloud server of a manufacturer to which the device to be authenticated belongs, and the method includes:
  • interacting with the distribution network platform gateway, so that the distribution network platform gateway obtains the authentication end trust center link key, where the authentication end trust center link key is a key generated according to the first random number generated by the device to be authenticated,
  • the authenticator trust center link key is used to perform first access authentication of the device to be authenticated.
  • an access authentication apparatus which is applied to a device to be authenticated, and the apparatus includes: a beacon frame broadcasting module, a key generation module, and a first authentication module;
  • the beacon frame broadcasting module configured to broadcast a beacon frame, the beacon frame carrying the first random number generated by the device to be authenticated;
  • the key generation module is used to generate a device-side trust center link key based on the first random number and a license key, where the license key is a key stored in the device to be authenticated and in the device platform cloud;
  • the first authentication module is configured to use the device-side trust center link key to perform first access authentication with the distribution network platform gateway.
  • an access authentication device which is applied to a distribution network platform gateway, the distribution network platform gateway supports building a network, and the cloud server corresponding to the distribution network platform gateway is a distribution network platform cloud,
  • the device includes: a beacon frame receiving module, a key determining module and a first authentication module;
  • the beacon frame receiving module is configured to receive a beacon frame broadcast by the device to be authenticated, where the beacon frame carries the first random number generated by the device to be authenticated;
  • the key determination module is configured to interact with the device platform cloud through the distribution network platform cloud to obtain the authentication end trust center link key, where the authentication end trust center link key is a key generated based on the first random number and a license key, and the license key is a key stored in the device to be authenticated and the device platform cloud;
  • the first authentication module is configured to use the authentication terminal trust center link key to perform first access authentication with the device to be authenticated.
  • an access authentication apparatus which is applied in a device platform cloud, where the device platform cloud is a cloud server of a manufacturer to which the device to be authenticated belongs, and the apparatus includes: a key determination module;
  • the key determination module is used for interacting with the distribution network platform gateway, so that the distribution network platform gateway obtains the authentication end trust center link key, where the authentication end trust center link key is a key generated according to the first random number generated by the device to be authenticated, and the authentication end trust center link key is used to perform the first access authentication of the device to be authenticated.
  • a device to be authenticated includes: a processor and a transceiver connected to the processor; wherein,
  • the transceiver configured to broadcast a beacon frame, where the beacon frame carries the first random number generated by the device to be authenticated;
  • the processor is configured to generate a device-side trust center link key based on the first random number and a license key, where the license key is a key stored in the device to be authenticated and the device platform cloud;
  • the processor is configured to use the device-side trust center link key to perform first access authentication with the distribution network platform gateway.
  • a distribution network platform gateway supports the construction of a Zigbee network
  • the cloud server corresponding to the distribution network platform gateway is a distribution network platform cloud
  • the distribution network platform gateway includes: a processor and a transceiver connected to the processor;
  • the transceiver configured to receive a beacon frame broadcast by the device to be authenticated, where the beacon frame carries the first random number generated by the device to be authenticated;
  • the processor is configured to interact with the device platform cloud through the distribution network platform cloud to obtain the authentication end trust center link key, where the authentication end trust center link key is a key generated based on the first random number and the license key, and the license key is the key stored in the device to be authenticated and the device platform cloud;
  • the processor is configured to perform first access authentication with the device to be authenticated by using the authenticator trust center link key.
  • a device platform cloud is provided, where the device platform cloud is a cloud server of a manufacturer to which a device to be authenticated belongs, and the device platform cloud includes: a processor and a transceiver connected to the processor; wherein,
  • the processor is configured to interact with the distribution network platform gateway, so that the distribution network platform gateway obtains the authentication end trust center link key, where the authentication end trust center link key is a key generated according to the first random number generated by the device to be authenticated, and the authentication end trust center link key is used to perform the first access authentication of the device to be authenticated.
  • a computer-readable storage medium is provided, a computer program is stored in the readable storage medium, and the computer program is loaded and executed by a processor to implement the access authentication method according to the above aspect.
  • a chip is provided, the chip includes a programmable logic circuit and/or program instructions, and when the chip runs on a network device, it is used to implement the access authentication method described in the above aspect.
  • a computer program product which, when running on a processor of a network device, enables the network device to execute the access authentication method described in the above aspect.
  • the beacon frame broadcast by the device to be authenticated carries a first random number, and the first random number is used to generate the authentication-side trust center link key and the device-side trust center link key required to perform the first access authentication between the distribution network platform gateway and the device to be authenticated; the first random number is dynamically generated each time the first access authentication is performed, to ensure the security of the first access authentication.
  • the distribution network platform gateway interacts with the device platform cloud through the distribution network platform cloud and obtains the authentication-side trust center link key required for the first access authentication; the distribution network platform gateway and the device to be authenticated then use the authentication-side trust center link key and the device-side trust center link key to perform the first access authentication, thereby realizing cross-platform access authentication of the device to be authenticated and expanding the scenarios in which access authentication of the device to be authenticated can be implemented.
  • FIG. 1 is a block diagram of a cross-platform access authentication system for smart devices provided by an exemplary embodiment of the present application
  • FIG. 2 is a flowchart of an access authentication method provided by an exemplary embodiment of the present application
  • FIG. 3 is a flowchart of an access authentication method provided by an exemplary embodiment of the present application.
  • FIG. 4 is a flowchart of an access authentication method provided by an exemplary embodiment of the present application.
  • FIG. 5 is a flowchart of an access authentication method provided by an exemplary embodiment of the present application.
  • FIG. 6 is a flowchart of an access authentication method provided by an exemplary embodiment of the present application.
  • FIG. 7 is a flowchart of an access authentication method provided by an exemplary embodiment of the present application.
  • FIG. 8 is a structural block diagram of an access authentication method and apparatus provided by an exemplary embodiment of the present application.
  • FIG. 9 is a structural block diagram of an access authentication method and apparatus provided by an exemplary embodiment of the present application.
  • FIG. 10 is a structural block diagram of an access authentication method and apparatus provided by an exemplary embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of a computer device provided by an exemplary embodiment of the present application.
  • Zigbee is a low-power local area network protocol based on the Institute of Electrical and Electronics Engineers (IEEE) 802.15.4 standard. According to international standards, ZigBee technology is a short-range, low-power wireless communication technology.
  • two beacon frame formats are specified: one is a regular beacon frame, and the other is an enhanced beacon (EnhanceBeacon) frame.
  • the difference between the enhanced beacon frame and the conventional beacon frame is that the variable (variable) data contains additional Information Elements (Information Elements, IEs) fields, while the Guaranteed Time Slot (GTS) field and the Pending Address (PendingAddress) field are omitted.
  • the information element field is further divided into header information elements (HeaderIEs) and payload information elements (PayloadIEs).
  • in the header information element, an element ID (ElementID) of 0 indicates that the content is filled with manufacturer-defined information; the data length ranges from 0 to 127 bytes, the first 3 bytes can be the vendor (Vendor) Organizationally Unique Identifier (OUI), and the remaining bytes can be customized according to the manufacturer's needs.
  • the header information unit is filled with the first random number, the device identifier and the manufacturer identifier.
  • the device that supports the Zigbee protocol is a Zigbee device, and the Zigbee device corresponds to a unique installation code (InstallCode).
  • the Zigbee gateway needs to obtain the installation code of the Zigbee device, so as to connect the Zigbee device to the Zigbee network created by the Zigbee gateway.
  • the installation code of the Zigbee device is obtained by scanning the QR code of the Zigbee device with a mobile phone or by entering it manually on the mobile phone, and the mobile phone then sends the installation code to the Zigbee gateway, which requires more human interaction.
  • the system may include: a device to be authenticated 12 , a distribution network platform gateway 141 , a distribution network platform cloud 142 and a device platform cloud 16.
  • the device 12 to be authenticated is a device capable of accessing the network.
  • the device 12 to be authenticated is a smart device (such as VR (Virtual Reality) glasses, a smart wearable device, etc.), a terminal device, or another device with network access capability, which is not limited in this embodiment of the present application.
  • the device 12 to be authenticated may be smart home devices such as smart TVs, smart speakers, smart air conditioners, smart lights, smart doors and windows, smart curtains, and smart sockets.
  • the number of devices 12 to be authenticated may be determined in combination with application requirements or with the maximum number of devices that the distribution network platform gateway 141 can manage.
  • the device 12 to be authenticated is configured to access the network by the distribution network platform gateway 141 , and the cloud server corresponding to the distribution network platform gateway 141 is the distribution network platform cloud 142 .
  • the distribution network platform gateway 141 and the distribution network platform cloud 142 are connected through a wired or wireless network.
  • the distribution network platform gateway 141 is a device capable of configuring a network.
  • the distribution network platform gateway 141 may be a server, a terminal device, a router, a mobile phone, a tablet computer, a wearable device, or any other device capable of configuring network access, which is not limited in this embodiment of the present application; in practical application, the implementation form of the distribution network platform gateway 141 can be determined in combination with the application scenario of the system.
  • when the system is applied to smart home life, considering that the home environment has the characteristics of small area and frequent activity, using a distribution network platform gateway 141 that occupies a large space would affect normal home life, and the distribution network platform gateway 141 can therefore be implemented as a router, a terminal device, a mobile phone, a tablet computer, a wearable device, and the like.
  • the number of distribution network platform gateways 141 may be one or more, which is not limited in this embodiment of the present application; generally, for reasons such as resource saving, the number of distribution network platform gateways 141 is one.
  • the device 12 to be authenticated is developed based on the device platform cloud 16 , and the license key Kc of the device 12 to be authenticated is stored in the device platform cloud 16 .
  • the distribution network platform cloud 142 sends the information required in the access authentication process of the device 12 to be authenticated to the device platform cloud 16; required information.
  • the above-mentioned distribution network platform cloud 142 and device platform cloud 16 are cloud computing resource pools in the field of cloud technology, and multiple types of virtual resources are deployed in the resource pools for external customers to choose and use.
  • the cloud computing resource pool mainly includes computing devices (virtualized machines, including operating systems), storage devices, and network devices. It can be an independent physical server, a server cluster or a distributed system composed of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud service, cloud database, cloud computing, cloud function, cloud storage, network service, cloud communication, middleware service, domain name service, security service, Content Delivery Network (CDN), and big data and artificial intelligence platforms.
  • the system may further include a control device 18, and the distribution network platform gateway 141 and the control device 18 are connected through a wired or wireless network.
  • the control device 18 is a device for the user to operate to control the distribution network platform gateway 141 .
  • the user can activate the distribution network platform gateway 141 by using the application program (Application) on the control device 18 .
  • the control device 18 can be implemented as a terminal device, a mobile phone, a tablet computer, a wearable device, and the like.
  • the device 12 to be authenticated is a Zigbee device, and the network configuration platform gateway supports configuring a Zigbee network.
  • FIG. 2 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application.
  • the method can be applied to the cross-platform access authentication system for smart devices as shown in FIG. 1 , and the method includes:
  • Step 201 The device to be authenticated broadcasts a beacon frame, and the beacon frame carries a first random number generated by the device to be authenticated.
  • the device to be authenticated is a device that supports the ability to access the network.
  • the equipment to be authenticated includes various types of household equipment (such as electric lamps), industrial assets (such as inspection equipment in a hospital), and the like.
  • the device to be authenticated is a Zigbee device.
  • a beacon frame is a command frame of the medium access control (Medium Access Control, MAC) layer.
  • the beacon frame is mainly used in the process of joining and rejoining the device to be authenticated.
  • the device to be authenticated inquires the network that can be joined by broadcasting the beacon frame.
  • the device to be authenticated starts broadcasting beacon frames when it enters the network distribution mode.
  • the device to be authenticated automatically enters the network distribution mode when it is turned on for the first time, or it is passively triggered to enter the network distribution mode by a user operation.
  • the beacon frame carries a first random number, the first random number is a random number (Nonce) generated by the device to be authenticated, and the first random number is used to ensure the security of the first access authentication.
  • the length of the first random number is 4 bytes.
  • the beacon frame also carries a device ID (DeviceID), where the device ID is used to identify the type of the device to be authenticated, and the device ID may be 2 bytes.
  • the beacon frame also carries a company identifier (Company Identifier, CID), which is used to identify the manufacturer to which the device to be authenticated belongs, and the manufacturer identifier may be 3 bytes.
  • the beacon frame also carries a device address identifier, the device address identifier is used to identify the MAC address of the device to be authenticated, the device address identifier is used to uniquely identify a device to be authenticated, and the device address identifier can be a 64-bit address.
  • the device address is identified as an Extended Unique Identifier (EUI).
  • Step 202 the distribution network platform gateway receives the beacon frame.
  • the distribution network platform gateway is a device with the ability to configure the network.
  • the network distribution platform gateway may be a server, a terminal device, a router, a terminal device, a mobile phone, a tablet computer, a wearable device, or other devices capable of configuring network access.
  • the distribution network platform gateway supports configuring a Zigbee network.
  • the distribution network platform gateway can receive the beacon frame broadcast by the device to be authenticated.
  • the distribution network platform gateway receives the beacon frame broadcast by the device to be authenticated in the form of channel scanning.
  • the distribution network platform gateway has formed a network.
  • the network formed by the distribution network platform gateway is identified by a personal area network identifier (PAN ID).
  • Step 203 the distribution network platform gateway interacts with the device platform cloud through the distribution network platform cloud to obtain the authentication terminal trust center link key.
  • the device platform cloud is the cloud server on which the device to be authenticated was developed; that is, the device platform cloud is the cloud server corresponding to the manufacturer to which the device to be authenticated belongs.
  • the distribution network platform cloud is the cloud server corresponding to the distribution network platform gateway.
  • the interaction between the distribution network platform gateway and the device platform cloud through the distribution network platform cloud refers to: the distribution network platform gateway sends message A to the distribution network platform cloud, and the distribution network platform cloud forwards message A to the device platform cloud; or, the device platform cloud sends message B to the distribution network platform cloud, and the distribution network platform cloud forwards message B to the distribution network platform gateway.
  • the authentication side trust center link key (TrustCenterLinkKey, TCLK) is a key generated based on the first random number and the license key.
  • the authentication end trust center link key is generated by the distribution network platform gateway, or generated by the device platform cloud. That is, the authentication end trust center link key is a key generated by the gateway side of the distribution network platform or the cloud side of the device platform and used for the first access authentication.
  • Step 204 the device to be authenticated generates a device-side trust center link key based on the first random number and the license key.
  • the license key is the key stored in the device to be authenticated and in the device platform cloud.
  • the license key is pre-programmed in the secure storage area of the device to be authenticated when it leaves the factory.
  • the device platform cloud stores a relationship table between the device address identifier of the device to be authenticated and the license key.
  • the device to be authenticated generates the device-side trust center link key based on the first random number generated by itself and the stored license key.
  • the device-side trust center link key is a key generated by the device to be authenticated and used for the first access authentication.
  • this embodiment does not limit the order in which step 203 and step 204 are performed.
  • Step 205 The distribution network platform gateway and the device to be authenticated use the authentication-side trust center link key and the device-side trust center link key respectively to perform first access authentication.
  • after the device to be authenticated generates the device-side trust center link key and the distribution network platform gateway obtains the authentication-side trust center link key, the distribution network platform gateway and the device to be authenticated use the authentication-side trust center link key and the device-side trust center link key respectively to perform the first access authentication.
  • if the first access authentication is successful, the device to be authenticated can join the network formed by the distribution network platform gateway.
  • the beacon frame broadcast by the device to be authenticated carries the first random number, and the first random number is used to generate the authentication-side trust center link key and the device-side trust center link key required for the first access authentication between the distribution network platform gateway and the device to be authenticated; the first random number is dynamically generated each time the first access authentication is performed, to ensure the security of the first access authentication.
  • the distribution network platform gateway interacts with the device platform cloud through the distribution network platform cloud and obtains the authentication-side trust center link key required for the first access authentication; the distribution network platform gateway and the device to be authenticated then use the authentication-side trust center link key and the device-side trust center link key to perform the first access authentication, thereby realizing cross-platform access authentication of the device to be authenticated and expanding the scenarios in which access authentication of the device to be authenticated can be implemented.
  • the process of performing the first access authentication on the side of the device to be authenticated includes: the device to be authenticated obtains a network key (NetworkKey) based on the device-side trust center link key, and the network key is used to encrypt network-layer data after the first access authentication. That is, the device to be authenticated obtains the correct network key by executing the first access procedure, and thereby joins the network.
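The following is an added example, not code from the patent or from the applicant, that walks through steps 201 to 205 end to end: the device derives its trust center link key from the nonce and its license key Kc, the device platform cloud looks Kc up in its address-to-license-key relation table and hands back only the derived authentication-side key (the distribution platform cloud just forwards), and the two sides then run the first access authentication, after which the network key is delivered to the device. The page does not name the derivation function or the authentication exchange, so the HMAC-SHA256 based derivation, the challenge/response key confirmation and the encrypt-then-MAC wrapping of the network key are assumptions of this example; all sample identifiers and keys are constructed.

```python
import hashlib
import hmac
import secrets

TCLK_LEN = 16  # 128-bit link key, the Zigbee key size


def derive_tclk(license_key: bytes, nonce: bytes) -> bytes:
    """Assumed KDF: the page says the trust center link key is generated from the
    first random number and Kc but names no function; HMAC-SHA256 truncated to
    128 bits is used here. A fresh nonce gives a fresh key on every attempt."""
    return hmac.new(license_key, b"TCLK" + nonce, hashlib.sha256).digest()[:TCLK_LEN]


def device_platform_cloud(table: dict, eui64: bytes, nonce: bytes) -> bytes:
    """Manufacturer cloud: looks Kc up in the EUI -> license-key relation table and
    returns only the derived authentication-side TCLK. Kc itself never leaves here."""
    kc = table.get(eui64)
    if kc is None:
        raise LookupError("unknown device address identifier")
    return derive_tclk(kc, nonce)


def distribution_platform_cloud(device_cloud, request: dict) -> bytes:
    """Step 203: the gateway's own cloud only forwards the request (message A) to
    the device platform cloud and relays the answer (message B) back."""
    return device_cloud(request["eui64"], request["nonce"])


def _tag(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def wrap_network_key(tclk: bytes, network_key: bytes) -> bytes:
    """Assumed transport of the network key under the TCLK: one-time keystream XOR
    followed by a MAC over salt and ciphertext (encrypt-then-MAC)."""
    salt = secrets.token_bytes(16)
    keystream = _tag(tclk, b"wrap", salt)[:len(network_key)]
    ct = bytes(a ^ b for a, b in zip(network_key, keystream))
    return salt + ct + _tag(tclk, b"tag", salt, ct)


def unwrap_network_key(tclk: bytes, blob: bytes):
    """Returns the network key, or None if the MAC does not verify under this TCLK."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(tclk, b"tag", salt, ct)):
        return None
    keystream = _tag(tclk, b"wrap", salt)[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, keystream))


def first_access_authentication(gateway_tclk: bytes, device_tclk: bytes, network_key: bytes):
    """Step 205 as mutual key confirmation (assumed construction): each side proves
    it holds the same TCLK via an HMAC over fresh challenges; only after the
    device's proof verifies does the gateway release the wrapped network key.
    Returns (success, the device's copy of the network key)."""
    gw_challenge = secrets.token_bytes(16)
    # device -> gateway: its own challenge plus a proof bound to both challenges
    dev_challenge = secrets.token_bytes(16)
    dev_proof = _tag(device_tclk, b"dev", gw_challenge, dev_challenge)
    if not hmac.compare_digest(dev_proof, _tag(gateway_tclk, b"dev", gw_challenge, dev_challenge)):
        return False, None  # keys differ: wrong Kc, stale nonce, or unknown device
    # gateway -> device: its proof and the wrapped network key
    gw_proof = _tag(gateway_tclk, b"gw", dev_challenge)
    blob = wrap_network_key(gateway_tclk, network_key)
    if not hmac.compare_digest(gw_proof, _tag(device_tclk, b"gw", dev_challenge)):
        return False, None
    return True, unwrap_network_key(device_tclk, blob)


def run_join(table: dict, eui64: bytes, device_kc: bytes, network_key: bytes):
    """Whole flow for one device: step 201 (nonce), 203 (cloud lookup), 204
    (device-side derivation), 205 (authentication). Returns (success, network key)."""
    nonce = secrets.token_bytes(4)                   # step 201: 4-byte first random number
    device_tclk = derive_tclk(device_kc, nonce)      # step 204: device side, Kc from secure storage
    try:                                             # step 203: gateway side, via both clouds
        gateway_tclk = distribution_platform_cloud(
            lambda e, n: device_platform_cloud(table, e, n), {"eui64": eui64, "nonce": nonce})
    except LookupError:
        return False, None
    return first_access_authentication(gateway_tclk, device_tclk, network_key)  # step 205


# Constructed sample data: one registered device and one network key.
SAMPLE_EUI = bytes.fromhex("0011223344556677")
SAMPLE_KC = bytes.fromhex("00" * 15 + "01")
SAMPLE_TABLE = {SAMPLE_EUI: SAMPLE_KC}
SAMPLE_NWK_KEY = bytes(range(16))

if __name__ == "__main__":
    print(run_join(SAMPLE_TABLE, SAMPLE_EUI, SAMPLE_KC, SAMPLE_NWK_KEY))              # (True, key)
    print(run_join(SAMPLE_TABLE, SAMPLE_EUI, bytes(16), SAMPLE_NWK_KEY))              # wrong Kc
```

The point to take from the simulation is the trust boundary the page draws: the gateway and its own cloud never see Kc, only a per-attempt key bound to the nonce, and a device whose address is not in the manufacturer's relation table, or whose Kc does not match, fails the key confirmation before any network key is released.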
  • FIG. 3 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application.
  • the method can be applied to the cross-platform access authentication system for smart devices as shown in FIG. 1 , and the method includes:
  • Step 301 the device to be authenticated broadcasts a beacon frame, and the beacon frame carries a first random number, a device identifier, a manufacturer identifier, and a device address identifier.
  • the beacon frame is an enhanced beacon (EnhanceBeacon) frame.
  • the enhanced beacon frame is specified in IEEE802.15.4, which is different from the conventional beacon frame.
  • For the specific format of the enhanced beacon frame specified in IEEE 802.15.4, see Table 1 above.
  • the enhanced beacon frame carries the first random number, the device identification, the manufacturer identification and the device address identification.
  • the first random number, device identification and manufacturer identification are filled in the header information element (HeaderIEs) of the enhanced beacon frame
  • the device address identification is filled in the beacon payload (Beacon Payload) of the enhanced beacon frame.
  • step 301 is alternatively implemented as: the device to be authenticated broadcasts the enhanced beacon frame.
  • step 301 is alternatively implemented as: the device to be authenticated alternately broadcasts the enhanced beacon frame and the regular beacon frame, so as to remain compatible with the regular beacon frame.
  • Step 302 the distribution network platform gateway receives the beacon frame.
  • the beacon frame is an enhanced beacon frame
  • the distribution network platform gateway receives the enhanced beacon frame broadcast by the device to be authenticated, and obtains the first random number, device identification, manufacturer identification and device address identification from the enhanced beacon frame.
  • Step 303 the distribution network platform gateway sends a beacon response to the device to be authenticated.
  • the beacon response is used to respond to the beacon frame.
  • the beacon response carries the PAN ID of the network constructed by the distribution network platform gateway.
  • the network configuration platform gateway sends a beacon response to the device to be authenticated.
  • the beacon frame carries a device identifier, and the device identifier is used to identify the type of the device to be authenticated.
  • the distribution network platform gateway will also perform the following steps: send the device identification to the control device, where the control device is used to control the distribution network platform gateway; receive the access request sent by the control device, where the access request is used to trigger the distribution network platform gateway to feed back the beacon response, and the beacon response is used to respond to the beacon frame.
  • the distribution network platform gateway is a router, and the control device is a mobile phone used by a user.
  • After receiving the beacon frame, the distribution network platform gateway sends the device identification in the beacon frame to the mobile phone, and the mobile phone broadcasts the type of the device to be authenticated corresponding to the device identification, for example: the type of the device to be authenticated corresponding to the device identification is a temperature sensor.
  • the user learns the type of the device to be authenticated from the broadcast, and controls the mobile phone to send an access request.
  • the distribution network platform gateway sends a beacon response to the device to be authenticated according to the instruction of the access request.
  • Step 304 the device to be authenticated receives a beacon response.
  • the device to be authenticated determines that there is a network that can be joined at the gateway of the distribution network platform by receiving a beacon response, and the network is identified by a PAN ID.
  • Step 305 the device to be authenticated sends an association request to the distribution network platform gateway.
  • association request is used to request access to the network constructed by the distribution network platform gateway.
  • After receiving the beacon response, if the device to be authenticated chooses to access the network constructed by the distribution network platform gateway, the device to be authenticated sends an association request to the distribution network platform gateway.
  • Step 306 the distribution network platform gateway receives the association request.
  • Step 307 the distribution network platform gateway sends an association response to the device to be authenticated.
  • association response is used to respond to the association request.
  • After receiving the association request sent by the device to be authenticated, the distribution network platform gateway unicasts an association response to the device to be authenticated.
  • the association response carries the network address assigned by the distribution network platform gateway to the device to be authenticated.
  • the network address is a 16-bit short address, and the network address is used to uniquely identify the device to be authenticated in the network constructed by the distribution network platform gateway.
  • Step 308 the device to be authenticated receives an association response.
  • Step 309 the distribution network platform gateway interacts with the device platform cloud through the distribution network platform cloud to obtain the authentication terminal trust center link key.
  • Step 310 the device to be authenticated generates a device-side trust center link key based on the first random number and the license key.
  • the device to be authenticated uses the generated device-side installation code as the device-side trust center link key. That is, step 310 includes: the device to be authenticated adopts the first key generation algorithm, processes the first random number and the license key, generates a device-side installation code, and uses the device-side installation code as the device-side trust center link key.
  • the first key generation algorithm is a symmetric encryption algorithm
  • the first key generation algorithm includes: an Advanced Encryption Standard (Advanced Encryption Standard, AES)-MMO (Matyas-Meyer-Oseas) hash algorithm.
  • TCLK is the device-side trust center link key
  • InstallCode is the device-side installation code
  • Kc is the license key
  • R1 is the first random number.
  • step 310 includes: the device to be authenticated adopts the first key generation algorithm to process the first random number and the license key and generate a device-side installation code, and adopts the second key generation algorithm to process the device-side installation code and generate the device-side trust center link key.
  • the first key generation algorithm and the second key generation algorithm are symmetric encryption algorithms; the first key generation algorithm includes: AES-MMO hash algorithm; the second key generation algorithm includes: AES-MMO hash algorithm.
  • InstallCode = AES-MMO(Kc, R1)
  • TCLK = AES-MMO(InstallCode).
  • TCLK is the device-side trust center link key
  • InstallCode is the device-side installation code
  • Kc is the license key
  • R1 is the first random number.
  • the device-side installation code is dynamically generated, so the device-side trust center link key that the device to be authenticated determines according to the device-side installation code is also dynamically generated.
  • Step 311 The distribution network platform gateway sends encryption key information to the device to be authenticated, where the encryption key information is information obtained by encrypting the network key according to the authentication terminal trust center link key.
  • the network key is a random string generated by the distribution platform gateway when building the network.
  • all network access devices in the network share the same network key.
  • the distribution network platform gateway uses the authentication terminal trust center link key to encrypt the network key, obtains the encryption key information, and sends the encryption key information to the device to be authenticated, so that the device to be authenticated obtains the network key from the encryption key information.
  • Step 312 the device to be authenticated receives the encryption key information.
  • Step 313 the device to be authenticated uses the device-side trust center link key to process the encryption key information to obtain a network key.
  • Network keys are used to encrypt data at the network layer.
  • After the device to be authenticated obtains the network key, it communicates with the distribution network platform gateway based on the network key.
  • the first access authentication verifies whether the device-side trust center link key generated on the side of the device to be authenticated is the same as the authentication-side trust center link key. If the keys are equal, the device to be authenticated can use the device-side trust center link key to process the encryption key information to obtain the correct network key.
  • Step 314 the device to be authenticated broadcasts a device declaration message.
  • the device announcement broadcast message is used to indicate that the device to be authenticated has connected to the network constructed by the distribution network platform gateway.
  • Step 315 the distribution network platform gateway receives the device declaration message.
  • the distribution network platform gateway receives the device declaration message broadcast by the device to be authenticated.
  • the beacon frame broadcast by the device to be authenticated is the enhanced beacon frame. Since the enhanced beacon frame contains fields that can be customized by the manufacturer to which the device to be authenticated belongs, it is convenient for the enhanced beacon frame to carry the first random number, the device identification, the manufacturer identification and the device address identification, so as to ensure the subsequent execution of the first access authentication process.
  • the distribution network platform gateway obtains the authentication terminal installation code from the device platform cloud, without requiring the user to manually input or scan the installation code and then send it to the device platform cloud, which reduces human interaction and improves the efficiency of access authentication.
  • FIG. 4 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application.
  • the method can be applied to the cross-platform access authentication system for smart devices as shown in FIG. 1 , and the method includes:
  • Step 3091 the distribution network platform gateway sends an installation code request to the device platform cloud through the distribution network platform cloud.
  • the installation code request carries a device address identifier and a first random number, the first random number is used for the device platform cloud to generate the authentication terminal installation code, and the device address identifier is used to identify the MAC address of the device to be authenticated.
  • the installation code request also carries the manufacturer identifier.
  • the distribution network platform gateway sends an installation code request to the distribution network platform cloud, and the distribution network platform cloud determines the device platform cloud according to the manufacturer's identification, and forwards the installation code request to the device platform cloud.
  • Step 3092 the device platform cloud receives the installation code request.
  • the source address of the installation code request is the distribution network platform gateway, and the installation code request carries the device address identifier and the first random number corresponding to the device to be authenticated.
  • the device platform cloud receives an installation code request whose source address is the distribution network platform gateway from the distribution network platform cloud.
  • Step 3093 the device platform cloud generates an authentication terminal installation code based on the first random number.
  • step 3093 includes: the device platform cloud determines the license key corresponding to the device to be authenticated according to the device address identifier, and uses the first key generation algorithm to process the first random number and the license key to generate the authentication terminal installation code.
  • a relationship table between the device address identifier and the license key is stored in the device platform cloud, and the device platform cloud searches the relationship table according to the device address identifier to determine the license key corresponding to the device to be authenticated.
  • the first key generation algorithm is a symmetric encryption algorithm, and the first key generation algorithm includes: AES-MMO hash algorithm.
  • InstallCode' = AES-MMO(Kc, R1)
  • InstallCode' is the installation code of the authentication terminal
  • Kc is the license key
  • R1 is the first random number.
  • Step 3094 the device platform cloud sends an installation code response, and the destination address of the installation code response is the distribution network platform gateway.
  • the installation code response carries the authentication terminal installation code, and the authentication terminal installation code is used for the distribution network platform gateway to determine the authentication terminal trust center link key.
  • the device platform cloud sends an installation code response to the distribution network platform cloud, and the distribution network platform cloud forwards the installation code response to the distribution network platform gateway.
  • Step 3095 the distribution network platform gateway receives the installation code response.
  • the distribution network platform gateway receives the installation code response whose source address is the device platform cloud through the distribution network platform cloud.
  • Step 3096 Based on the installation code response, the distribution network platform gateway determines the authentication terminal trust center link key.
  • the installation code response carries the authentication terminal installation code, and the authentication terminal installation code is used for the distribution network platform gateway to determine the authentication terminal trust center link key.
  • the distribution network platform gateway uses the obtained authentication-side installation code as the authentication-side trust center link key.
  • Step 3096 includes: the distribution network platform gateway uses the second key generation algorithm to process the installation code of the authentication terminal to generate a trust center link key of the authentication terminal.
  • the second key generation algorithm is a symmetric encryption algorithm
  • the second key generation algorithm includes: AES-MMO hash algorithm.
  • TCLK' = AES-MMO(InstallCode').
  • TCLK' is the authentication terminal trust center link key
  • InstallCode' is the authentication terminal installation code.
  • the device-side installation code and the authentication-side installation code are generated by the device to be authenticated and the distribution network platform gateway, respectively, based on the first random number. Because the first random number is generated by the device to be authenticated each time it attempts to access the network, the device-side installation code is dynamically generated, and so the device-side trust center link key that the device to be authenticated determines according to the device-side installation code is also dynamically generated, which avoids the risk of leakage that a device-side installation code that never changes would carry.
  • the device to be authenticated will perform the second access authentication based on the second random number generated by the device platform cloud.
  • Fig. 5 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application.
  • the method can be applied to the cross-platform access authentication system for smart devices as shown in FIG. 1 , and the method includes:
  • Step 501 The distribution network platform gateway sends a random number writing request to the custom cluster of the device to be authenticated, and the random number writing request carries a second random number.
  • the second random number is a random number generated by the device platform cloud.
  • the distribution network platform gateway obtains the second random number from the installation code response whose source address is the device platform cloud.
  • a custom cluster is a cluster (Cluster) defined by the manufacturer to which the device to be authenticated belongs.
  • the custom cluster of the device to be authenticated supports access by the distribution network platform gateway, and the access types include: write, return after write, read, etc.
  • step 501 includes: the distribution network platform gateway obtains the access type of the custom cluster, and in response to the access type of the custom cluster being return after write, sends a random number write request to the custom cluster.
  • when the access type of the custom cluster is return after write, the distribution network platform gateway can conveniently receive the device-side authentication key returned by the device to be authenticated after sending the random number write request.
  • Step 502 the device to be authenticated receives a random number writing request.
  • the random number writing request carries the second random number.
  • Step 503 the device to be authenticated generates a device-side authentication key based on the second random number.
  • the device-side authentication key is used to perform second access authentication of the device to be authenticated.
  • step 503 includes: the device to be authenticated uses a third key generation algorithm to process the second random number and the license key to generate a device-side authentication key.
  • the third key generation algorithm is a symmetric encryption algorithm, and the third key generation algorithm includes: AES-MMO hash algorithm.
  • Auth = AES-MMO(Kc, R2)
  • Auth is the device-side authentication key
  • Kc is the license key
  • R2 is the second random number.
  • the device to be authenticated stores the device-side authentication key in the attribute of the custom cluster.
  • the custom cluster includes at least one attribute (Attribute), and the attribute is a data entity reflecting the state or property of the device to be authenticated.
  • the attribute is used to store the device-side authentication key corresponding to the device to be authenticated.
  • the access type of the custom cluster is return after write.
  • Step 504 the device to be authenticated sends the device-side authentication key to the distribution network platform gateway.
  • After generating and storing the device-side authentication key, the device to be authenticated sends the device-side authentication key to the distribution network platform gateway.
  • Step 505 The distribution network platform gateway receives the device-side authentication key.
  • Step 506 the distribution network platform gateway sends an authentication device request to the device platform cloud through the distribution network platform cloud, where the authentication device request carries the device address identifier and the device-side authentication key.
  • the authentication device request is used to request the device platform cloud to perform second access authentication.
  • the authentication device request also carries the manufacturer identifier.
  • the distribution network platform gateway sends an authentication device request to the distribution network platform cloud, and the distribution network platform cloud determines the device platform cloud according to the manufacturer's identification, and forwards the authentication device request to the device platform cloud.
  • Step 507 the device platform cloud receives the authentication device request.
  • the source address of the authentication device request is the distribution network platform gateway
  • the authentication device request carries the device address identifier and the device-side authentication key
  • the device-side authentication key is a key generated by the device to be authenticated based on the second random number.
  • the device platform cloud receives an authentication device request whose source address is the distribution network platform gateway from the distribution network platform cloud.
  • Step 508 The device platform cloud performs second access authentication on the device-side authentication key according to the second random number.
  • the second random number is a random number generated by the device platform cloud.
  • the length of the second random number is 4 bytes.
  • step 508 includes: the device platform cloud determines the license key corresponding to the device to be authenticated according to the device address identifier; uses the third key generation algorithm to process the second random number and the license key to generate a cloud authentication key; and verifies the cloud authentication key against the device-side authentication key to determine the authentication result.
  • a relationship table between the device address identifier and the license key is stored in the device platform cloud, and the device platform cloud searches the relationship table according to the device address identifier to determine the license key corresponding to the device to be authenticated.
  • the third key generation algorithm is a symmetric encryption algorithm, and the third key generation algorithm includes: AES-MMO hash algorithm.
  • Auth' = AES-MMO(Kc, R2)
  • Auth' is the cloud authentication key
  • Kc is the license key
  • R2 is the second random number.
  • if the cloud authentication key and the device-side authentication key are equal, the authentication result is authentication success; if the cloud authentication key and the device-side authentication key are not equal, the authentication result is authentication failure.
  • Step 509 the device platform cloud sends the authentication result, and the destination address of the authentication result is the gateway of the distribution network platform.
  • the device platform cloud sends the authentication result to the distribution network platform cloud, and the distribution network platform cloud forwards the authentication result to the distribution network platform gateway.
  • Step 510 the distribution network platform gateway receives the authentication result.
  • the distribution network platform gateway receives the authentication result whose source address is the device platform cloud through the distribution network platform cloud.
  • the distribution network platform gateway will also perform any one of the following steps: in response to the authentication result being authentication success, update the authentication-side trust center link key; in response to the authentication result being authentication failure, add the device to be authenticated to the device blacklist.
  • the device blacklist is used to record the devices that fail to configure the network.
  • the devices to be authenticated in the device blacklist are removed from the network constructed by the distribution network platform gateway.
  • when the authentication succeeds, it has been verified that the authentication-side trust center link key is equal to the device-side trust center link key and that the device to be authenticated has joined the network constructed by the distribution network platform gateway; therefore, after successful authentication, the distribution network platform gateway updates the authentication-side trust center link key, which means that the distribution network platform gateway and the device to be authenticated synchronously update the trust center link keys on both sides.
  • the second random number generated by the device platform cloud is used to generate the cloud authentication key and the device-side authentication key, and the cloud authentication key and the device-side authentication key are used to perform the second access verification on the device to be authenticated.
  • the second access verification implements two-way verification, which further improves the reliability of the access verification.
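The two authentication rounds of Figs. 3 to 5, as an added example in Go that is not the patent's or any vendor's code: AES-MMO over AES-128, InstallCode = AES-MMO(Kc, R1) and TCLK = AES-MMO(InstallCode) on both sides, the Network Key transported under TCLK', and Auth = AES-MMO(Kc, R2) checked by the cloud. It assumes a 16-byte Kc, that AES-MMO(Kc, R) hashes the concatenation Kc || R, and uses a single raw AES block in place of the Network Key encryption the page does not specify.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// aesMMO is the AES-128 Matyas-Meyer-Oseas hash used by Zigbee: H0 = 0, Hj = AES(Hj-1, Mj) XOR Mj.
// Padding is 0x80, zeros, then the 16-bit big-endian bit length, so the input must be under 2^13 bits.
func aesMMO(msg []byte) ([16]byte, error) {
	var h [16]byte
	if len(msg) >= 1024 {
		return h, errors.New("aesMMO: input too long for the 16-bit length field")
	}
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%16 != 14 {
		padded = append(padded, 0x00)
	}
	var bitLen [2]byte
	binary.BigEndian.PutUint16(bitLen[:], uint16(len(msg)*8))
	padded = append(padded, bitLen[:]...)
	for i := 0; i < len(padded); i += 16 {
		block := padded[i : i+16]
		c, err := aes.NewCipher(h[:]) // the running hash value is the AES key
		if err != nil {
			return h, err
		}
		var out [16]byte
		c.Encrypt(out[:], block)
		for j := range h {
			h[j] = out[j] ^ block[j]
		}
	}
	return h, nil
}

// kdf is the page's AES-MMO(Kc, R) step, used for InstallCode (R = R1) and Auth (R = R2);
// hashing the concatenation Kc || R is this example's assumption, the page gives no order.
func kdf(kc []byte, r [4]byte) ([16]byte, error) {
	return aesMMO(append(append([]byte{}, kc...), r[:]...))
}

// aesBlock encrypts or decrypts one 16-byte block. A raw AES block stands in for the
// Zigbee APS transport-key protection the page leaves unspecified.
func aesBlock(key, in [16]byte, decrypt bool) [16]byte {
	var out [16]byte
	c, _ := aes.NewCipher(key[:]) // 16-byte key, cannot fail
	if decrypt {
		c.Decrypt(out[:], in[:])
	} else {
		c.Encrypt(out[:], in[:])
	}
	return out
}

// firstAccessAuth runs steps 310-313 together with steps 3093 and 3096: kcDevice is the
// license key held by the device, kcCloud the one the device platform cloud has on file
// for its EUI. It returns the Network Key the device recovers and whether it is correct.
func firstAccessAuth(kcDevice, kcCloud []byte, r1 [4]byte, networkKey [16]byte) ([16]byte, bool, error) {
	ic, err := kdf(kcDevice, r1) // device: InstallCode = AES-MMO(Kc, R1)
	if err != nil {
		return [16]byte{}, false, err
	}
	icPrime, err := kdf(kcCloud, r1) // cloud: InstallCode' = AES-MMO(Kc, R1)
	if err != nil {
		return [16]byte{}, false, err
	}
	tclk, _ := aesMMO(ic[:])           // device: TCLK = AES-MMO(InstallCode)
	tclkPrime, _ := aesMMO(icPrime[:]) // gateway: TCLK' = AES-MMO(InstallCode')
	wrapped := aesBlock(tclkPrime, networkKey, false) // step 311: Network Key under TCLK'
	got := aesBlock(tclk, wrapped, true)              // step 313: device unwraps with TCLK
	return got, got == networkKey, nil
}

// secondAccessAuth runs steps 503 and 508: the device computes Auth = AES-MMO(Kc, R2), the
// cloud computes Auth' from its own copy of Kc and compares; true means "authentication success".
func secondAccessAuth(kcDevice, kcCloud []byte, r2 [4]byte) (bool, error) {
	auth, err := kdf(kcDevice, r2)
	if err != nil {
		return false, err
	}
	authPrime, err := kdf(kcCloud, r2)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(auth[:], authPrime[:]) == 1, nil
}

func main() {
	// Constructed sample values (not from the page): a 16-byte license key, R1, R2 and the gateway's Network Key.
	kc, r1, r2 := []byte("constructed-Kc16"), [4]byte{1, 2, 3, 4}, [4]byte{5, 6, 7, 8}
	nk := [16]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}
	_, ok, _ := firstAccessAuth(kc, kc, r1, nk)
	ok2, _ := secondAccessAuth([]byte("wrong-license-ky"), kc, r2)
	fmt.Println("first access auth, genuine Kc:", ok, "| second access auth, wrong Kc:", ok2)
}
```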
  • the device to be authenticated is a Zigbee device
  • the network distribution platform gateway is configured with a Zigbee network.
  • CID represents the manufacturer's identity
  • R1 represents the first random number
  • Device ID represents the device identity
  • EUI represents the device address identity
  • R2 represents the second random number
  • Kc represents the license key
  • Install Code represents the installation code of the device side, Install Code' represents the installation code of the authentication side
  • TCLK represents the trust center link key of the device side
  • TCLK' represents the trust center link key of the authentication side
  • Network Key represents the network key
  • Auth represents the authentication key of the device side
  • Auth' represents the cloud authentication key.
  • FIG. 6 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application.
  • the method can be applied to the cross-platform access authentication system for smart devices as shown in FIG. 1 , and the method includes:
  • Step 61 the network distribution platform gateway builds a Zigbee network.
  • the distribution network platform gateway is a device capable of configuring Zigbee network.
  • Step 62 the user activates the distribution network platform gateway through the APP or voice.
  • Step 63 the distribution network platform gateway executes the access permission.
  • the distribution network platform gateway performs permission access by broadcasting a permit access (Permit Join) message.
  • Step 64 the distribution network platform gateway performs channel scanning.
  • Step 65 the Zigbee device uses the enhanced beacon frame format, fills the CID
  • the element ID (ElementID) of the enhanced beacon frame is 0x00.
  • CID is 3 bytes
  • R1 is 4 bytes
  • DeviceID is 2 bytes.
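As an added example (not code from the patent), a Go builder and parser for the enhanced beacon Header IE described above: Element ID 0x00 with CID (3 bytes), R1 (4 bytes) and Device ID (2 bytes) as content, and an EUI in the beacon payload. The IEEE 802.15.4 Header IE descriptor layout, little-endian field order and the 8-byte EUI-64 length are assumptions the page does not fix.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Field sizes the page gives for the enhanced beacon Header IE content, plus the
// Element ID it assigns. The EUI-64 length in the beacon payload is an assumption.
const (
	beaconElementID = 0x00
	cidLen          = 3
	r1Len           = 4
	deviceIDLen     = 2
	ieContentLen    = cidLen + r1Len + deviceIDLen
	euiLen          = 8
)

// BeaconInfo is what the gateway extracts from the enhanced beacon in step 302.
type BeaconInfo struct {
	CID      uint32  // manufacturer identity, 24 bits
	R1       [4]byte // first random number, carried as-is
	DeviceID uint16  // device type identity
	EUI      [8]byte // device address identity, carried in the beacon payload
}

// buildHeaderIE encodes the IEEE 802.15.4 Header IE descriptor (length in bits 0-6,
// Element ID in bits 7-14, type bit 15 clear) followed by CID || R1 || DeviceID.
// Multi-byte fields are little-endian as elsewhere in 802.15.4 (an assumption).
func buildHeaderIE(info BeaconInfo) []byte {
	ie := make([]byte, 2+ieContentLen)
	binary.LittleEndian.PutUint16(ie[0:2], uint16(ieContentLen)|uint16(beaconElementID)<<7)
	ie[2], ie[3], ie[4] = byte(info.CID), byte(info.CID>>8), byte(info.CID>>16)
	copy(ie[5:9], info.R1[:])
	binary.LittleEndian.PutUint16(ie[9:11], info.DeviceID)
	return ie
}

// parseEnhancedBeacon recovers the four identifiers from the Header IE bytes and the
// beacon payload. It rejects anything whose descriptor or lengths do not match the
// expected layout, so a regular beacon or a malformed frame is not misread.
func parseEnhancedBeacon(headerIE, payload []byte) (BeaconInfo, error) {
	var info BeaconInfo
	if len(headerIE) < 2 {
		return info, errors.New("header IE shorter than its descriptor")
	}
	d := binary.LittleEndian.Uint16(headerIE[0:2])
	if d>>15 != 0 {
		return info, errors.New("not a Header IE: type bit set")
	}
	if id := byte(d >> 7 & 0xff); id != beaconElementID {
		return info, fmt.Errorf("unexpected Element ID 0x%02x", id)
	}
	if l := int(d & 0x7f); l != ieContentLen || len(headerIE) != 2+ieContentLen {
		return info, fmt.Errorf("IE content length %d (bytes present %d), want %d", l, len(headerIE)-2, ieContentLen)
	}
	if len(payload) != euiLen {
		return info, fmt.Errorf("beacon payload length %d, want %d", len(payload), euiLen)
	}
	c := headerIE[2 : 2+cidLen]
	info.CID = uint32(c[0]) | uint32(c[1])<<8 | uint32(c[2])<<16
	copy(info.R1[:], headerIE[2+cidLen:2+cidLen+r1Len])
	info.DeviceID = binary.LittleEndian.Uint16(headerIE[2+cidLen+r1Len : 2+ieContentLen])
	copy(info.EUI[:], payload)
	return info, nil
}

func main() {
	// Constructed sample values, not from the page.
	in := BeaconInfo{CID: 0x10C7A5, R1: [4]byte{0xde, 0xad, 0xbe, 0xef}, DeviceID: 0x0302}
	copy(in.EUI[:], []byte{0x00, 0x12, 0x4b, 0x00, 0x01, 0x02, 0x03, 0x04})
	out, err := parseEnhancedBeacon(buildHeaderIE(in), in.EUI[:])
	fmt.Printf("%+v err=%v\n", out, err)
}
```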
  • Step 66 the distribution network platform gateway broadcasts the enhanced beacon frame, which carries the data CID
  • any one of the following two broadcasting modes is adopted: only the enhanced beacon frame is broadcast; or, the enhanced beacon frame and the regular beacon frame are broadcast alternately, which is compatible with the regular beacon frame.
  • Step 67 the distribution network platform gateway returns the Device ID.
  • DeviceID is a 16-bit identifier used to identify the device type.
  • Step 68 the user side broadcasts the device type.
  • the user side determines the device type of the Zigbee device according to the Device ID, and broadcasts it.
  • Step 69 the user performs input: connect the device.
  • After obtaining the device type of the Zigbee device, the user side sends an access request to the distribution network platform gateway.
  • Step 610 the distribution network platform gateway sends a beacon response to the Zigbee device.
  • the beacon response is used to respond to the enhanced beacon frame broadcast by the Zigbee device.
  • Step 611 the Zigbee device sends an association request to the distribution network platform gateway.
  • the association request is used to request access to the Zigbee network constructed by the distribution network platform gateway.
  • Step 612 the distribution network platform gateway sends an association response to the Zigbee device.
  • Association Responses are used to respond to association requests.
  • the association response carries the network address allocated to the Zigbee device by the distribution network platform gateway.
  • Step 613 the distribution network platform gateway sends an installation code request, which carries the data CID
  • Step 613.1 the distribution network platform cloud queries the device platform cloud according to the CID.
  • the distribution network platform cloud can know that the Zigbee device does not belong to the distribution network platform cloud through the CID, and obtain the cloud platform information of the corresponding manufacturer according to the CID.
  • Step 613.2 the distribution network platform cloud sends an installation code request to the device platform cloud, carrying the data R1
  • a correspondence table between EUI and Kc is stored in the device platform cloud.
  • Step 613.4 the device platform cloud returns an installation code response to the distribution network platform cloud, carrying the data Install Code' and R2.
  • Step 614 the distribution network platform cloud returns an installation code response to the distribution network platform gateway, carrying the data Install Code' and R2.
  • After obtaining the Install Code', the distribution network platform gateway generates TCLK' according to the Install Code'.
  • the distribution network platform gateway establishes and stores a correspondence table between EUI and TCLK'.
  • Install Code = AES-MMO(Kc, R1), TCLK = AES-MMO(Install Code).
  • Kc can only be stored in Zigbee device and device platform cloud.
  • Step 617 the network distribution platform gateway and the Zigbee device establish a network layer security channel through TCLK, and transmit the Network Key.
  • the distribution network platform gateway encrypts the NetworkKey through TCLK' and sends the encrypted data to the Zigbee device.
  • Step 618 the Zigbee device obtains the Network Key.
  • If the InstallCode of the Zigbee device is inconsistent with the InstallCode' of the device platform cloud, the Zigbee device cannot access the Zigbee network established by the distribution network platform gateway; only when the InstallCode of the Zigbee device is consistent with the InstallCode' of the device platform cloud can the Zigbee device obtain the correct NetworkKey.
  • Step 619 the distribution network platform gateway and the Zigbee device perform device announcement broadcast.
  • Device announce broadcast is used to indicate that the Zigbee device has accessed the Zigbee network constructed by the distribution network platform gateway.
  • Step 620 the distribution network platform gateway sends a random number write request, carrying the data R2.
  • the distribution network platform gateway obtains the access type of the custom cluster of the Zigbee device; in response to the access type of the custom cluster being write-return (W*R), a random number write request is sent to the custom cluster.
  • Step 622 the Zigbee device returns Auth to the distribution network platform gateway.
  • Step 623 the distribution network platform gateway sends an authentication device request to the distribution network platform cloud, carrying the data CID
  • Step 623.1 the distribution network platform cloud queries the device platform cloud according to the CID.
  • the distribution network platform cloud can determine from the CID that the Zigbee device does not belong to the distribution network platform cloud, and obtains the cloud platform information of the corresponding manufacturer according to the CID.
  • Step 623.2 the distribution network platform cloud sends an authentication device request to the device platform cloud, carrying the data Auth.
  • Step 623.4 the device platform cloud returns the authentication result to the distribution network platform cloud.
  • Step 624 the distribution network platform cloud returns the authentication result to the distribution network platform gateway.
  • Step 625 if the authentication fails, the distribution network platform gateway adds the Zigbee device to a device blacklist.
  • the device blacklist is used to record devices that fail network configuration.
  • the Zigbee devices in the device blacklist are removed from the Zigbee network constructed by the distribution network platform gateway.
  • Step 626 the distribution network platform gateway and the Zigbee device update the TCLK to establish a normal connection.
  • the updated TCLK is used to encrypt data transmitted at the application support sublayer (Application Support Sublayer, APS).
  • in the embodiment above, the authentication-side trust center link key is generated on the distribution network platform gateway side. In another possible implementation, the authentication-side trust center link key is generated on the device platform cloud side.
  • FIG. 7 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application.
  • the method can be applied to the cross-platform access authentication system for smart devices as shown in FIG. 1 .
  • the following steps of the method are adjusted:
  • InstallCode' is implicitly represented by the combination of Kc
  • a correspondence table between EUI and Kc is stored in the device platform cloud.
  • Step 713.4 the device platform returns an installation code response to the distribution network platform cloud, carrying the data TCLK' and R2.
  • Step 714 the distribution network platform cloud returns an installation code response to the distribution network platform gateway, carrying the data TCLK' and R2.
  • Step 715 the distribution network platform gateway establishes a correspondence table between EUI and TCLK'.
  • Kc is stored only in the Zigbee device and the device platform cloud.
  • the authentication-side trust center link key and the device-side trust center link key are generated directly from the first random number and the license key, so there is no need to further process an authentication-side installation code or a device-side installation code, which improves the efficiency of access authentication for Zigbee devices.
  • FIG. 8 shows a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application.
  • the apparatus can be implemented as a device to be authenticated, or can be implemented as a part of the device to be authenticated.
  • the apparatus includes: a beacon frame broadcasting module 801, a key generation module 802 and a first authentication module 803;
  • the beacon frame broadcasting module 801 is configured to broadcast a beacon frame, where the beacon frame carries the first random number generated by the device to be authenticated;
  • the key generation module 802 is configured to generate a device-side trust center link key based on the first random number and a license key, where the license key is a key stored in the device to be authenticated and the device platform cloud;
  • the first authentication module 803 is configured to use the device-side trust center link key to perform first access authentication with the distribution network platform gateway.
  • the first authentication module 803 is configured to obtain a network key based on the device-side trust center link key, where the network key is used to encrypt data at the network layer after the first access authentication.
  • the first authentication module 803 is configured to receive encryption key information sent by the distribution network platform gateway, where the encryption key information is obtained by the distribution network platform gateway by encrypting the network key with the authentication-side trust center link key, and the authentication-side trust center link key is generated by the distribution network platform gateway or the device platform cloud; and to process the encryption key information with the device-side trust center link key to obtain the network key.
  • the apparatus further includes: a device announcement broadcasting module; the device announcement broadcasting module is configured to broadcast a device announcement message, where the device announcement message is used to indicate that the device to be authenticated has accessed the network constructed by the distribution network platform gateway.
  • the key generation module 802 is configured to process the first random number and the license key with a first key generation algorithm to generate a device-side installation code, and to use the device-side installation code as the device-side trust center link key; or, the key generation module 802 is configured to process the first random number and the license key with the first key generation algorithm to generate the device-side installation code, and to process the device-side installation code with a second key generation algorithm to generate the device-side trust center link key.
  • the first key generation algorithm includes: an AES-MMO hash algorithm.
  • the second key generation algorithm includes: the AES-MMO hash algorithm.
  • the beacon frame is an enhanced beacon frame.
  • the first random number is filled in a header information element field of the enhanced beacon frame.
  • the beacon frame broadcasting module 801 is configured to broadcast the enhanced beacon frame; or, the beacon frame broadcasting module 801 is configured to alternately broadcast the enhanced beacon frame and a regular beacon frame.
  • the beacon frame further carries a device identifier, where the device identifier is used to identify the type of the device to be authenticated.
  • the beacon frame further carries a manufacturer identifier, where the manufacturer identifier is used to identify the manufacturer to which the device to be authenticated belongs.
  • the beacon frame further carries a device address identifier, where the device address identifier is used to identify the MAC address of the device to be authenticated.
  • the apparatus further includes: a beacon response receiving module and an association module; the beacon response receiving module is configured to receive a beacon response sent by the distribution network platform gateway, where the beacon response is used to respond to the beacon frame; the association module is configured to send an association request to the distribution network platform gateway, where the association request is used to request access to the network constructed by the distribution network platform gateway, and to receive an association response sent by the distribution network platform gateway, where the association response is used to respond to the association request.
  • the apparatus further includes: a second authentication module; the second authentication module is configured to generate a device-side authentication key based on a second random number generated by the device platform cloud, where the device-side authentication key is used to perform second access authentication of the device to be authenticated, and to send the device-side authentication key to the distribution network platform gateway.
  • the second authentication module is configured to process the second random number and the license key with a third key generation algorithm to generate the device-side authentication key.
  • the third key generation algorithm includes: AES-MMO hash algorithm.
  • the apparatus further includes: a request receiving module; the request receiving module is configured to receive a random number write request sent by the distribution network platform gateway to the custom cluster of the device to be authenticated, where the random number write request carries the second random number.
  • the apparatus further includes: a key storage module; the key storage module is configured to store the device-side authentication key in the attribute of the custom cluster.
  • the access type of the custom cluster is write-return.
  • FIG. 9 shows a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application.
  • the apparatus may be implemented as a distribution network platform gateway, or may be implemented as a part of a distribution network platform gateway.
  • the apparatus includes: a beacon frame receiving module 901, a key determination module 902 and a first authentication module 903;
  • the beacon frame receiving module 901 is configured to receive a beacon frame broadcast by a device to be authenticated, where the beacon frame carries a first random number generated by the device to be authenticated;
  • the key determination module 902 is configured to interact with the device platform cloud through the distribution network platform cloud to obtain an authentication-side trust center link key, where the authentication-side trust center link key is a key generated based on the first random number and a license key, and the license key is a key stored in the device to be authenticated and the device platform cloud;
  • the first authentication module 903 is configured to use the authentication-side trust center link key to perform first access authentication with the device to be authenticated.
  • the first authentication module 903 is configured to send encryption key information to the device to be authenticated, where the encryption key information is obtained by encrypting the network key with the authentication-side trust center link key, and the network key is used to encrypt data at the network layer after the first access authentication.
  • the apparatus further includes: a device announcement receiving module; the device announcement receiving module is configured to receive a device announcement message sent by the device to be authenticated, where the device announcement message is used to indicate that the device to be authenticated has accessed the network constructed by the distribution network platform gateway.
  • the beacon frame further carries a device address identifier of the device to be authenticated, and the device address identifier is used to identify the MAC address of the device to be authenticated;
  • the key determination module 902 is configured to send an installation code request to the device platform cloud through the distribution network platform cloud, where the installation code request carries the device address identifier and the first random number, and the first random number is used by the device platform cloud to generate an authentication-side installation code; to receive, through the distribution network platform cloud, an installation code response whose source address is the device platform cloud; and to determine the authentication-side trust center link key based on the installation code response.
  • the installation code response carries the authentication-side installation code; the key determination module 902 is configured to use the authentication-side installation code as the authentication-side trust center link key; or, the key determination module 902 is configured to process the authentication-side installation code with the second key generation algorithm to generate the authentication-side trust center link key.
  • the second key generation algorithm includes: an AES-MMO hash algorithm.
  • the installation code response further carries a second random number generated by the device platform cloud.
  • the apparatus further includes: an authentication request module; the authentication request module is configured to send a random number write request to the custom cluster of the device to be authenticated, where the random number write request carries a second random number and the second random number is obtained by the distribution network platform gateway from the installation code response whose source address is the device platform cloud; to receive the device-side authentication key sent by the device to be authenticated, where the device-side authentication key is used for second access authentication of the device to be authenticated; and to send an authentication device request to the device platform cloud through the distribution network platform cloud, where the authentication device request carries the device address identifier and the device-side authentication key, and the device address identifier is used to identify the MAC address of the device to be authenticated.
  • the authentication request module is configured to obtain the access type of the custom cluster, and, in response to the access type of the custom cluster being write-return, to send the random number write request to the custom cluster.
  • the apparatus further includes: an authentication result processing module; the authentication result processing module is configured to receive, through the distribution network platform cloud, an authentication result whose source address is the device platform cloud; in response to the authentication result being authentication success, to update the authentication-side trust center link key; and in response to the authentication result being authentication failure, to add the device to be authenticated to the device blacklist, where the device blacklist is used to record devices that fail network configuration.
  • the apparatus further includes: a beacon response sending module and an association module; the beacon response sending module is configured to send a beacon response to the device to be authenticated, where the beacon response is used to respond to the beacon frame; the association module is configured to receive an association request sent by the device to be authenticated, where the association request is used to request access to the network constructed by the distribution network platform gateway, and to send an association response to the device to be authenticated, where the association response is used to respond to the association request.
  • the beacon frame further carries a device identifier, where the device identifier is used to identify the type of the device to be authenticated.
  • the apparatus further includes: an access request receiving module; the access request receiving module is configured to send the device identifier to a control device, where the control device is used to control the distribution network platform gateway, and to receive an access request sent by the control device, where the access request is used to trigger the distribution network platform gateway to feed back a beacon response, and the beacon response is used to respond to the beacon frame.
  • the beacon frame is an enhanced beacon frame.
  • the first random number is filled in a header information element field of the enhanced beacon frame.
  • FIG. 10 shows a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application.
  • the apparatus may be implemented as a device platform cloud, or may be implemented as a part of the device platform cloud, and the apparatus includes: a key determination module 1001;
  • the key determination module 1001 is configured to interact with the distribution network platform gateway so that the distribution network platform gateway obtains an authentication-side trust center link key, where the authentication-side trust center link key is a key generated according to the first random number generated by the device to be authenticated, and the authentication-side trust center link key is used to perform first access authentication of the device to be authenticated.
  • the key determination module 1001 is configured to receive an installation code request whose source address is the distribution network platform gateway, where the installation code request carries the device address identifier corresponding to the device to be authenticated and the first random number, and the device address identifier is used to identify the MAC address of the device to be authenticated; to generate an authentication-side installation code based on the first random number; and to send an installation code response whose destination address is the distribution network platform gateway, where the installation code response carries the authentication-side installation code, and the authentication-side installation code is used by the distribution network platform gateway to determine the authentication-side trust center link key.
  • the key determination module 1001 is configured to determine the license key corresponding to the device to be authenticated according to the device address identifier, and to process the first random number and the license key with a first key generation algorithm to generate the authentication-side installation code.
  • the first key generation algorithm includes: an AES-MMO hash algorithm.
  • the installation code response further carries a second random number generated by the device platform cloud.
  • the apparatus further includes: a second authentication module; the second authentication module is configured to receive an authentication device request whose source address is the distribution network platform gateway, where the authentication device request carries a device address identifier and a device-side authentication key, the device-side authentication key is a key generated by the device to be authenticated based on a second random number, and the second random number is generated by the device platform cloud; and to perform second access authentication on the device-side authentication key according to the second random number, where the device address identifier is used to identify the MAC address of the device to be authenticated.
  • the second authentication module is configured to determine the license key corresponding to the device to be authenticated according to the device address identifier; to process the second random number and the license key with a third key generation algorithm to generate a cloud authentication key; and to verify the cloud authentication key against the device-side authentication key to determine the authentication result.
  • the third key generation algorithm includes: AES-MMO hash algorithm.
  • the apparatus further includes: an authentication result sending module; the authentication result sending module is configured to send the authentication result, and the destination address of the authentication result is the distribution network platform gateway.
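The key schedule described in steps 617 to 626 and in the FIG. 7 variant (steps 713.4 to 715, where the device platform cloud returns TCLK' directly), as the FIG. 8 to FIG. 10 modules restate it: InstallCode and TCLK derived from R1 and Kc, Auth derived from R2 and Kc, all through AES-MMO, with the NetworkKey mismatch of step 618 and the blacklist of step 625. This is an added Go example, not code from the patent or from Oppo; it assumes an R||Kc input layout for the three key-generation algorithms (the page does not fix one), my own reading of the Zigbee AES-MMO padding, a single AES block standing in for the APS encryption of the NetworkKey, and the distribution network platform cloud relay collapsed into direct calls; the EUI and Kc values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
)

// aesMMO is Matyas-Meyer-Oseas over AES-128 (Zigbee's AES-MMO): H0 = 0^128, Hi = AES_{H(i-1)}(Mi) XOR Mi.
// The padding (0x80, zeros, 16-bit big-endian bit length; inputs under 2^13 bits) is my reading of
// the Zigbee short-message rule and is not checked against published test vectors.
func aesMMO(msg []byte) [16]byte {
	if len(msg) >= 1024 {
		panic("aesMMO: input too long for the 16-bit length field")
	}
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%16 != 14 {
		padded = append(padded, 0x00)
	}
	var lenField [2]byte
	binary.BigEndian.PutUint16(lenField[:], uint16(len(msg)*8))
	padded = append(padded, lenField[:]...)
	var h [16]byte // H0 = 0^128
	for i := 0; i < len(padded); i += 16 {
		var out [16]byte
		mustAES(h).Encrypt(out[:], padded[i:i+16])
		for j := range h {
			h[j] = out[j] ^ padded[i+j]
		}
	}
	return h
}

func mustAES(key [16]byte) cipher.Block {
	c, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err)
	}
	return c
}

// random16 draws a fresh 128-bit value (R1, R2 and the NetworkKey in this example).
func random16() [16]byte {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return b
}

// The page's three key-generation algorithms are all AES-MMO; the R||Kc input layout is an assumption.
func deriveInstallCode(r [16]byte, kc []byte) [16]byte { return aesMMO(append(append([]byte{}, r[:]...), kc...)) }
func deriveTCLK(installCode [16]byte) [16]byte          { return aesMMO(installCode[:]) }
func deriveAuth(r2 [16]byte, kc []byte) [16]byte        { return deriveInstallCode(r2, kc) }

// DevicePlatformCloud keeps the EUI -> Kc table (FIG. 7 variant); Kc is read only here and on the device.
type DevicePlatformCloud struct{ Table map[string][]byte }

// InstallCodeResponse is steps 713.4/714: TCLK' derived from R1 and Kc, returned together with a fresh R2.
func (c DevicePlatformCloud) InstallCodeResponse(eui string, r1 [16]byte) ([16]byte, [16]byte, bool) {
	kc, ok := c.Table[eui]
	if !ok {
		return [16]byte{}, [16]byte{}, false
	}
	return deriveTCLK(deriveInstallCode(r1, kc)), random16(), true
}

// VerifyAuth is steps 623.2 to 623.4: recompute Auth from R2 and Kc and compare in constant time.
func (c DevicePlatformCloud) VerifyAuth(eui string, r2, auth [16]byte) bool {
	kc, ok := c.Table[eui]
	if !ok {
		return false
	}
	expected := deriveAuth(r2, kc)
	return subtle.ConstantTimeCompare(expected[:], auth[:]) == 1
}

// Join runs steps 617 to 625 for one device whose own copy of Kc is deviceKc. It reports whether
// the device recovered the NetworkKey and whether it passed the second authentication; on failure
// the gateway adds the EUI to its blacklist. The gateway itself never sees Kc.
func Join(cloud DevicePlatformCloud, eui string, deviceKc []byte, blacklist map[string]bool) (gotNetworkKey, authenticated bool) {
	r1 := random16() // the device generates R1 and carries it in its beacon frame
	tclkPrime, r2, ok := cloud.InstallCodeResponse(eui, r1)
	if !ok {
		return false, false // no Kc on record for this EUI
	}
	tclk := deriveTCLK(deriveInstallCode(r1, deviceKc)) // device side, from its own Kc
	// Steps 617/618: NetworkKey sent under TCLK', removed on the device with TCLK (AES block stands in for APS).
	var wire, recovered [16]byte
	networkKey := random16()
	mustAES(tclkPrime).Encrypt(wire[:], networkKey[:])
	mustAES(tclk).Decrypt(recovered[:], wire[:])
	gotNetworkKey = recovered == networkKey
	// Steps 620 to 625: R2 written to the custom cluster, Auth returned by the device and verified by the cloud.
	authenticated = cloud.VerifyAuth(eui, r2, deriveAuth(r2, deviceKc))
	if !authenticated {
		blacklist[eui] = true
	}
	return gotNetworkKey, authenticated
}
```

A device whose Kc does not match the cloud's record derives a different TCLK, decrypts the transported NetworkKey to garbage, fails the Auth check and lands on the blacklist, which is the behaviour steps 618 and 625 describe.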
  • FIG. 11 shows a schematic structural diagram of a computer device (such as a device to be authenticated, a distribution network platform gateway, or a device platform cloud) provided by an exemplary embodiment of the present application.
  • the computer device includes: a processor 101, a receiver 102, a transmitter 103, a memory 104 and a bus 105.
  • the processor 101 includes one or more processing cores, and the processor 101 executes various functional applications and information processing by running software programs and modules.
  • the receiver 102 and the transmitter 103 may be implemented as a communication component, which may be a communication chip.
  • the memory 104 is connected to the processor 101 through the bus 105.
  • the memory 104 may be configured to store at least one instruction, and the processor 101 may be configured to execute the at least one instruction, so as to implement various steps in the foregoing method embodiments.
  • the memory 104 may be implemented by any type or combination of volatile or non-volatile storage devices, including but not limited to magnetic or optical disks, Electrically-Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Static Random Access Memory (SRAM), Read-Only Memory (ROM), magnetic memory, flash memory, and Programmable Read-Only Memory (PROM).
  • when the computer device is implemented as a device to be authenticated, the computer device includes a processor, a memory, and a transceiver (the transceiver may include a receiver for receiving information and a transmitter for transmitting information);
  • the transceiver is configured to broadcast a beacon frame, where the beacon frame carries the first random number generated by the device to be authenticated;
  • the processor is configured to generate a device-side trust center link key based on the first random number and a license key, where the license key is a key stored in the device to be authenticated and the device platform cloud;
  • the processor is configured to use the device-side trust center link key to perform first access authentication with the distribution network platform gateway.
  • the processor and transceiver in the computer device involved in the embodiments of the present application may execute the steps performed by the device to be authenticated in any of the methods shown in FIG. 2 to FIG. 5 above; the steps are not repeated here.
  • when the computer device is implemented as a distribution network platform gateway:
  • the transceiver is configured to receive a beacon frame broadcast by the device to be authenticated, where the beacon frame carries the first random number generated by the device to be authenticated;
  • the processor is configured to interact with the device platform cloud through the distribution network platform cloud to obtain the authentication-side trust center link key, where the authentication-side trust center link key is a key generated based on the first random number and the license key, and the license key is the key stored in the device to be authenticated and the device platform cloud;
  • the processor is configured to perform first access authentication with the device to be authenticated by using the authentication-side trust center link key.
  • the processor and transceiver in the computer device involved in the embodiments of the present application may execute the steps performed by the distribution network platform gateway in any of the methods shown in FIG. 2 to FIG. 5 above; the steps are not repeated here.
  • when the computer device is implemented as a device platform cloud:
  • the processor is configured to interact with the distribution network platform gateway so that the distribution network platform gateway obtains the authentication-side trust center link key, where the authentication-side trust center link key is a key generated according to the first random number generated by the device to be authenticated, and the authentication-side trust center link key is used to perform first access authentication of the device to be authenticated.
  • the processors and transceivers in the computer device involved in the embodiments of the present application may execute any of the methods shown in FIG. 2 to FIG. The steps are not repeated here.
  • a computer-readable storage medium is also provided; a computer program is stored in the computer-readable storage medium, and the computer program is loaded and executed by a processor to implement the access authentication method performed by a computer device as provided in the foregoing method embodiments.
  • a computer program product is also provided which, when running on the processor of the computer device, causes the computer device to execute the access authentication method described in the above aspects.
  • a chip is also provided; the chip includes a programmable logic circuit and/or program instructions, and when the chip runs on a computer device, it is used to implement the access authentication method described in the above aspects.

Abstract

The present application discloses an access authentication method and apparatus, a device, and a storage medium, relating to the field of wireless communications. Said method is applied to a device to be authenticated. Said method comprises: broadcasting a beacon frame, the beacon frame carrying a first random number generated by a device to be authenticated; generating a device end trust center link key on the basis of the first random number and a license key, the license key being a key stored in said device and a device platform cloud; and performing first access authentication with a network distribution platform gateway by using the device end trust center link key. The present application provides a solution for implementing cross-platform access authentication of a smart device.

Description

接入认证方法、装置、设备及存储介质Access authentication method, device, device and storage medium 技术领域technical field
本申请涉及无线通信领域,特别涉及一种接入认证方法、装置、设备及存储介质。The present application relates to the field of wireless communication, and in particular, to an access authentication method, apparatus, device, and storage medium.
背景技术Background technique
智能设备可以跨域不同的平台进行接入认证。Smart devices can perform access authentication across different platforms.
示例性的,为智能设备进行组网,构建网络的是A平台网关,A平台网关对应的平台云为A平台云,而智能设备所属厂商对应的平台云为B平台云。Exemplarily, to build a network for the smart device, the A platform gateway is used to construct the network, the platform cloud corresponding to the A platform gateway is the A platform cloud, and the platform cloud corresponding to the manufacturer to which the smart device belongs is the B platform cloud.
如何实现智能设备的跨平台接入认证,相关技术尚未提供较好的解决方案。How to realize cross-platform access authentication of smart devices, related technologies have not yet provided a better solution.
发明内容SUMMARY OF THE INVENTION
本申请实施例提供了一种接入认证方法、装置、设备及存储介质,提供了一种智能设备的跨平台接入认证的实现方案。所述技术方案如下:The embodiments of the present application provide an access authentication method, apparatus, device, and storage medium, and provide an implementation solution for cross-platform access authentication of smart devices. The technical solution is as follows:
根据本申请的一个方面,提供了一种接入认证方法,应用于待认证设备,所述方法包括:According to an aspect of the present application, an access authentication method is provided, which is applied to a device to be authenticated, and the method includes:
广播信标帧,所述信标帧携带所述待认证设备生成的第一随机数;broadcasting a beacon frame, where the beacon frame carries the first random number generated by the device to be authenticated;
基于所述第一随机数以及许可密钥,生成设备端信任中心链接密钥,所述许可密钥是存放于所述待认证设备以及设备平台云中的密钥;Based on the first random number and a license key, a device-side trust center link key is generated, and the license key is a key stored in the device to be authenticated and the device platform cloud;
使用所述设备端信任中心链接密钥,与配网平台网关进行第一接入认证。Use the device-side trust center link key to perform first access authentication with the distribution network platform gateway.
According to an aspect of the present application, an access authentication method is provided, applied to a distribution network platform gateway, the distribution network platform gateway supporting the construction of a network and the cloud server corresponding to the distribution network platform gateway being a distribution network platform cloud, the method including:
receiving a beacon frame broadcast by a device to be authenticated, the beacon frame carrying a first random number generated by the device to be authenticated;
interacting with a device platform cloud through the distribution network platform cloud to obtain an authenticator-side trust center link key, the authenticator-side trust center link key being a key generated based on the first random number and a license key, the license key being a key stored in the device to be authenticated and in the device platform cloud; and
performing first access authentication with the device to be authenticated using the authenticator-side trust center link key.
According to an aspect of the present application, an access authentication method is provided, applied to a device platform cloud, the device platform cloud being the cloud server of the manufacturer to which a device to be authenticated belongs, the method including:
interacting with a distribution network platform gateway so that the distribution network platform gateway obtains an authenticator-side trust center link key, the authenticator-side trust center link key being a key generated according to a first random number generated by the device to be authenticated, and the authenticator-side trust center link key being used for first access authentication of the device to be authenticated.
According to an aspect of the present application, an access authentication apparatus is provided, applied to a device to be authenticated, the apparatus including a beacon frame broadcasting module, a key generation module and a first authentication module;
the beacon frame broadcasting module being configured to broadcast a beacon frame, the beacon frame carrying a first random number generated by the device to be authenticated;
the key generation module being configured to generate a device-side trust center link key based on the first random number and a license key, the license key being a key stored in the device to be authenticated and in a device platform cloud; and
the first authentication module being configured to perform first access authentication with a distribution network platform gateway using the device-side trust center link key.
According to an aspect of the present application, an access authentication apparatus is provided, applied to a distribution network platform gateway, the distribution network platform gateway supporting the construction of a network and the cloud server corresponding to the distribution network platform gateway being a distribution network platform cloud, the apparatus including a beacon frame receiving module, a key determination module and a first authentication module;
the beacon frame receiving module being configured to receive a beacon frame broadcast by a device to be authenticated, the beacon frame carrying a first random number generated by the device to be authenticated;
the key determination module being configured to interact with a device platform cloud through the distribution network platform cloud to obtain an authenticator-side trust center link key, the authenticator-side trust center link key being a key generated based on the first random number and a license key, the license key being a key stored in the device to be authenticated and in the device platform cloud; and
the first authentication module being configured to perform first access authentication with the device to be authenticated using the authenticator-side trust center link key.
According to an aspect of the present application, an access authentication apparatus is provided, applied to a device platform cloud, the device platform cloud being the cloud server of the manufacturer to which a device to be authenticated belongs, the apparatus including a key determination module;
the key determination module being configured to interact with a distribution network platform gateway so that the distribution network platform gateway obtains an authenticator-side trust center link key, the authenticator-side trust center link key being a key generated according to a first random number generated by the device to be authenticated, and the authenticator-side trust center link key being used for first access authentication of the device to be authenticated.
According to an aspect of the present application, a device to be authenticated is provided, the device to be authenticated including a processor and a transceiver connected to the processor, wherein:
the transceiver is configured to broadcast a beacon frame, the beacon frame carrying a first random number generated by the device to be authenticated;
the processor is configured to generate a device-side trust center link key based on the first random number and a license key, the license key being a key stored in the device to be authenticated and in a device platform cloud; and
the processor is configured to perform first access authentication with a distribution network platform gateway using the device-side trust center link key.
According to an aspect of the present application, a distribution network platform gateway is provided, the distribution network platform gateway supporting the construction of a Zigbee network and the cloud server corresponding to the distribution network platform gateway being a distribution network platform cloud, the distribution network platform gateway including a processor and a transceiver connected to the processor, wherein:
the transceiver is configured to receive a beacon frame broadcast by a device to be authenticated, the beacon frame carrying a first random number generated by the device to be authenticated;
the processor is configured to interact with a device platform cloud through the distribution network platform cloud to obtain an authenticator-side trust center link key, the authenticator-side trust center link key being a key generated based on the first random number and a license key, the license key being a key stored in the device to be authenticated and in the device platform cloud; and
the processor is configured to perform first access authentication with the device to be authenticated using the authenticator-side trust center link key.
According to an aspect of the present application, a device platform cloud is provided, the device platform cloud being the cloud server of the manufacturer to which a device to be authenticated belongs, the device platform cloud including a processor and a transceiver connected to the processor, wherein:
the processor is configured to interact with a distribution network platform gateway so that the distribution network platform gateway obtains an authenticator-side trust center link key, the authenticator-side trust center link key being a key generated according to a first random number generated by the device to be authenticated, and the authenticator-side trust center link key being used for first access authentication of the device to be authenticated.
According to an aspect of the present application, a computer-readable storage medium is provided, in which a computer program is stored, the computer program being loaded and executed by a processor to implement the access authentication method according to the above aspects.
According to an aspect of the embodiments of the present application, a chip is provided, the chip including a programmable logic circuit and/or program instructions and, when run on a network device, implementing the access authentication method according to the above aspects.
According to an aspect of the present application, a computer program product is provided which, when run on a processor of a network device, causes the network device to perform the access authentication method according to the above aspects.
The technical solutions provided by the embodiments of the present application have at least the following beneficial effects:
The beacon frame broadcast by the device to be authenticated carries a first random number, which is used to generate the authenticator-side trust center link key and the device-side trust center link key required to perform first access authentication between the distribution network platform gateway and the device to be authenticated. The first random number is generated dynamically each time first access authentication is performed, which safeguards the security of the first access authentication. Moreover, in the embodiments of the present application, the distribution network platform gateway interacts with the device platform cloud through the distribution network platform cloud to obtain the authenticator-side trust center link key required for first access authentication, and the distribution network platform gateway and the device to be authenticated then perform first access authentication using the authenticator-side trust center link key and the device-side trust center link key respectively. Cross-platform access authentication of the device to be authenticated is thereby realized, extending the scenarios in which access authentication of such devices can be implemented.
Description of the drawings
In order to explain the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present application, and a person of ordinary skill in the art could derive other drawings from them without creative effort.
FIG. 1 is a block diagram of a cross-platform access authentication system for smart devices provided by an exemplary embodiment of the present application;
FIG. 2 is a flowchart of an access authentication method provided by an exemplary embodiment of the present application;
FIG. 3 is a flowchart of an access authentication method provided by an exemplary embodiment of the present application;
FIG. 4 is a flowchart of an access authentication method provided by an exemplary embodiment of the present application;
FIG. 5 is a flowchart of an access authentication method provided by an exemplary embodiment of the present application;
FIG. 6 is a flowchart of an access authentication method provided by an exemplary embodiment of the present application;
FIG. 7 is a flowchart of an access authentication method provided by an exemplary embodiment of the present application;
FIG. 8 is a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application;
FIG. 9 is a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application;
FIG. 10 is a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application;
FIG. 11 is a schematic structural diagram of a computer device provided by an exemplary embodiment of the present application.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
First, the terms used in the embodiments of the present application are briefly introduced:
Zigbee technology:
Zigbee is a low-power local area network protocol based on the Institute of Electrical and Electronics Engineers (IEEE) 802.15.4 standard. According to the international standard, ZigBee is a short-range, low-power wireless communication technology.
Since the typical transmission range of ZigBee is less than 1 km (that is, short range), it is mainly used in personal area networks (PAN).
Beacon frame:
The beacon specification in IEEE 802.15.4 defines two beacon frame formats: the regular beacon frame and the enhanced beacon frame.
The enhanced beacon frame differs from the regular beacon frame in that its variable-length part adds an Information Elements (IEs) field and omits the Guaranteed Time Slot (GTS) field and the Pending Address field.
See Table 1 below.
Table 1: Enhanced beacon frame
Figure PCTCN2020133686-appb-000001
As shown in Table 1, in the enhanced beacon frame the information element field is further divided into Header IEs and Payload IEs.
In a header IE, an Element ID of 0 indicates that the content is filled with manufacturer-defined information. The data length ranges from 0 to 127 bytes; the first 3 bytes may be the vendor's Organizationally Unique Identifier (OUI), and the remaining bytes may be customized by the manufacturer. In the embodiments of the present application, the header IE is filled with the first random number, the device identifier and the manufacturer identifier.
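The following Python code is an added illustration and is not part of the patent or of any product of the applicant. It builds and parses a vendor-specific header IE (Element ID 0) whose content is an OUI followed by the 4-byte first random number, the 2-byte device identifier and the 3-byte manufacturer identifier, and it rejects an IE whose declared length does not match the bytes actually received. The field order, the little-endian integer encoding and the 2-byte descriptor layout (7-bit length, 8-bit Element ID, 1-bit type) are assumptions; the text above fixes only the field lengths and the 0-127 byte range.

```python
"""Build/parse the vendor-specific header IE carrying nonce, DeviceID and CID (added example)."""
from dataclasses import dataclass

OUI_LEN, NONCE_LEN, DEVICE_ID_LEN, CID_LEN = 3, 4, 2, 3
MIN_CONTENT_LEN = OUI_LEN + NONCE_LEN + DEVICE_ID_LEN + CID_LEN  # 12 bytes
MAX_CONTENT_LEN = 127            # 7-bit length field: content is 0..127 bytes
VENDOR_ELEMENT_ID = 0            # Element ID 0 = manufacturer-defined content
HEADER_IE_TYPE = 0               # type bit 0 = header IE, 1 = payload IE (assumed layout)


@dataclass(frozen=True)
class VendorBeaconInfo:
    oui: bytes
    nonce: bytes        # first random number (4 bytes)
    device_id: int      # DeviceID, device type (2 bytes)
    cid: int            # CompanyIdentifier, manufacturer (3 bytes)
    extra: bytes        # any further manufacturer-defined bytes


def parse_header_ie_descriptor(raw: bytes) -> tuple:
    """Return (length, element_id, ie_type) from the 2-byte little-endian descriptor.
    Assumed bit layout: bits 0-6 length, bits 7-14 Element ID, bit 15 type."""
    if len(raw) < 2:
        raise ValueError("truncated IE descriptor")
    desc = int.from_bytes(raw[:2], "little")
    return desc & 0x7F, (desc >> 7) & 0xFF, (desc >> 15) & 0x1


def build_vendor_header_ie(oui: bytes, nonce: bytes, device_id: int, cid: int,
                           extra: bytes = b"") -> bytes:
    """Serialize the IE as the device would place it in its enhanced beacon."""
    if len(oui) != OUI_LEN or len(nonce) != NONCE_LEN:
        raise ValueError("OUI must be 3 bytes and the first random number 4 bytes")
    content = (oui + nonce + device_id.to_bytes(DEVICE_ID_LEN, "little")
               + cid.to_bytes(CID_LEN, "little") + extra)
    if len(content) > MAX_CONTENT_LEN:
        raise ValueError("vendor content exceeds 127 bytes")
    descriptor = len(content) | (VENDOR_ELEMENT_ID << 7) | (HEADER_IE_TYPE << 15)
    return descriptor.to_bytes(2, "little") + content


def parse_vendor_header_ie(raw: bytes) -> VendorBeaconInfo:
    """Parse the IE as the gateway would on receiving the beacon; never trust the length field."""
    length, element_id, ie_type = parse_header_ie_descriptor(raw)
    if ie_type != HEADER_IE_TYPE:
        raise ValueError("not a header IE")
    if element_id != VENDOR_ELEMENT_ID:
        raise ValueError("not the vendor-specific header IE (Element ID 0)")
    content = raw[2:2 + length]
    if len(content) != length:
        raise ValueError("declared length exceeds the bytes actually received")
    if length < MIN_CONTENT_LEN:
        raise ValueError("content too short for OUI, nonce, DeviceID and CID")
    pos = 0
    oui = content[pos:pos + OUI_LEN]
    pos += OUI_LEN
    nonce = content[pos:pos + NONCE_LEN]
    pos += NONCE_LEN
    device_id = int.from_bytes(content[pos:pos + DEVICE_ID_LEN], "little")
    pos += DEVICE_ID_LEN
    cid = int.from_bytes(content[pos:pos + CID_LEN], "little")
    pos += CID_LEN
    return VendorBeaconInfo(oui, nonce, device_id, cid, content[pos:])


def is_rejected(raw: bytes) -> bool:
    """True if the receiver discards this IE instead of extracting a nonce from it."""
    try:
        parse_vendor_header_ie(raw)
    except ValueError:
        return True
    return False


# Constructed sample values (not from the patent).
SAMPLE_OUI = bytes.fromhex("00124b")
SAMPLE_NONCE = bytes.fromhex("deadbeef")
SAMPLE_IE = build_vendor_header_ie(SAMPLE_OUI, SAMPLE_NONCE, device_id=0x0101, cid=0x00ABCD)
```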
A device supporting the Zigbee protocol is a Zigbee device, and each Zigbee device has a unique install code (InstallCode). The Zigbee gateway needs to obtain the install code of the Zigbee device in order to admit the Zigbee device to the Zigbee network created by the Zigbee gateway.
In the related art, the install code of the Zigbee device is obtained by scanning the device's QR code with a mobile phone or by entering it manually on the phone, and the phone then sends the install code to the Zigbee gateway, which requires considerable human interaction.
Moreover, the above related art does not achieve cross-platform access authentication of Zigbee devices, and a solution for cross-platform access authentication of Zigbee devices is urgently needed.
The solution provided by the present application is described below by way of example.
FIG. 1 shows a block diagram of a cross-platform access authentication system for smart devices provided by an exemplary embodiment of the present application. The system may include a device to be authenticated 12, a distribution network platform gateway 141, a distribution network platform cloud 142 and a device platform cloud 16.
The device to be authenticated 12 is a device capable of accessing a network. Optionally, the device to be authenticated 12 is a smart device (such as virtual reality (VR) glasses or a smart wearable device), a terminal device, or another device with network access capability, which is not limited in the embodiments of the present application. In one example, where the system is applied to a smart home, the device to be authenticated 12 may be a smart home appliance such as a smart television, smart speaker, smart air conditioner, smart lamp, smart door or window, smart curtain or smart socket. Optionally, there is one device to be authenticated 12 or there are several, which is not limited in the embodiments of the present application; in practice, the number of devices to be authenticated 12 may be determined from the application requirements or from the maximum number of devices that the distribution network platform gateway 141 can manage.
The device to be authenticated 12 is provisioned onto the network by the distribution network platform gateway 141, and the cloud server corresponding to the distribution network platform gateway 141 is the distribution network platform cloud 142. The distribution network platform gateway 141 and the distribution network platform cloud 142 are connected through a wired or wireless network.
The distribution network platform gateway 141 is a device capable of configuring a network. Optionally, the distribution network platform gateway 141 may be a server, terminal device, router, mobile phone, tablet computer, wearable device, or another device capable of provisioning network access, which is not limited in the embodiments of the present application; in practice, the form in which the distribution network platform gateway 141 is implemented may be determined from the application scenario of the system. In one example, where the system is applied to a smart home, a home environment is small and sees frequent activity, so a distribution network platform gateway 141 occupying a large space would interfere with normal home life; the distribution network platform gateway 141 may therefore be implemented as a router, terminal device, mobile phone, tablet computer, wearable device or the like. Optionally, there may be one distribution network platform gateway 141 or several, which is not limited in the embodiments of the present application; usually, to save resources and for similar reasons, there is one distribution network platform gateway 141.
The device to be authenticated 12 is developed based on the device platform cloud 16, and the license key Kc of the device to be authenticated 12 is stored in the device platform cloud 16.
A communication link exists between the distribution network platform cloud 142 and the device platform cloud 16. Optionally, the distribution network platform cloud 142 sends to the device platform cloud 16 the information required in the access authentication process of the device to be authenticated 12, or forwards to the distribution network platform gateway 141 the information required in the access authentication process of the device to be authenticated 12.
The distribution network platform cloud 142 and the device platform cloud 16 are cloud computing resource pools in the field of cloud technology, in which multiple types of virtual resources are deployed for external customers to select and use. A cloud computing resource pool mainly includes computing devices (virtualized machines including an operating system), storage devices and network devices. It may be an independent physical server, a server cluster or distributed system made up of several physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, a content delivery network (CDN), and big data and artificial intelligence platforms.
Optionally, the system may further include a control device 18, the distribution network platform gateway 141 and the control device 18 being connected through a wired or wireless network. The control device 18 is a device operated by the user to control the distribution network platform gateway 141; for example, the user may activate the distribution network platform gateway 141 using an application on the control device 18. The control device 18 may be implemented as a terminal device, mobile phone, tablet computer, wearable device or the like.
In one example, the device to be authenticated 12 is a Zigbee device, and the distribution network platform gateway supports configuring a Zigbee network.
FIG. 2 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application. The method may be applied in the cross-platform access authentication system for smart devices shown in FIG. 1, and includes:
Step 201: the device to be authenticated broadcasts a beacon frame, the beacon frame carrying a first random number generated by the device to be authenticated.
The device to be authenticated is a device capable of accessing a network. Optionally, devices to be authenticated include various types of home appliances (such as lamps), industrial assets (such as examination equipment in a hospital) and the like. By way of example, the device to be authenticated is a Zigbee device.
A beacon frame is a command frame of the medium access control (MAC) layer, used mainly in the join and rejoin procedures of the device to be authenticated. In the embodiments of the present application, the device to be authenticated discovers networks it can join by broadcasting beacon frames. Optionally, the device to be authenticated starts broadcasting beacon frames when it enters provisioning mode; optionally, it enters provisioning mode automatically on first power-up, or is placed into provisioning mode by a user operation.
The beacon frame carries the first random number, a nonce generated by the device to be authenticated, which is used to safeguard the security of the first access authentication. Optionally, the first random number is 4 bytes long.
Optionally, the beacon frame also carries a device identifier (DeviceID), which identifies the type of the device to be authenticated and may be 2 bytes. Optionally, the beacon frame also carries a company identifier (CID), which identifies the manufacturer to which the device to be authenticated belongs and may be 3 bytes. Optionally, the beacon frame also carries a device address identifier, which identifies the MAC address of the device to be authenticated and uniquely identifies one device to be authenticated; it may be a 64-bit address. By way of example, the device address identifier is an Extended Unique Identifier (EUI).
Step 202: the distribution network platform gateway receives the beacon frame.
The distribution network platform gateway is a device capable of configuring a network. Optionally, it may be a server, terminal device, router, mobile phone, tablet computer, wearable device, or another device capable of provisioning network access. By way of example, the distribution network platform gateway supports configuring a Zigbee network.
Since the device to be authenticated broadcasts the beacon frame, the distribution network platform gateway can receive it. Optionally, the distribution network platform gateway receives the beacon frame broadcast by the device to be authenticated by means of channel scanning. Optionally, the distribution network platform gateway has already formed a network. Optionally, the network formed by the distribution network platform gateway is identified by a personal area network identifier (PAN ID).
Step 203: the distribution network platform gateway interacts with the device platform cloud through the distribution network platform cloud to obtain the authenticator-side trust center link key.
The device platform cloud is the cloud server on which the device to be authenticated was developed, that is, the cloud server corresponding to the manufacturer to which the device to be authenticated belongs.
The distribution network platform cloud is the cloud server corresponding to the distribution network platform gateway.
Optionally, the distribution network platform gateway interacting with the device platform cloud through the distribution network platform cloud means that the distribution network platform gateway sends a message A to the distribution network platform cloud, which forwards message A to the device platform cloud; or the device platform cloud sends a message B to the distribution network platform cloud, which forwards message B to the distribution network platform gateway.
The authenticator-side trust center link key (TCLK) is a key generated based on the first random number and the license key. Optionally, it is generated by the distribution network platform gateway or by the device platform cloud; that is, the authenticator-side trust center link key is the key for the first access authentication generated on the distribution network platform gateway side or on the device platform cloud side.
Step 204: the device to be authenticated generates the device-side trust center link key based on the first random number and the license key.
The license key is a key stored in the device to be authenticated and in the device platform cloud. Optionally, the license key is pre-programmed into a secure storage area of the device to be authenticated at the factory. Optionally, the device platform cloud stores a table relating the device address identifier of each device to be authenticated to its license key.
The device to be authenticated generates the device-side trust center link key from the first random number it generated itself and the license key it stores. The device-side trust center link key is the key for the first access authentication generated on the side of the device to be authenticated.
It will be understood that the embodiments of the present application do not limit the order in which step 203 and step 204 are performed.
Step 205: the distribution network platform gateway and the device to be authenticated perform first access authentication using the authenticator-side trust center link key and the device-side trust center link key respectively.
After the device to be authenticated has generated the device-side trust center link key and the distribution network platform gateway has obtained the authenticator-side trust center link key, the two perform first access authentication using the authenticator-side trust center link key and the device-side trust center link key respectively.
Optionally, the first access authentication succeeds when the device-side trust center link key generated by the device to be authenticated is identical to the authenticator-side trust center link key obtained by the distribution network platform gateway. Optionally, after the first access authentication succeeds, the device to be authenticated can join the network formed by the distribution network platform gateway.
综上所述,本实施例提供的方法,待认证设备广播的信标帧中携带第一随机数,第一随机数用于生成配网平台网关和待认证设备之间执行第一接入认证所需的认证端信任中心链接密钥以及设备端信任中心链接密钥,第一随机数是每次进行第一接入认证所动态产生的,保障第一接入认证的安全性。并且,本申请实施例中,配网平台网关通过配网平台云与设备平台云进行交互,获取第一接入认证所需的认证端信任中心链接密钥,再由配网平台网关配网平台网关和待认证设备分别使用认证端信任中心链接密钥以及设备端信任中心链接密钥,进行第一接入认证,从而实现了待认证设备的跨平台接入认证,扩展了待认证设备接入认证的实施场景。To sum up, in the method provided in this embodiment, the beacon frame broadcast by the device to be authenticated carries the first random number, and the first random number is used to generate the first access authentication between the distribution network platform gateway and the device to be authenticated The required authentication side trust center link key and device side trust center link key, and the first random number is dynamically generated each time the first access authentication is performed to ensure the security of the first access authentication. In addition, in the embodiment of the present application, the distribution network platform gateway interacts with the device platform cloud through the distribution network platform cloud, obtains the authentication terminal trust center link key required for the first access authentication, and then configures the network platform by the distribution network platform gateway. The gateway and the device to be authenticated use the authentication-side trust center link key and the device-side trust center link key to perform the first access authentication, thereby realizing the cross-platform access authentication of the device to be authenticated and expanding the access of the device to be authenticated. Authentication implementation scenarios.
在基于图2的可选实施例中,待认证设备侧执行第一接入认证的过程包括:待认证设备基于设备端信任中心链接密钥,获取网络密钥(NetworkKey),网络密钥用于在第一接入认证后对网络层的数据进行加密。也即:待认证设备通过执行第一接入流程,得到正确的网络密钥,从而加入网络。In the optional embodiment based on FIG. 2 , the process of performing the first access authentication on the side of the device to be authenticated includes: the device to be authenticated obtains a network key (NetworkKey) based on the device-side trust center link key, and the network key is used for Data at the network layer is encrypted after the first access authentication. That is, the device to be authenticated obtains the correct network key by executing the first access procedure, so as to join the network.
下面,对第一接入认证的过程进行示例性的说明。Hereinafter, the process of the first access authentication is exemplarily described.
FIG. 3 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application. The method can be applied to the cross-platform access authentication system for smart devices shown in FIG. 1, and includes:
Step 301: the device to be authenticated broadcasts a beacon frame, and the beacon frame carries a first random number, a device identifier, a manufacturer identifier and a device address identifier.
Optionally, the beacon frame is an Enhanced Beacon frame. The Enhanced Beacon frame is specified in IEEE 802.15.4 and differs from the regular beacon frame; see Table 1 above for its format.
Optionally, the Enhanced Beacon frame carries the first random number, the device identifier, the manufacturer identifier and the device address identifier. The first random number, the device identifier and the manufacturer identifier are placed in the Header IEs (header information elements) of the Enhanced Beacon frame, and the device address identifier is placed in its Beacon Payload.
In one possible implementation, step 301 is instead implemented as: the device to be authenticated broadcasts Enhanced Beacon frames. In another possible implementation, step 301 is instead implemented as: the device to be authenticated alternately broadcasts Enhanced Beacon frames and regular beacon frames, so as to remain compatible with regular beacon frames.
Step 302: the distribution network platform gateway receives the beacon frame.
Optionally, the beacon frame is an Enhanced Beacon frame; the distribution network platform gateway receives the Enhanced Beacon frame broadcast by the device to be authenticated and extracts the first random number, the device identifier, the manufacturer identifier and the device address identifier from it.
Step 303: the distribution network platform gateway sends a beacon response to the device to be authenticated.
The beacon response responds to the beacon frame. Optionally, the beacon response carries the PAN ID of the network built by the distribution network platform gateway. Optionally, the distribution network platform gateway sends the beacon response to the device to be authenticated when it agrees to let the device join the network.
Optionally, the beacon frame carries a device identifier that identifies the type of the device to be authenticated. Before sending the beacon response, the distribution network platform gateway also performs the following steps: it sends the device identifier to a control device, which controls the distribution network platform gateway; it then receives an access request from the control device, which triggers the distribution network platform gateway to return the beacon response responding to the beacon frame.
For example, the distribution network platform gateway is a router and the control device is the user's mobile phone. After receiving the beacon frame, the distribution network platform gateway sends the device identifier carried in the beacon frame to the phone, and the phone announces the type of the device to be authenticated that corresponds to that identifier, for instance that it is a temperature sensor. The user learns the device type from the announcement and instructs the phone to send an access request; after receiving the access request, the distribution network platform gateway sends the beacon response to the device to be authenticated as the access request directs.
Step 304: the device to be authenticated receives the beacon response.
Optionally, by receiving the beacon response the device to be authenticated learns that there is a joinable network at the distribution network platform gateway, identified by its PAN ID.
Step 305: the device to be authenticated sends an association request to the distribution network platform gateway.
The association request is used to request access to the network built by the distribution network platform gateway.
Optionally, after receiving the beacon response, if the device to be authenticated chooses to join the network built by the distribution network platform gateway, it sends the association request to the distribution network platform gateway.
Step 306: the distribution network platform gateway receives the association request.
Step 307: the distribution network platform gateway sends an association response to the device to be authenticated.
The association response responds to the association request. After receiving the association request from the device to be authenticated, the distribution network platform gateway unicasts the association response back to it.
Optionally, the association response carries the network address that the distribution network platform gateway has assigned to the device to be authenticated. The network address is a 16-bit short address that uniquely identifies the device to be authenticated within the network built by the distribution network platform gateway.
Step 308: the device to be authenticated receives the association response.
Step 309: the distribution network platform gateway interacts with the device platform cloud through the distribution network platform cloud to obtain the authentication-side trust center link key.
The specific way in which the distribution network platform gateway obtains the authentication-side trust center link key is described in the embodiment corresponding to FIG. 4 and is not repeated here.
Step 310: the device to be authenticated generates the device-side trust center link key from the first random number and the license key.
In one possible implementation, the device to be authenticated uses the device-side install code it generates as the device-side trust center link key. That is, step 310 includes: the device to be authenticated processes the first random number and the license key with a first key generation algorithm to produce a device-side install code, and uses the device-side install code as the device-side trust center link key. Optionally, the first key generation algorithm is a symmetric encryption algorithm, and includes the AES-MMO (Advanced Encryption Standard, Matyas-Meyer-Oseas) hash algorithm.
For example, TCLK = InstallCode = AES-MMO(Kc|R1), where TCLK is the device-side trust center link key, InstallCode is the device-side install code, Kc is the license key and R1 is the first random number.
In another possible implementation, after generating the device-side install code, the device to be authenticated processes it further to obtain the device-side trust center link key. That is, step 310 includes: the device to be authenticated processes the first random number and the license key with the first key generation algorithm to produce the device-side install code, and then processes the device-side install code with a second key generation algorithm to produce the device-side trust center link key. Optionally, the first key generation algorithm and the second key generation algorithm are symmetric encryption algorithms; the first key generation algorithm includes the AES-MMO hash algorithm, and the second key generation algorithm includes the AES-MMO hash algorithm.
For example, InstallCode = AES-MMO(Kc|R1) and TCLK = AES-MMO(InstallCode), where TCLK is the device-side trust center link key, InstallCode is the device-side install code, Kc is the license key and R1 is the first random number.
It can be understood that in both implementations, because the first random number is freshly generated each time the device to be authenticated attempts to join the network, the device-side install code is generated dynamically, and so the device-side trust center link key that the device to be authenticated derives from the device-side install code is generated dynamically as well.
Step 311: the distribution network platform gateway sends encrypted key information to the device to be authenticated, where the encrypted key information is obtained by encrypting the network key with the authentication-side trust center link key.
The network key is a random string generated by the distribution network platform gateway when it builds the network. Optionally, all devices that have joined the network share the same network key.
After obtaining the authentication-side trust center link key, the distribution network platform gateway encrypts the network key with it to obtain the encrypted key information and sends the encrypted key information to the device to be authenticated, so that the device to be authenticated can recover the network key from it.
Step 312: the device to be authenticated receives the encrypted key information.
Step 313: the device to be authenticated processes the encrypted key information with the device-side trust center link key to obtain the network key.
The network key is used to encrypt network-layer data. Optionally, after obtaining the network key, the device to be authenticated communicates with the distribution network platform gateway under that network key.
Because the encrypted key information was produced by the distribution network platform gateway encrypting the network key with the authentication-side trust center link key, when the device-side trust center link key generated on the side of the device to be authenticated is equal to the authentication-side trust center link key, the device to be authenticated can process the encrypted key information with the device-side trust center link key and obtain the correct network key.
Step 314: the device to be authenticated broadcasts a device announce message.
The device announce broadcast message indicates that the device to be authenticated has joined the network built by the distribution network platform gateway.
Step 315: the distribution network platform gateway receives the device announce message.
The distribution network platform gateway receives the device announce message broadcast by the device to be authenticated.
In summary, in the method provided by this embodiment, the beacon frame broadcast by the device to be authenticated is an Enhanced Beacon frame. Because the Enhanced Beacon frame contains fields that the manufacturer of the device to be authenticated can define, the first random number, the device identifier, the manufacturer identifier and the device address identifier can conveniently be carried in it, which secures the subsequent first access authentication process.
At the same time, in the method provided by this embodiment, the distribution network platform gateway obtains the authentication-side install code from the device platform cloud, rather than the user having to enter or scan it manually and then send the authentication-side install code to the device platform cloud; this reduces human interaction and improves the efficiency of access authentication.
The way in which the distribution network platform gateway obtains the authentication-side trust center link key in step 309 is described below by way of example.
FIG. 4 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application. The method can be applied to the cross-platform access authentication system for smart devices shown in FIG. 1, and includes:
Step 3091: the distribution network platform gateway sends an install code request to the device platform cloud through the distribution network platform cloud.
The install code request carries the device address identifier and the first random number; the first random number is used by the device platform cloud to generate the authentication-side install code, and the device address identifier identifies the MAC address of the device to be authenticated.
Optionally, the install code request also carries the manufacturer identifier. The distribution network platform gateway sends the install code request to the distribution network platform cloud, which determines the device platform cloud from the manufacturer identifier and forwards the install code request to it.
Step 3092: the device platform cloud receives the install code request.
The source address of the install code request is the distribution network platform gateway, and the install code request carries the device address identifier and the first random number corresponding to the device to be authenticated.
Optionally, the device platform cloud receives the install code request, whose source address is the distribution network platform gateway, from the distribution network platform cloud.
Step 3093: the device platform cloud generates the authentication-side install code from the first random number.
Optionally, step 3093 includes: the device platform cloud determines the license key corresponding to the device to be authenticated from the device address identifier, and processes the first random number and the license key with the first key generation algorithm to generate the authentication-side install code.
Optionally, the device platform cloud stores a table mapping device address identifiers to license keys, and it looks up the device address identifier in that table to determine the license key corresponding to the device to be authenticated. Optionally, the first key generation algorithm is a symmetric encryption algorithm and includes the AES-MMO hash algorithm.
For example, InstallCode' = AES-MMO(Kc|R1), where InstallCode' is the authentication-side install code, Kc is the license key and R1 is the first random number.
Step 3094: the device platform cloud sends an install code response whose destination address is the distribution network platform gateway.
The install code response carries the authentication-side install code, which the distribution network platform gateway uses to determine the authentication-side trust center link key.
Optionally, the device platform cloud sends the install code response to the distribution network platform cloud, which forwards it to the distribution network platform gateway.
Step 3095: the distribution network platform gateway receives the install code response.
Optionally, the distribution network platform gateway receives the install code response, whose source address is the device platform cloud, through the distribution network platform cloud.
Step 3096: the distribution network platform gateway determines the authentication-side trust center link key from the install code response.
The install code response carries the authentication-side install code, which the distribution network platform gateway uses to determine the authentication-side trust center link key.
In one possible implementation, the distribution network platform gateway uses the obtained authentication-side install code directly as the authentication-side trust center link key.
In another possible implementation, after obtaining the authentication-side install code, the distribution network platform gateway processes it further to obtain the authentication-side trust center link key. Step 3096 then includes: the distribution network platform gateway processes the authentication-side install code with the second key generation algorithm to generate the authentication-side trust center link key. Optionally, the second key generation algorithm is a symmetric encryption algorithm and includes the AES-MMO hash algorithm.
For example, TCLK' = AES-MMO(InstallCode'), where TCLK' is the authentication-side trust center link key and InstallCode' is the authentication-side install code.
In summary, in the method provided by this embodiment, the device-side install code and the authentication-side install code are generated from the first random number by the device to be authenticated and by the distribution network platform gateway, respectively. Because the first random number is freshly generated each time the device to be authenticated attempts to join the network, the device-side install code is generated dynamically, and so the device-side trust center link key that the device to be authenticated derives from the device-side install code is generated dynamically as well. This avoids the risk of install code leakage that a fixed, unchanging device-side install code would carry.
Optionally, in an optional embodiment based on FIG. 2, after the first access authentication the device to be authenticated performs a second access authentication based on a second random number generated by the device platform cloud.
The second access authentication process is described below by way of example.
FIG. 5 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application. The method can be applied to the cross-platform access authentication system for smart devices shown in FIG. 1, and includes:
Step 501: the distribution network platform gateway sends a random number write request, carrying a second random number, to the custom cluster of the device to be authenticated.
The second random number is a random number generated by the device platform cloud. Optionally, the distribution network platform gateway obtains the second random number from the install code response whose source address is the device platform cloud.
A custom cluster is a cluster defined by the manufacturer of the device to be authenticated. The clusters of the device to be authenticated support access by the distribution network platform gateway, with access types including write, return-after-write, read, and so on. Optionally, step 501 includes: the distribution network platform gateway obtains the access type of the custom cluster, and, in response to the access type of the custom cluster being return-after-write, sends the random number write request to the custom cluster. When the access type of the custom cluster is return-after-write, the distribution network platform gateway receives the returned device-side authentication key from the device to be authenticated after sending the random number write request.
Step 502: the device to be authenticated receives the random number write request.
The random number write request carries the second random number.
Step 503: the device to be authenticated generates a device-side authentication key from the second random number.
The device-side authentication key is used for the second access authentication of the device to be authenticated.
Optionally, step 503 includes: the device to be authenticated processes the second random number and the license key with a third key generation algorithm to generate the device-side authentication key. Optionally, the third key generation algorithm is a symmetric encryption algorithm and includes the AES-MMO hash algorithm.
For example, Auth = AES-MMO(Kc|R2), where Auth is the device-side authentication key, Kc is the license key and R2 is the second random number.
Optionally, after generating the device-side authentication key, the device to be authenticated stores it in an attribute of the custom cluster. The custom cluster includes at least one attribute, a data entity that reflects a state or property of the device to be authenticated; in the embodiments of the present application, the attribute stores the device-side authentication key of the device to be authenticated. Optionally, the access type of the custom cluster is return-after-write.
Step 504: the device to be authenticated sends the device-side authentication key to the distribution network platform gateway.
After generating and storing the device-side authentication key, the device to be authenticated sends it to the distribution network platform gateway.
Step 505: the distribution network platform gateway receives the device-side authentication key.
Step 506: the distribution network platform gateway sends a device authentication request, carrying the device address identifier and the device-side authentication key, to the device platform cloud through the distribution network platform cloud.
The device authentication request asks the device platform cloud to perform the second access authentication.
Optionally, the device authentication request also carries the manufacturer identifier. The distribution network platform gateway sends the device authentication request to the distribution network platform cloud, which determines the device platform cloud from the manufacturer identifier and forwards the device authentication request to it.
Step 507: the device platform cloud receives the device authentication request.
The source address of the device authentication request is the distribution network platform gateway; the request carries the device address identifier and the device-side authentication key, which is the key the device to be authenticated generated from the second random number. Optionally, the device platform cloud receives the device authentication request, whose source address is the distribution network platform gateway, from the distribution network platform cloud.
Step 508: the device platform cloud performs the second access authentication on the device-side authentication key using the second random number.
The second random number is a random number generated by the device platform cloud. Optionally, the second random number is 4 bytes long.
Optionally, step 508 includes: the device platform cloud determines the license key corresponding to the device to be authenticated from the device address identifier; processes the second random number and the license key with the third key generation algorithm to generate a cloud-side authentication key; and verifies the cloud-side authentication key against the device-side authentication key to determine the authentication result.
Optionally, the device platform cloud stores a table mapping device address identifiers to license keys, and it looks up the device address identifier in that table to determine the license key corresponding to the device to be authenticated. Optionally, the third key generation algorithm is a symmetric encryption algorithm and includes the AES-MMO hash algorithm.
For example, Auth' = AES-MMO(Kc|R2), where Auth' is the cloud-side authentication key, Kc is the license key and R2 is the second random number.
For example, if the cloud-side authentication key is equal to the device-side authentication key, the authentication result is authentication success; if they are not equal, the authentication result is authentication failure.
步骤509,设备平台云发送认证结果,认证结果的目的地址为配网平台网关。Step 509, the device platform cloud sends the authentication result, and the destination address of the authentication result is the gateway of the distribution network platform.
可选的,设备平台云向配网平台云发送认证结果,配网平台云将认证结果转发给配网平台网关。Optionally, the device platform cloud sends the authentication result to the distribution network platform cloud, and the distribution network platform cloud forwards the authentication result to the distribution network platform gateway.
步骤510,配网平台网关接收认证结果。Step 510, the distribution network platform gateway receives the authentication result.
可选的,配网平台网关通过配网平台云,接收源地址为设备平台云的认证结果。Optionally, the distribution network platform gateway receives the authentication result whose source address is the device platform cloud through the distribution network platform cloud.
可选的,在接收认证结果之后,配网平台网关还将执行如下步骤中的任意一种:响应于认证结果为认证成功,更新认证端信任中心链接密钥;响应于认证结果为认证失败,将待认证设备添加至设备黑名单,设备黑名单用于记录配网失败的设备。可选的,设备黑名单中的待认证设备被移出配网平台网关所构建的网络。Optionally, after receiving the authentication result, the distribution network platform gateway will also perform any one of the following steps: in response to the authentication result being that the authentication is successful, update the authentication end trust center link key; in response to the authentication result being the authentication failure, Add the device to be authenticated to the device blacklist. The device blacklist is used to record the devices that fail to configure the network. Optionally, the devices to be authenticated in the device blacklist are removed from the network constructed by the distribution network platform gateway.
可以理解的是,由于在第一接入认证过程中,已验证认证端信任中心链接密钥等于设备端信任中心链接密钥,且待认证设备已加入配网平台网关所构建的网络,所以,认证成功之后的配网平台网关更新认证端信任中心链接密钥,指的是:配网平台网关与待认证设备一起同步更新两侧的信任中心链接密钥。It can be understood that, since in the first access authentication process, the verified authentication side trust center link key is equal to the device side trust center link key, and the device to be authenticated has joined the network constructed by the distribution network platform gateway, so, After successful authentication, the distribution network platform gateway updates the authentication end trust center link key, which means that the distribution network platform gateway and the device to be authenticated synchronously update the trust center link key on both sides.
综上所述,本实施例提供的方法,在第一接入验证之后,利用设备平台云生成的第二随机数生成云端认证密钥与设备端认证密钥,使用云端认证密钥与设备端认证密钥对待认证设备进行第二接入验证,相比于只进行单向的第一接入验证,通过进行第二接入验证实现双向验证,进一步提高接入验证的可靠性。To sum up, in the method provided by this embodiment, after the first access verification, the second random number generated by the device platform cloud is used to generate the cloud authentication key and the device end authentication key, and the cloud authentication key and the device end authentication key are generated using the cloud authentication key and the device end authentication key. The authentication key performs the second access verification on the device to be authenticated. Compared with only performing the one-way first access verification, the second access verification implements two-way verification, which further improves the reliability of the access verification.
The solution shown in the present application is described below by way of example with reference to the following embodiment. In this embodiment, the device to be authenticated is a Zigbee device, and the distribution network platform gateway configures a Zigbee network.
In the following embodiment, CID denotes the manufacturer identifier, R1 the first random number, Device ID the device identifier, EUI the device address identifier, R2 the second random number, Kc the license key, Install Code the device-side install code, Install Code' the authentication-side install code, TCLK the device-side trust center link key, TCLK' the authentication-side trust center link key, Network Key the network key, Auth the device-side authentication key, and Auth' the cloud authentication key.
FIG. 6 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application. The method can be applied to the cross-platform access authentication system for smart devices shown in FIG. 1, and includes:
Step 61: the distribution network platform gateway builds a Zigbee network.
The distribution network platform gateway is a device capable of configuring a Zigbee network.
Step 62: the user activates the distribution network platform gateway through an APP or by voice.
Step 63: the distribution network platform gateway performs permit join.
Optionally, the distribution network platform performs permit join by broadcasting a Permit Join message.
Step 64: the distribution network platform gateway performs a channel scan.
Step 65: the Zigbee device uses the enhanced beacon frame format, filling CID|R1|Device ID into the header information element and the EUI into the beacon payload.
Optionally, the element ID (ElementID) of the enhanced beacon frame is 0x00. Optionally, CID is 3 bytes, R1 is 4 bytes, and Device ID is 2 bytes.
Step 66: the distribution network platform gateway broadcasts the enhanced beacon frame, carrying the data CID|R1|Device ID|EUI.
Optionally, either of the following two broadcast modes is used: only the enhanced beacon frame is broadcast; or the enhanced beacon frame and the regular beacon frame are broadcast alternately, for compatibility with regular beacon frames.
Step 67: the distribution network platform gateway returns the Device ID.
Optionally, the Device ID is a 16-bit identifier used to identify the device type.
Step 68: the user side announces the device type.
Optionally, the user side determines the device type of the Zigbee device from the Device ID and announces it.
Step 69: the user performs the input "connect device".
After obtaining the device type of the Zigbee device, the user side sends an access request to the distribution network platform gateway.
Step 610: the distribution network platform gateway sends a beacon response to the Zigbee device.
The beacon response responds to the enhanced beacon frame broadcast by the Zigbee device.
Step 611: the Zigbee device sends an association request to the distribution network platform gateway.
The association request requests access to the Zigbee network built by the distribution network platform gateway.
Step 612: the distribution network platform gateway sends an association response to the Zigbee device.
The association response responds to the association request. Optionally, the association response carries the network address allocated to the Zigbee device by the distribution network platform gateway.
Step 613: the distribution network platform gateway sends an install code request, carrying the data CID|R1|EUI.
Step 613.1: the distribution network platform cloud looks up the device platform cloud according to the CID.
From the CID, the distribution network platform cloud can tell that the Zigbee device does not belong to this distribution network platform cloud, and it obtains the cloud platform information of the corresponding manufacturer according to the CID.
Step 613.2: the distribution network platform cloud sends an install code request to the device platform cloud, carrying the data R1|EUI.
Step 613.3: the device platform cloud finds the device's Kc according to the EUI, generates Install Code' = AES-MMO(Kc|R1), and generates the random number R2.
Optionally, the device platform cloud stores a correspondence table between EUI and Kc.
Step 613.4: the device platform cloud returns an install code response to the distribution network platform cloud, carrying the data Install Code' and R2.
Step 614: the distribution network platform cloud returns the install code response to the distribution network platform gateway, carrying the data Install Code' and R2.
Step 615: the distribution network platform gateway generates TCLK' = AES-MMO(Install Code').
After obtaining Install Code', the distribution network platform gateway generates TCLK' from it.
Optionally, the distribution network platform gateway builds and stores a correspondence table between EUI and TCLK'.
Step 616: the Zigbee device generates Install Code = AES-MMO(Kc|R1) and TCLK = AES-MMO(Install Code).
Here, Kc is stored only in the Zigbee device and in the device platform cloud.
Step 617: the distribution network platform gateway and the Zigbee device establish a network-layer secure channel using TCLK and transmit the Network Key over it.
The distribution network platform gateway encrypts the Network Key with TCLK' and sends the encrypted data to the Zigbee device.
Step 618: the Zigbee device obtains the Network Key.
If the Zigbee device's Install Code is inconsistent with the device platform cloud's Install Code', the device cannot access the Zigbee network built by the distribution network platform gateway; only when the Zigbee device's Install Code is consistent with the device platform cloud's Install Code' can the Zigbee device obtain the correct Network Key.
Step 619: the distribution network platform gateway and the Zigbee device perform the Device Announce broadcast.
The Device Announce broadcast indicates that the Zigbee device has joined the Zigbee network built by the distribution network platform gateway.
Step 620: the distribution network platform gateway sends a random number write request, carrying the data R2.
Optionally, the distribution network platform gateway obtains the access type of the Zigbee device's custom cluster; in response to the access type of the custom cluster being write-then-return (W*R), it sends the random number write request to the custom cluster.
Step 621: the Zigbee device generates Auth = AES-MMO(Kc|R2) and stores this Auth in an attribute of the custom cluster.
Step 622: the Zigbee device returns Auth to the distribution network platform gateway.
Step 623: the distribution network platform gateway sends an authentication device request to the distribution network platform cloud, carrying the data CID|Auth|EUI.
Step 623.1: the distribution network platform cloud looks up the device platform cloud according to the CID.
From the CID, the distribution network platform cloud can tell that the Zigbee device does not belong to this distribution network platform cloud, and it obtains the cloud platform information of the corresponding manufacturer according to the CID.
Step 623.2: the distribution network platform cloud sends the authentication device request to the device platform cloud, carrying the data Auth|EUI.
Step 623.3: the device platform cloud finds the device's Kc according to the EUI, generates Auth' = AES-MMO(Kc|R2), and verifies Auth' against Auth.
Optionally, the device platform cloud stores a correspondence table between EUI and Kc. If Auth' = Auth, authentication succeeds; otherwise it fails.
Step 623.4: the device platform cloud returns the authentication result to the distribution network platform cloud.
Step 624: the distribution network platform cloud returns the authentication result to the distribution network platform gateway.
Step 625: if authentication failed, the distribution network platform gateway adds the device to the device blacklist.
The device blacklist records devices that failed network configuration. Optionally, Zigbee devices on the device blacklist are removed from the Zigbee network built by the distribution network platform gateway.
If authentication succeeded, the distribution network platform gateway performs the subsequent steps.
Step 626: the distribution network platform gateway and the Zigbee device update the TCLK and establish a normal connection.
Optionally, the updated TCLK is used to encrypt Application Support Sublayer (APS) data transmission.
In the embodiment corresponding to FIG. 6, the authentication-side trust center link key is generated on the distribution network platform gateway side. In another possible implementation, the authentication-side trust center link key is generated on the device platform cloud side.
FIG. 7 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application. The method can be applied to the cross-platform access authentication system for smart devices shown in FIG. 1. Relative to FIG. 6, the following steps of the method are adjusted:
Step 713.3: the device platform cloud finds the device's Kc according to the EUI, generates TCLK' = AES-MMO(Kc|R1), and generates the random number R2.
Install Code' is represented implicitly by the combination Kc|R1, so TCLK' = Install Code' = AES-MMO(Kc|R1).
Optionally, the device platform cloud stores a correspondence table between EUI and Kc.
Step 713.4: the device platform cloud returns an install code response to the distribution network platform cloud, carrying the data TCLK' and R2.
Step 714: the distribution network platform cloud returns the install code response to the distribution network platform gateway, carrying the data TCLK' and R2.
Step 715: the distribution network platform gateway builds a correspondence table between EUI and TCLK'.
Step 716: the Zigbee device generates TCLK = AES-MMO(Kc|R1).
Here, Kc is stored only in the Zigbee device and in the device platform cloud.
It can be understood that the other steps in FIG. 7 are as in the above embodiment and are not repeated here.
To sum up, in the method provided by this embodiment, the authentication-side trust center link key and the device-side trust center link key are generated directly from the first random number and the license key, with no further processing of the authentication-side install code or the device-side install code, which improves the efficiency of access authentication for Zigbee devices.
It should be noted that the above method embodiments may be implemented separately or in combination; this application does not limit this.
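As an added worked example (not code from the application or its assignee), the following Go program implements the AES-MMO hash the embodiments rely on and plays the FIG. 6 key derivations end to end: the device platform cloud's Install Code' = AES-MMO(Kc|R1), the gateway's TCLK' = AES-MMO(Install Code'), the device's TCLK and Auth = AES-MMO(Kc|R2), and the cloud's Auth' comparison of step 623.3. The EUI, the 16-byte Kc, the cloud's per-EUI bookkeeping of the R2 it issued, and modelling the first access authentication as TCLK' == TCLK (instead of an actual encrypted Network Key transport) are this example's assumptions; the AES-MMO padding follows the Zigbee specification.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// aesMMO is the AES-128 Matyas-Meyer-Oseas hash used by Zigbee (spec Annex B.6): H0 = 0^128,
// Hi = AES(key=H(i-1), Mi) XOR Mi over the message padded with 0x80, zero bytes and a 16-bit
// big-endian bit length (the padding form for inputs shorter than 2^16 bits, as here).
func aesMMO(msg []byte) []byte {
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%aes.BlockSize != aes.BlockSize-2 {
		padded = append(padded, 0x00)
	}
	bitLen := uint16(len(msg) * 8)
	padded = append(padded, byte(bitLen>>8), byte(bitLen))
	h := make([]byte, aes.BlockSize) // H0
	for i := 0; i < len(padded); i += aes.BlockSize {
		block := padded[i : i+aes.BlockSize]
		c, err := aes.NewCipher(h) // the previous hash value is the AES key
		if err != nil {
			panic(err)
		}
		next := make([]byte, aes.BlockSize)
		c.Encrypt(next, block)
		for j := range next {
			next[j] ^= block[j]
		}
		h = next
	}
	return h
}

// cat concatenates fields, matching the page's "Kc|R1" notation.
func cat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// deviceCloud models the device platform cloud: the EUI -> Kc table (step 613.3) plus the R2
// issued per EUI and kept until step 623.3 (that bookkeeping is this example's assumption).
type deviceCloud struct{ kcByEUI, pendingR2 map[string][]byte }

// installCodeResponse is step 613.3/613.4: look up Kc by EUI, return Install Code' = AES-MMO(Kc|R1)
// and a fresh 4-byte R2 (the length the page gives). FIG. 7 would hand out this value as TCLK' directly.
func (c *deviceCloud) installCodeResponse(eui string, r1 []byte) (installCode, r2 []byte, ok bool) {
	kc, found := c.kcByEUI[eui]
	if !found {
		return nil, nil, false // unknown EUI: nothing can be derived
	}
	r2 = randomBytes(4)
	c.pendingR2[eui] = r2
	return aesMMO(cat(kc, r1)), r2, true
}

// verifyAuth is step 623.3: Auth' = AES-MMO(Kc|R2) must equal the Auth the device returned.
func (c *deviceCloud) verifyAuth(eui string, auth []byte) bool {
	kc, found := c.kcByEUI[eui]
	r2, issued := c.pendingR2[eui]
	if !found || !issued {
		return false
	}
	delete(c.pendingR2, eui) // each R2 answers exactly one authentication (example policy)
	return subtle.ConstantTimeCompare(aesMMO(cat(kc, r2)), auth) == 1
}

// zigbeeDevice holds the device-side copy of Kc; tclk is step 616 and auth is step 621.
type zigbeeDevice struct{ eui string; kc []byte }
func (d zigbeeDevice) tclk(r1 []byte) []byte { return aesMMO(aesMMO(cat(d.kc, r1))) }
func (d zigbeeDevice) auth(r2 []byte) []byte { return aesMMO(cat(d.kc, r2)) }

// runFlow plays the gateway end to end; the first access authentication is modelled as
// TCLK' == TCLK (steps 617/618: only a matching install code yields the right Network Key).
func runFlow(dev zigbeeDevice, cloud *deviceCloud) (firstOK, secondOK bool) {
	r1 := randomBytes(4) // step 65: R1 travels in the enhanced beacon
	installCode, r2, ok := cloud.installCodeResponse(dev.eui, r1)
	if !ok || !bytes.Equal(aesMMO(installCode), dev.tclk(r1)) { // step 615: TCLK' = AES-MMO(Install Code')
		return false, false // the device never joins, so step 620 is never reached
	}
	return true, cloud.verifyAuth(dev.eui, dev.auth(r2)) // steps 620-623
}

func main() {
	kc, eui := randomBytes(16), "00124b0000000001" // constructed Kc (length not fixed by the page) and EUI
	cloud := &deviceCloud{kcByEUI: map[string][]byte{eui: kc}, pendingR2: map[string][]byte{}}
	f, s := runFlow(zigbeeDevice{eui, kc}, cloud)
	f2, s2 := runFlow(zigbeeDevice{eui, randomBytes(16)}, cloud) // same EUI, wrong Kc
	fmt.Println("genuine:", f, s, "| wrong Kc:", f2, s2)
	ic, _ := hex.DecodeString("83FED3407A939723A5C639B26916D505C3B5") // Zigbee BDB install-code example
	fmt.Println("AES-MMO self-check:", hex.EncodeToString(aesMMO(ic))) // 66b6900981e1ee3ca4206b6b861c02bb
}
```

A device that knows a genuine EUI but not its Kc already fails the first phase, and an Auth computed without the cloud-issued R2 fails the second.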
FIG. 8 shows a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application. The apparatus can be implemented as the device to be authenticated, or as a part of the device to be authenticated, and includes: a beacon frame broadcasting module 801, a key generation module 802 and a first authentication module 803;
the beacon frame broadcasting module 801 is configured to broadcast a beacon frame, where the beacon frame carries a first random number generated by the device to be authenticated;
the key generation module 802 is configured to generate a device-side trust center link key based on the first random number and a license key, where the license key is a key stored in the device to be authenticated and in the device platform cloud;
the first authentication module 803 is configured to use the device-side trust center link key to perform first access authentication with the distribution network platform gateway.
In an optional embodiment, the first authentication module 803 is configured to obtain a network key based on the device-side trust center link key, where the network key is used to encrypt network-layer data after the first access authentication.
In an optional embodiment, the first authentication module 803 is configured to receive encrypted key information sent by the distribution network platform gateway, where the encrypted key information is encrypted by the distribution network platform gateway with an authentication-side trust center link key, and the authentication-side trust center link key is generated by the distribution network platform gateway or by the device platform cloud; and to process the encrypted key information with the device-side trust center link key to obtain the network key.
In an optional embodiment, the apparatus further includes a device announce broadcasting module, configured to broadcast a device announce message, where the device announce message indicates that the device to be authenticated has joined the network built by the distribution network platform gateway.
In an optional embodiment, the key generation module 802 is configured to process the first random number and the license key with a first key generation algorithm to generate a device-side install code, and to use the device-side install code as the device-side trust center link key; or, the key generation module 802 is configured to process the first random number and the license key with the first key generation algorithm to generate the device-side install code, and to process the device-side install code with a second key generation algorithm to generate the device-side trust center link key.
In an optional embodiment, the first key generation algorithm includes the AES-MMO hash algorithm, and the second key generation algorithm includes the AES-MMO hash algorithm.
In an optional embodiment, the beacon frame is an enhanced beacon frame, and the first random number is filled into the header information element field of the enhanced beacon frame.
In an optional embodiment, the beacon frame broadcasting module 801 is configured to broadcast the enhanced beacon frame; or, the beacon frame broadcasting module 801 is configured to broadcast the enhanced beacon frame and a regular beacon frame alternately.
In an optional embodiment, the beacon frame further carries a device identifier, where the device identifier identifies the type of the device to be authenticated.
In an optional embodiment, the beacon frame further carries a manufacturer identifier, where the manufacturer identifier identifies the manufacturer to which the device to be authenticated belongs.
In an optional embodiment, the beacon frame further carries a device address identifier, where the device address identifier identifies the MAC address of the device to be authenticated.
In an optional embodiment, the apparatus further includes a beacon response receiving module and an association module; the beacon response receiving module is configured to receive a beacon response sent by the distribution network platform gateway, where the beacon response responds to the beacon frame; the association module is configured to send an association request to the distribution network platform gateway, where the association request requests access to the network built by the distribution network platform gateway, and to receive an association response sent by the distribution network platform gateway, where the association response responds to the association request.
In an optional embodiment, the apparatus further includes a second authentication module, configured to generate a device-side authentication key based on a second random number generated by the device platform cloud, where the device-side authentication key is used for the second access authentication of the device to be authenticated, and to send the device-side authentication key to the distribution network platform gateway.
In an optional embodiment, the second authentication module is configured to process the second random number and the license key with a third key generation algorithm to generate the device-side authentication key.
In an optional embodiment, the third key generation algorithm includes the AES-MMO hash algorithm.
In an optional embodiment, the apparatus further includes a request receiving module, configured to receive a random number write request sent by the distribution network platform gateway to a custom cluster of the device to be authenticated, where the random number write request carries the second random number.
In an optional embodiment, the apparatus further includes a key storage module, configured to store the device-side authentication key in an attribute of the custom cluster.
In an optional embodiment, the access type of the custom cluster is write-then-return.
FIG. 9 shows a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application. The apparatus can be implemented as the distribution network platform gateway, or as a part of the distribution network platform gateway, and includes: a beacon frame receiving module 901, a key determination module 902 and a first authentication module 903;
the beacon frame receiving module 901 is configured to receive a beacon frame broadcast by a device to be authenticated, where the beacon frame carries a first random number generated by the device to be authenticated;
the key determination module 902 is configured to interact with the device platform cloud via the distribution network platform cloud to obtain an authentication-side trust center link key, where the authentication-side trust center link key is a key generated based on the first random number and a license key, and the license key is a key stored in the device to be authenticated and in the device platform cloud;
the first authentication module 903 is configured to use the authentication-side trust center link key to perform first access authentication with the device to be authenticated.
In an optional embodiment, the first authentication module 903 is configured to send encrypted key information to the device to be authenticated, where the encrypted key information is obtained by encrypting a network key with the authentication-side trust center link key, and the network key is used to encrypt network-layer data after the first access authentication.
In an optional embodiment, the apparatus further includes a device announce receiving module, configured to receive a device announce message sent by the device to be authenticated, where the device announce message indicates that the device to be authenticated has joined the network built by the distribution network platform gateway.
In an optional embodiment, the beacon frame further carries a device address identifier of the device to be authenticated, where the device address identifier identifies the MAC address of the device to be authenticated; the key determination module 902 is configured to send, via the distribution network platform cloud, an install code request to the device platform cloud, where the install code request carries the device address identifier and the first random number, and the first random number is for the device platform cloud to generate an authentication-side install code; to receive, via the distribution network platform cloud, an install code response whose source address is the device platform cloud; and to determine the authentication-side trust center link key based on the install code response.
In an optional embodiment, the install code response carries the authentication-side install code; the key determination module 902 is configured to use the authentication-side install code as the authentication-side trust center link key; or, the key determination module 902 is configured to process the authentication-side install code with a second key generation algorithm to generate the authentication-side trust center link key.
In an optional embodiment, the second key generation algorithm includes the AES-MMO hash algorithm.
In an optional embodiment, the install code response further carries a second random number generated by the device platform cloud.
In an optional embodiment, the apparatus further includes an authentication request module, configured to send a random number write request to a custom cluster of the device to be authenticated, where the random number write request carries a second random number that the distribution network platform gateway obtained from the install code response whose source address is the device platform cloud; to receive a device-side authentication key sent by the device to be authenticated, where the device-side authentication key is used for the second access authentication of the device to be authenticated; and to send, via the distribution network platform cloud, an authentication device request to the device platform cloud, where the authentication device request carries a device address identifier and the device-side authentication key, and the device address identifier identifies the MAC address of the device to be authenticated.
In an optional embodiment, the authentication request module is configured to obtain the access type of the custom cluster, and, in response to the access type of the custom cluster being write-then-return, to send the random number write request to the custom cluster.
In an optional embodiment, the apparatus further includes an authentication result processing module, configured to receive, via the distribution network platform cloud, an authentication result whose source address is the device platform cloud; in response to the authentication result being success, to update the authentication-side trust center link key; and in response to the authentication result being failure, to add the device to be authenticated to a device blacklist, where the device blacklist records devices that failed network configuration.
在一个可选的实施例中,所述装置还包括:信标响应发送模块和关联模块;所述信标响应发送模块,用于向所述待认证设备发送信标响应,所述信标响应用于响应所述信标帧;所述关联模块,用于接收所述待认证设备发送的关联请求,所述关联请求用于请求接入所述配网平台网关构建的网络;向所述待认证设备发送关联响应,所述关联响应用于响应所述关联请求。In an optional embodiment, the apparatus further includes: a beacon response sending module and an association module; the beacon response sending module is configured to send a beacon response to the device to be authenticated, the beacon response is used to respond to the beacon frame; the association module is used to receive an association request sent by the device to be authenticated, and the association request is used to request access to the network constructed by the distribution network platform gateway; to the to-be-authenticated device The authentication device sends an association response, the association response being used to respond to the association request.
在一个可选的实施例中,所述信标帧还携带设备标识,所述设备标识用于标识所述待认证设备的类型,所述装置还包括:接入请求接收模块;所述接入请求接收模块,用于向控制设备发送所述设备标识,所述控制设备用于控制所述配网平台网关;接收所述控制设备发送的接入请求,所述接入请求用于触发所述配网平台网关反馈信标响应,所述信标响应用于响应所述信标帧。In an optional embodiment, the beacon frame further carries a device identifier, where the device identifier is used to identify the type of the device to be authenticated, and the apparatus further includes: an access request receiving module; the access request a request receiving module, configured to send the device identification to a control device, and the control device is used to control the distribution network platform gateway; receive an access request sent by the control device, the access request is used to trigger the The distribution network platform gateway feeds back a beacon response, where the beacon response is used to respond to the beacon frame.
在一个可选的实施例中,所述信标帧为增强信标帧,所述第一随机数填充在所述增强信标帧的头信息单元字段。In an optional embodiment, the beacon frame is an enhanced beacon frame, and the first random number is filled in a header information element field of the enhanced beacon frame.
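An added example, not code from the patent or from its applicant, of what "carried in the header information element field of the enhanced beacon frame" looks like on the wire, written in Go. The header IE descriptor layout is the IEEE 802.15.4-2015 one; the choice of a vendor-specific header IE (element ID 0x00), the placeholder OUI and a 16-byte random number are assumptions made for this example. The parsing side is where the security-relevant care goes: the gateway reads these lengths from an unauthenticated broadcast, so every length is checked against the bytes actually received before it is used.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// A header IE (IEEE 802.15.4-2015, 7.4.2.1) starts with a little-endian 16-bit
// descriptor: content length in bits 0-6, element ID in bits 7-14, type in
// bit 15 (0 for a header IE). The content bytes follow immediately.
const (
	vendorIEID = 0x00 // assumption: R1 rides in a vendor-specific header IE
	nonceLen   = 16   // assumption: the first random number is 128 bits
)

// oui is a placeholder vendor OUI for this example, not a real allocation.
var oui = []byte{0x00, 0x00, 0x00}

// headerIE encodes one header IE; the type bit is left at 0.
func headerIE(id byte, content []byte) ([]byte, error) {
	if len(content) > 0x7f {
		return nil, errors.New("content too long for a header IE")
	}
	ie := make([]byte, 2, 2+len(content))
	binary.LittleEndian.PutUint16(ie, uint16(len(content))|uint16(id)<<7)
	return append(ie, content...), nil
}

// encodeNonceIE builds the IE the device puts in its enhanced beacon: OUI || R1.
func encodeNonceIE(r1 []byte) ([]byte, error) {
	if len(r1) != nonceLen {
		return nil, errors.New("random number must be 16 bytes")
	}
	return headerIE(vendorIEID, append(append([]byte{}, oui...), r1...))
}

// extractNonce walks the header IE list of a received beacon and returns R1.
// Every length here comes from an unauthenticated broadcast, so it is checked
// against the bytes actually present before any slice is taken; a truncated
// list is rejected rather than partially trusted, and unknown IEs are skipped.
func extractNonce(ies []byte) ([]byte, error) {
	for len(ies) >= 2 {
		desc := binary.LittleEndian.Uint16(ies)
		if desc>>15 != 0 {
			return nil, errors.New("payload IE where a header IE was expected")
		}
		length, id := int(desc&0x7f), int(desc>>7)&0xff
		if len(ies) < 2+length {
			return nil, errors.New("IE length runs past the end of the frame")
		}
		content := ies[2 : 2+length]
		if id == vendorIEID && len(content) == len(oui)+nonceLen && bytes.Equal(content[:len(oui)], oui) {
			return content[len(oui):], nil
		}
		ies = ies[2+length:]
	}
	return nil, errors.New("beacon carries no random-number IE")
}

func main() {
	r1 := bytes.Repeat([]byte{0xA5}, nonceLen) // constructed sample value, not random
	nonceIE, _ := encodeNonceIE(r1)
	other, _ := headerIE(0x1a, []byte{1, 2, 3, 4}) // an unrelated IE (arbitrary ID) ahead of it
	beaconIEs := append(other, nonceIE...)
	got, err := extractNonce(beaconIEs)
	fmt.Printf("%x %v\n", got, err)
	_, err = extractNonce(beaconIEs[:len(beaconIEs)-1]) // one byte lost in transit
	fmt.Println(err)
}
```

The gateway side is deliberately strict: a beacon whose IE list is truncated, or whose random-number IE has the wrong content length, is dropped before any key derivation starts, so a malformed broadcast cannot push a short or oversized "random number" into the install code request.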
FIG. 10 shows a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application. The apparatus may be implemented as the device platform cloud, or as part of the device platform cloud, and includes a key determination module 1001.
The key determination module 1001 is configured to interact with the distribution network platform gateway so that the distribution network platform gateway obtains the authenticator-side trust center link key, which is a key generated from the first random number generated by the device to be authenticated and is used for the first access authentication of the device to be authenticated.
In an optional embodiment, the key determination module 1001 is configured to receive an install code request whose source address is the distribution network platform gateway, the install code request carrying the device address identifier corresponding to the device to be authenticated and the first random number, the device address identifier identifying the MAC address of the device to be authenticated; to generate the authenticator-side install code based on the first random number; and to send an install code response whose destination address is the distribution network platform gateway, the install code response carrying the authenticator-side install code, from which the distribution network platform gateway determines the authenticator-side trust center link key.
In an optional embodiment, the key determination module 1001 is configured to determine, from the device address identifier, the license key corresponding to the device to be authenticated, and to process the first random number together with the license key using a first key generation algorithm to generate the authenticator-side install code.
In an optional embodiment, the first key generation algorithm includes the AES-MMO hash algorithm.
In an optional embodiment, the install code response further carries a second random number generated by the device platform cloud.
In an optional embodiment, the apparatus further includes a second authentication module configured to receive an authenticate-device request whose source address is the distribution network platform gateway, the authenticate-device request carrying a device address identifier and a device-side authentication key, the device-side authentication key being a key that the device to be authenticated generated from a second random number generated by the device platform cloud; and to perform the second access authentication on the device-side authentication key according to the second random number, the device address identifier identifying the MAC address of the device to be authenticated.
In an optional embodiment, the second authentication module is configured to determine, from the device address identifier, the license key corresponding to the device to be authenticated; to process the second random number together with the license key using a third key generation algorithm to generate a cloud-side authentication key; and to verify the cloud-side authentication key against the device-side authentication key to determine the authentication result.
In an optional embodiment, the third key generation algorithm includes the AES-MMO hash algorithm.
In an optional embodiment, the apparatus further includes an authentication result sending module configured to send the authentication result, whose destination address is the distribution network platform gateway.
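The three-party key derivation described in the gateway-side embodiments above (key determination module 902 and the authentication request module) and in the cloud-side embodiments (key determination module 1001 and the second authentication module), worked through end to end as an added example in Go. This is not code from the patent or from its applicant; it was written for this page. The AES-MMO construction and its padding follow the Matyas-Meyer-Oseas hash as the Zigbee specification describes it (Annex B.6). Everything else is an assumption made for the example: the license key, MAC address and network key are constructed sample values, random numbers are 16 bytes, the install code is hashed once more to obtain the link key (the second of the two options the patent gives), and AES-GCM stands in for the CCM* transport a Zigbee stack would actually use to carry the encrypted network key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// aesMMO is the Matyas-Meyer-Oseas hash over AES-128 (Zigbee spec Annex B.6):
// Hash_0 = 0^128, Hash_i = AES_{Hash_{i-1}}(M_i) XOR M_i. Padding for inputs
// under 2^16 bits: 0x80, zeros until the length is 14 mod 16, then the 16-bit
// big-endian bit length. Every input in this example is a few dozen bytes.
func aesMMO(msg []byte) [16]byte {
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%16 != 14 {
		padded = append(padded, 0x00)
	}
	bits := len(msg) * 8
	padded = append(padded, byte(bits>>8), byte(bits))
	var h [16]byte
	for i := 0; i < len(padded); i += 16 {
		block, _ := aes.NewCipher(h[:]) // the chaining value is the AES key
		var e [16]byte
		block.Encrypt(e[:], padded[i:i+16])
		for j := range h {
			h[j] = e[j] ^ padded[i+j]
		}
	}
	return h
}

func concat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to derive keys rather than degrade
	}
	return b
}

// Key derivation as the patent lays it out: first algorithm -> install code,
// second -> trust center link key, third -> key for the second authentication.
func installCode(r1, licenseKey []byte) [16]byte { return aesMMO(concat(r1, licenseKey)) }
func linkKey(ic [16]byte) [16]byte              { return aesMMO(ic[:]) }
func authKey(r2, licenseKey []byte) [16]byte    { return aesMMO(concat(r2, licenseKey)) }

// devicePlatformCloud keeps each device's license key, indexed by MAC address.
type devicePlatformCloud struct{ licenseKeys map[string][]byte }

// installCodeResponse answers an install code request with the authenticator-side
// install code and a fresh R2 for the second access authentication.
func (c *devicePlatformCloud) installCodeResponse(mac string, r1 []byte) ([16]byte, []byte, bool) {
	lk, ok := c.licenseKeys[mac]
	if !ok {
		return [16]byte{}, nil, false
	}
	return installCode(r1, lk), random(16), true
}

// authenticateDevice recomputes the cloud-side key from R2 and the stored
// license key and compares it in constant time with the device-side key.
func (c *devicePlatformCloud) authenticateDevice(mac string, r2, deviceKey []byte) bool {
	lk, ok := c.licenseKeys[mac]
	if !ok {
		return false
	}
	cloudKey := authKey(r2, lk)
	return subtle.ConstantTimeCompare(cloudKey[:], deviceKey) == 1
}

// aead wraps a link key for key transport. AES-GCM stands in for Zigbee's CCM*;
// the device recovers the network key, and detects tampering, only if its link
// key equals the authenticator's.
func aead(lk [16]byte) cipher.AEAD {
	block, _ := aes.NewCipher(lk[:]) // 16-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// commission runs both authentications for one device. deviceLicenseKey is the
// key the device actually holds, so a cloned or mis-provisioned device is
// simulated by passing a key that differs from the cloud's record.
func commission(cloud *devicePlatformCloud, mac string, deviceLicenseKey, networkKey []byte) (firstOK, secondOK bool) {
	r1 := random(16) // device-generated, carried in the enhanced beacon
	deviceLK := linkKey(installCode(r1, deviceLicenseKey))
	ic, r2, ok := cloud.installCodeResponse(mac, r1) // relayed via the distribution network platform cloud
	if !ok {
		return false, false // unknown MAC: nothing to derive, device stays off the network
	}
	gw := aead(linkKey(ic))
	n := gw.NonceSize()
	nonce := random(n)
	encryptedKeyInfo := gw.Seal(nonce, nonce, networkKey, nil) // gateway -> device
	got, err := aead(deviceLK).Open(nil, encryptedKeyInfo[:n], encryptedKeyInfo[n:], nil)
	firstOK = err == nil && subtle.ConstantTimeCompare(got, networkKey) == 1
	deviceKey := authKey(r2, deviceLicenseKey) // device's reply to the R2 write request
	secondOK = cloud.authenticateDevice(mac, r2, deviceKey[:])
	return firstOK, secondOK
}

func main() {
	lk := []byte("license-key-0123") // constructed 16-byte license key
	cloud := &devicePlatformCloud{licenseKeys: map[string][]byte{"00:11:22:33:44:55:66:77": lk}}
	fmt.Println(commission(cloud, "00:11:22:33:44:55:66:77", lk, []byte("network-key-0000")))
	fmt.Println(commission(cloud, "00:11:22:33:44:55:66:77", []byte("wrong-license-key"), []byte("network-key-0000")))
}
```

The two `commission` calls in `main` show the point of the scheme: a device holding the correct license key both recovers the network key (first access authentication) and passes the cloud's comparison (second access authentication), while a device with any other key fails both, because neither the install code nor the authentication key can be computed without the license key. R1 comes from the device and R2 from the cloud, so neither side can replay the other's earlier value, and the constant-time compare on the cloud avoids leaking how many bytes of the authentication key matched.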
It should be noted that when the apparatus provided in the above embodiments performs its functions, the division into the functional modules above is given only as an example; in practice, the functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to perform all or part of the functions described above.
For the apparatus of the above embodiments, the specific manner in which each module performs its operations has been described in detail in the method embodiments and is not repeated here.
FIG. 11 shows a schematic structural diagram of a computer device (such as the device to be authenticated, the distribution network platform gateway, or the device platform cloud) provided by an exemplary embodiment of the present application. The computer device includes a processor 101, a receiver 102, a transmitter 103, a memory 104, and a bus 105.
The processor 101 includes one or more processing cores and performs various functional applications and information processing by running software programs and modules.
The receiver 102 and the transmitter 103 may be implemented as a single communication component, which may be a communication chip.
The memory 104 is connected to the processor 101 through the bus 105.
The memory 104 may store at least one instruction, and the processor 101 executes that instruction to implement the steps of the method embodiments above.
In addition, the memory 104 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, including but not limited to magnetic or optical disks, electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), static random access memory (SRAM), read-only memory (ROM), magnetic memory, flash memory, and programmable read-only memory (PROM).
In an exemplary embodiment, the computer device includes a processor, a memory, and a transceiver (the transceiver may include a receiver for receiving information and a transmitter for sending information).
In a possible implementation, when the computer device is implemented as the device to be authenticated:
the transceiver is configured to broadcast a beacon frame carrying the first random number generated by the device to be authenticated;
the processor is configured to generate a device-side trust center link key based on the first random number and a license key, the license key being a key stored in both the device to be authenticated and the device platform cloud;
the processor is configured to use the device-side trust center link key to perform the first access authentication with the distribution network platform gateway.
When the computer device is implemented as the device to be authenticated, the processor and transceiver of the computer device in the embodiments of the present application may perform the steps performed by the device to be authenticated in any of the methods shown in FIG. 2 to FIG. 5 above, which are not repeated here.
In a possible implementation, when the computer device is implemented as the distribution network platform gateway:
the transceiver is configured to receive a beacon frame broadcast by the device to be authenticated, the beacon frame carrying the first random number generated by the device to be authenticated;
the processor is configured to interact with the device platform cloud via the distribution network platform cloud to obtain the authenticator-side trust center link key, the authenticator-side trust center link key being a key generated based on the first random number and a license key, the license key being a key stored in both the device to be authenticated and the device platform cloud;
the processor is configured to use the authenticator-side trust center link key to perform the first access authentication with the device to be authenticated.
When the computer device is implemented as the distribution network platform gateway, the processor and transceiver of the computer device in the embodiments of the present application may perform the steps performed by the distribution network platform gateway in any of the methods shown in FIG. 2 to FIG. 5 above, which are not repeated here.
In a possible implementation, when the computer device is implemented as the device platform cloud:
the processor is configured to interact with the distribution network platform gateway so that the distribution network platform gateway obtains the authenticator-side trust center link key, which is a key generated from the first random number generated by the device to be authenticated and is used for the first access authentication of the device to be authenticated.
When the computer device is implemented as the device platform cloud, the processor and transceiver of the computer device in the embodiments of the present application may perform the steps performed by the device platform cloud in any of the methods shown in FIG. 2 to FIG. 5 above, which are not repeated here.
In an exemplary embodiment, a computer-readable storage medium is also provided, storing a computer program that is loaded and executed by a processor to implement the access authentication method performed by the computer device in the method embodiments above.
In an exemplary embodiment, a computer program product is also provided which, when run on the processor of a computer device, causes the computer device to perform the access authentication method described in the above aspects.
In an exemplary embodiment, a chip is also provided, the chip including a programmable logic circuit and/or program instructions and, when run on a computer device, implementing the access authentication method described in the above aspects.
The above are only optional embodiments of the present application and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application shall fall within its scope of protection.

Claims (84)

  1. An access authentication method, applied to a device to be authenticated, the method comprising:
    broadcasting a beacon frame, the beacon frame carrying a first random number generated by the device to be authenticated;
    generating a device-side trust center link key based on the first random number and a license key, the license key being a key stored in both the device to be authenticated and a device platform cloud;
    performing a first access authentication with a distribution network platform gateway using the device-side trust center link key.
  2. The method according to claim 1, wherein performing the first access authentication with the distribution network platform gateway using the device-side trust center link key comprises:
    obtaining a network key based on the device-side trust center link key, the network key being used to encrypt network-layer data after the first access authentication.
  3. The method according to claim 2, wherein obtaining the network key based on the device-side trust center link key comprises:
    receiving encrypted key information sent by the distribution network platform gateway, the encrypted key information having been encrypted by the distribution network platform gateway under an authenticator-side trust center link key, the authenticator-side trust center link key being generated by the distribution network platform gateway or the device platform cloud;
    processing the encrypted key information with the device-side trust center link key to obtain the network key.
  4. The method according to claim 2, further comprising:
    broadcasting a device announce message indicating that the device to be authenticated has joined the network built by the distribution network platform gateway.
  5. The method according to any one of claims 1 to 4, wherein generating the device-side trust center link key based on the first random number and the license key comprises:
    processing the first random number and the license key with a first key generation algorithm to generate a device-side install code, and using the device-side install code as the device-side trust center link key;
    or,
    processing the first random number and the license key with a first key generation algorithm to generate a device-side install code, and processing the device-side install code with a second key generation algorithm to generate the device-side trust center link key.
  6. The method according to claim 5, wherein
    the first key generation algorithm comprises the Advanced Encryption Standard (AES) based AES-MMO hash algorithm;
    the second key generation algorithm comprises the AES-MMO hash algorithm.
  7. The method according to any one of claims 1 to 4, wherein
    the beacon frame is an enhanced beacon frame, and the first random number is carried in a header information element field of the enhanced beacon frame.
  8. The method according to claim 7, wherein broadcasting the beacon frame comprises:
    broadcasting the enhanced beacon frame;
    or,
    broadcasting the enhanced beacon frame and a regular beacon frame alternately.
  9. The method according to any one of claims 1 to 4, wherein
    the beacon frame further carries a device identifier identifying the type of the device to be authenticated.
  10. The method according to any one of claims 1 to 4, wherein
    the beacon frame further carries a manufacturer identifier identifying the manufacturer to which the device to be authenticated belongs.
  11. The method according to any one of claims 1 to 4, wherein
    the beacon frame further carries a device address identifier identifying the media access control (MAC) address of the device to be authenticated.
  12. The method according to any one of claims 1 to 4, further comprising:
    receiving a beacon response sent by the distribution network platform gateway in reply to the beacon frame;
    sending an association request to the distribution network platform gateway, requesting access to the network built by the distribution network platform gateway;
    receiving an association response sent by the distribution network platform gateway in reply to the association request.
  13. The method according to any one of claims 1 to 4, further comprising:
    generating a device-side authentication key based on a second random number generated by the device platform cloud, the device-side authentication key being used for a second access authentication of the device to be authenticated;
    sending the device-side authentication key to the distribution network platform gateway.
  14. The method according to claim 13, wherein generating the device-side authentication key based on the second random number generated by the device platform cloud comprises:
    processing the second random number and the license key with a third key generation algorithm to generate the device-side authentication key.
  15. The method according to claim 14, wherein
    the third key generation algorithm comprises the AES-MMO hash algorithm.
  16. The method according to claim 13, further comprising:
    receiving a random-number write request sent by the distribution network platform gateway to a custom cluster of the device to be authenticated, the random-number write request carrying the second random number.
  17. The method according to claim 16, further comprising:
    storing the device-side authentication key in an attribute of the custom cluster.
  18. The method according to claim 16, wherein
    the access type of the custom cluster is return-after-write.
  19. An access authentication method, applied to a distribution network platform gateway, the distribution network platform gateway supporting the building of a network, the cloud server corresponding to the distribution network platform gateway being a distribution network platform cloud, the method comprising:
    receiving a beacon frame broadcast by a device to be authenticated, the beacon frame carrying a first random number generated by the device to be authenticated;
    interacting with a device platform cloud via the distribution network platform cloud to obtain an authenticator-side trust center link key, the authenticator-side trust center link key being a key generated based on the first random number and a license key, the license key being a key stored in both the device to be authenticated and the device platform cloud;
    performing a first access authentication with the device to be authenticated using the authenticator-side trust center link key.
  20. The method according to claim 19, wherein performing the first access authentication with the device to be authenticated using the authenticator-side trust center link key comprises:
    sending encrypted key information to the device to be authenticated, the encrypted key information being obtained by encrypting a network key under the authenticator-side trust center link key, the network key being used to encrypt network-layer data after the first access authentication.
  21. The method according to claim 20, further comprising:
    receiving a device announce message sent by the device to be authenticated, indicating that the device to be authenticated has joined the network built by the distribution network platform gateway.
  22. The method according to any one of claims 19 to 21, wherein the beacon frame further carries a device address identifier of the device to be authenticated, identifying the media access control (MAC) address of the device to be authenticated;
    interacting with the device platform cloud via the distribution network platform cloud to obtain the authenticator-side trust center link key comprises:
    sending an install code request to the device platform cloud via the distribution network platform cloud, the install code request carrying the device address identifier and the first random number, the first random number being used by the device platform cloud to generate an authenticator-side install code;
    receiving, via the distribution network platform cloud, an install code response whose source address is the device platform cloud;
    determining the authenticator-side trust center link key based on the install code response.
  23. The method according to claim 22, wherein the install code response carries the authenticator-side install code;
    determining the authenticator-side trust center link key based on the install code response comprises:
    using the authenticator-side install code as the authenticator-side trust center link key;
    or,
    processing the authenticator-side install code with a second key generation algorithm to generate the authenticator-side trust center link key.
  24. The method according to claim 23, wherein
    the second key generation algorithm comprises the Advanced Encryption Standard (AES) based AES-MMO hash algorithm.
  25. The method according to claim 22, wherein
    the install code response further carries a second random number generated by the device platform cloud.
  26. The method according to any one of claims 19 to 21, further comprising:
    sending a random-number write request to a custom cluster of the device to be authenticated, the random-number write request carrying a second random number that the distribution network platform gateway obtains from an install code response whose source address is the device platform cloud;
    receiving a device-side authentication key sent by the device to be authenticated, the device-side authentication key being used for a second access authentication of the device to be authenticated;
    sending an authenticate-device request to the device platform cloud via the distribution network platform cloud, the authenticate-device request carrying a device address identifier and the device-side authentication key, the device address identifier identifying the MAC address of the device to be authenticated.
  27. The method according to claim 26, wherein sending the random-number write request to the custom cluster of the device to be authenticated comprises:
    obtaining the access type of the custom cluster;
    in response to the access type of the custom cluster being return-after-write, sending the random-number write request to the custom cluster.
  28. The method according to claim 26, further comprising:
    receiving, via the distribution network platform cloud, an authentication result whose source address is the device platform cloud;
    in response to the authentication result indicating success, updating the authenticator-side trust center link key;
    in response to the authentication result indicating failure, adding the device to be authenticated to a device blacklist, the device blacklist recording devices whose network provisioning failed.
  29. The method according to any one of claims 19 to 21, further comprising:
    sending a beacon response to the device to be authenticated in reply to the beacon frame;
    receiving an association request sent by the device to be authenticated, requesting access to the network built by the distribution network platform gateway;
    sending an association response to the device to be authenticated in reply to the association request.
  30. The method according to any one of claims 19 to 21, wherein the beacon frame further carries a device identifier identifying the type of the device to be authenticated, the method further comprising:
    sending the device identifier to a control device that controls the distribution network platform gateway;
    receiving an access request sent by the control device, the access request triggering the distribution network platform gateway to return a beacon response in reply to the beacon frame.
  31. 根据权利要求19至21任一所述的方法,其特征在于,The method according to any one of claims 19 to 21, wherein,
    所述信标帧为增强信标帧,所述第一随机数填充在所述增强信标帧的头信息单元字段。The beacon frame is an enhanced beacon frame, and the first random number is filled in a header information element field of the enhanced beacon frame.
  32. An access authentication method, characterized in that it is applied in a device platform cloud, where the device platform cloud is the cloud server of the manufacturer to which a device to be authenticated belongs, the method comprising:
    interacting with a distribution network platform gateway so that the distribution network platform gateway obtains an authenticator-side trust center link key, where the authenticator-side trust center link key is a key generated from a first random number generated by the device to be authenticated, and the authenticator-side trust center link key is used for first access authentication of the device to be authenticated.
  33. The method according to claim 32, wherein interacting with the distribution network platform gateway so that the distribution network platform gateway obtains the authenticator-side trust center link key comprises:
    receiving an installation code request whose source address is the distribution network platform gateway, where the installation code request carries a device address identifier corresponding to the device to be authenticated and the first random number, and the device address identifier identifies the media access control (MAC) address of the device to be authenticated;
    generating an authenticator-side installation code based on the first random number;
    sending an installation code response whose destination address is the distribution network platform gateway, where the installation code response carries the authenticator-side installation code, and the authenticator-side installation code is used by the distribution network platform gateway to determine the authenticator-side trust center link key.
  34. The method according to claim 33, wherein generating the authenticator-side installation code based on the first random number comprises:
    determining, according to the device address identifier, the license key corresponding to the device to be authenticated;
    processing the first random number and the license key with a first key generation algorithm to generate the authenticator-side installation code.
  35. The method according to claim 34, wherein:
    the first key generation algorithm comprises the Advanced Encryption Standard AES-MMO hash algorithm.
  36. The method according to claim 33, wherein:
    the installation code response further carries a second random number generated by the device platform cloud.
  37. The method according to any one of claims 32 to 36, wherein the method further comprises:
    receiving an authentication device request whose source address is the distribution network platform gateway, where the authentication device request carries a device address identifier and a device-side authentication key, the device-side authentication key is a key generated by the device to be authenticated based on a second random number, the second random number is generated by the device platform cloud, and the device address identifier identifies the MAC address of the device to be authenticated;
    performing second access authentication of the device-side authentication key according to the second random number.
  38. The method according to claim 37, wherein performing second access authentication of the device-side authentication key according to the second random number comprises:
    determining, according to the device address identifier, the license key corresponding to the device to be authenticated;
    processing the second random number and the license key with a third key generation algorithm to generate a cloud-side authentication key;
    verifying the cloud-side authentication key against the device-side authentication key to determine an authentication result.
  39. The method according to claim 38, wherein:
    the third key generation algorithm comprises the AES-MMO hash algorithm.
  40. The method according to claim 38, wherein the method further comprises:
    sending the authentication result, where the destination address of the authentication result is the distribution network platform gateway.
  41. An access authentication apparatus, characterized in that it is applied to a device to be authenticated and comprises a beacon frame broadcasting module, a key generation module and a first authentication module, wherein:
    the beacon frame broadcasting module is configured to broadcast a beacon frame carrying a first random number generated by the device to be authenticated;
    the key generation module is configured to generate a device-side trust center link key based on the first random number and a license key, where the license key is a key stored in both the device to be authenticated and a device platform cloud;
    the first authentication module is configured to perform first access authentication with a distribution network platform gateway using the device-side trust center link key.
  42. The apparatus according to claim 41, wherein:
    the first authentication module is configured to obtain a network key based on the device-side trust center link key, where the network key is used to encrypt network-layer data after the first access authentication.
  43. The apparatus according to claim 42, wherein the first authentication module is configured to:
    receive encrypted key information sent by the distribution network platform gateway, where the encrypted key information is encrypted by the distribution network platform gateway with an authenticator-side trust center link key, and the authenticator-side trust center link key is generated by the distribution network platform gateway or the device platform cloud;
    process the encrypted key information with the device-side trust center link key to obtain the network key.
  44. The apparatus according to claim 42, wherein the apparatus further comprises a device announcement broadcasting module;
    the device announcement broadcasting module is configured to broadcast a device announcement message indicating that the device to be authenticated has joined the network built by the distribution network platform gateway.
  45. The apparatus according to any one of claims 41 to 44, wherein:
    the key generation module is configured to process the first random number and the license key with a first key generation algorithm to generate a device-side installation code, and to use the device-side installation code as the device-side trust center link key;
    or,
    the key generation module is configured to process the first random number and the license key with a first key generation algorithm to generate a device-side installation code, and to process the device-side installation code with a second key generation algorithm to generate the device-side trust center link key.
  46. The apparatus according to claim 45, wherein:
    the first key generation algorithm comprises the Advanced Encryption Standard AES-MMO hash algorithm;
    the second key generation algorithm comprises the AES-MMO hash algorithm.
  47. The apparatus according to any one of claims 41 to 44, wherein:
    the beacon frame is an enhanced beacon frame, and the first random number is carried in a header information element field of the enhanced beacon frame.
  48. The apparatus according to claim 47, wherein:
    the beacon frame broadcasting module is configured to broadcast the enhanced beacon frame;
    or,
    the beacon frame broadcasting module is configured to broadcast the enhanced beacon frame and a regular beacon frame alternately.
  49. The apparatus according to any one of claims 41 to 44, wherein:
    the beacon frame further carries a device identifier identifying the type of the device to be authenticated.
  50. The apparatus according to any one of claims 41 to 44, wherein:
    the beacon frame further carries a manufacturer identifier identifying the manufacturer to which the device to be authenticated belongs.
  51. The apparatus according to any one of claims 41 to 44, wherein:
    the beacon frame further carries a device address identifier identifying the media access control (MAC) address of the device to be authenticated.
  52. The apparatus according to any one of claims 41 to 44, wherein the apparatus further comprises a beacon response receiving module and an association module;
    the beacon response receiving module is configured to receive a beacon response sent by the distribution network platform gateway, where the beacon response responds to the beacon frame;
    the association module is configured to send an association request to the distribution network platform gateway, where the association request requests access to the network built by the distribution network platform gateway, and to receive an association response sent by the distribution network platform gateway, where the association response responds to the association request.
  53. The apparatus according to any one of claims 41 to 44, wherein the apparatus further comprises a second authentication module, and the second authentication module is configured to:
    generate a device-side authentication key based on a second random number generated by the device platform cloud, where the device-side authentication key is used for second access authentication of the device to be authenticated;
    send the device-side authentication key to the distribution network platform gateway.
  54. The apparatus according to claim 53, wherein:
    the second authentication module is configured to process the second random number and the license key with a third key generation algorithm to generate the device-side authentication key.
  55. The apparatus according to claim 54, wherein:
    the third key generation algorithm comprises the AES-MMO hash algorithm.
  56. The apparatus according to claim 53, wherein the apparatus further comprises a request receiving module;
    the request receiving module is configured to receive a random number write request sent by the distribution network platform gateway to a custom cluster of the device to be authenticated, where the random number write request carries the second random number.
  57. The apparatus according to claim 56, wherein the apparatus further comprises a key storage module;
    the key storage module is configured to store the device-side authentication key in an attribute of the custom cluster.
  58. The apparatus according to claim 56, wherein:
    the access type of the custom cluster is return-after-write.
  59. An access authentication apparatus, characterized in that it is applied in a distribution network platform gateway, where the distribution network platform gateway supports building a network and the cloud server corresponding to the distribution network platform gateway is a distribution network platform cloud, the apparatus comprising a beacon frame receiving module, a key determination module and a first authentication module, wherein:
    the beacon frame receiving module is configured to receive a beacon frame broadcast by a device to be authenticated, where the beacon frame carries a first random number generated by the device to be authenticated;
    the key determination module is configured to interact with a device platform cloud through the distribution network platform cloud to obtain an authenticator-side trust center link key, where the authenticator-side trust center link key is a key generated based on the first random number and a license key, and the license key is a key stored in both the device to be authenticated and the device platform cloud;
    the first authentication module is configured to perform first access authentication with the device to be authenticated using the authenticator-side trust center link key.
  60. The apparatus according to claim 59, wherein:
    the first authentication module is configured to send encrypted key information to the device to be authenticated, where the encrypted key information is obtained by encrypting a network key with the authenticator-side trust center link key, and the network key is used to encrypt network-layer data after the first access authentication.
  61. The apparatus according to claim 60, wherein the apparatus further comprises a device announcement receiving module;
    the device announcement receiving module is configured to receive a device announcement message sent by the device to be authenticated, where the device announcement message indicates that the device to be authenticated has joined the network built by the distribution network platform gateway.
  62. The apparatus according to any one of claims 59 to 61, wherein the beacon frame further carries a device address identifier of the device to be authenticated, the device address identifier identifies the media access control (MAC) address of the device to be authenticated, and the key determination module is configured to:
    send, through the distribution network platform cloud, an installation code request to the device platform cloud, where the installation code request carries the device address identifier and the first random number, and the first random number is used by the device platform cloud to generate an authenticator-side installation code;
    receive, through the distribution network platform cloud, an installation code response whose source address is the device platform cloud;
    determine the authenticator-side trust center link key based on the installation code response.
  63. The apparatus according to claim 62, wherein the installation code response carries the authenticator-side installation code;
    the key determination module is configured to use the authenticator-side installation code as the authenticator-side trust center link key;
    or,
    the key determination module is configured to process the authenticator-side installation code with a second key generation algorithm to generate the authenticator-side trust center link key.
  64. The apparatus according to claim 63, wherein:
    the second key generation algorithm comprises the Advanced Encryption Standard AES-MMO hash algorithm.
  65. The apparatus according to claim 62, wherein:
    the installation code response further carries a second random number generated by the device platform cloud.
  66. The apparatus according to any one of claims 59 to 61, wherein the apparatus further comprises an authentication request module, and the authentication request module is configured to:
    send a random number write request to a custom cluster of the device to be authenticated, where the random number write request carries a second random number that the distribution network platform gateway obtained from an installation code response whose source address is the device platform cloud;
    receive a device-side authentication key sent by the device to be authenticated, where the device-side authentication key is used for second access authentication of the device to be authenticated;
    send, through the distribution network platform cloud, an authentication device request to the device platform cloud, where the authentication device request carries a device address identifier and the device-side authentication key, and the device address identifier identifies the MAC address of the device to be authenticated.
  67. The apparatus according to claim 66, wherein:
    the authentication request module is configured to obtain the access type of the custom cluster and, in response to the access type of the custom cluster being return-after-write, send the random number write request to the custom cluster.
  68. The apparatus according to claim 66, wherein the apparatus further comprises an authentication result processing module, and the authentication result processing module is configured to:
    receive, through the distribution network platform cloud, an authentication result whose source address is the device platform cloud;
    in response to the authentication result being authentication success, update the authenticator-side trust center link key;
    in response to the authentication result being authentication failure, add the device to be authenticated to a device blacklist, where the device blacklist records devices whose network commissioning failed.
  69. The apparatus according to any one of claims 59 to 61, wherein the apparatus further comprises a beacon response sending module and an association module;
    the beacon response sending module is configured to send a beacon response to the device to be authenticated, where the beacon response responds to the beacon frame;
    the association module is configured to receive an association request sent by the device to be authenticated, where the association request requests access to the network built by the distribution network platform gateway, and to send an association response to the device to be authenticated, where the association response responds to the association request.
  70. The apparatus according to any one of claims 59 to 61, wherein the beacon frame further carries a device identifier identifying the type of the device to be authenticated, the apparatus further comprises an access request receiving module, and the access request receiving module is configured to:
    send the device identifier to a control device, where the control device controls the distribution network platform gateway;
    receive an access request sent by the control device, where the access request triggers the distribution network platform gateway to return a beacon response, and the beacon response responds to the beacon frame.
  71. The apparatus according to any one of claims 59 to 61, wherein:
    the beacon frame is an enhanced beacon frame, and the first random number is carried in a header information element field of the enhanced beacon frame.
  72. An access authentication apparatus, characterized in that it is applied in a device platform cloud, where the device platform cloud is the cloud server of the manufacturer to which a device to be authenticated belongs, the apparatus comprising a key determination module;
    the key determination module is configured to interact with a distribution network platform gateway so that the distribution network platform gateway obtains an authenticator-side trust center link key, where the authenticator-side trust center link key is a key generated from a first random number generated by the device to be authenticated, and the authenticator-side trust center link key is used for first access authentication of the device to be authenticated.
  73. The apparatus according to claim 72, wherein the key determination module is configured to:
    receive an installation code request whose source address is the distribution network platform gateway, where the installation code request carries a device address identifier corresponding to the device to be authenticated and the first random number, and the device address identifier identifies the media access control (MAC) address of the device to be authenticated;
    generate an authenticator-side installation code based on the first random number;
    send an installation code response whose destination address is the distribution network platform gateway, where the installation code response carries the authenticator-side installation code, and the authenticator-side installation code is used by the distribution network platform gateway to determine the authenticator-side trust center link key.
  74. The apparatus according to claim 73, wherein the key determination module is configured to:
    determine, according to the device address identifier, the license key corresponding to the device to be authenticated;
    process the first random number and the license key with a first key generation algorithm to generate the authenticator-side installation code.
  75. The apparatus according to claim 74, wherein:
    the first key generation algorithm comprises the Advanced Encryption Standard AES-MMO hash algorithm.
  76. The apparatus according to claim 73, wherein:
    the installation code response further carries a second random number generated by the device platform cloud.
  77. The apparatus according to any one of claims 72 to 76, wherein the apparatus further comprises a second authentication module, and the second authentication module is configured to:
    receive an authentication device request whose source address is the distribution network platform gateway, where the authentication device request carries a device address identifier and a device-side authentication key, the device-side authentication key is a key generated by the device to be authenticated based on a second random number, the second random number is generated by the device platform cloud, and the device address identifier identifies the MAC address of the device to be authenticated;
    perform second access authentication of the device-side authentication key according to the second random number.
  78. The apparatus according to claim 77, wherein the second authentication module is configured to:
    determine, according to the device address identifier, the license key corresponding to the device to be authenticated;
    process the second random number and the license key with a third key generation algorithm to generate a cloud-side authentication key;
    verify the cloud-side authentication key against the device-side authentication key to determine an authentication result.
  79. The apparatus according to claim 78, wherein:
    the third key generation algorithm comprises the AES-MMO hash algorithm.
  80. The apparatus according to claim 78, wherein the apparatus further comprises an authentication result sending module;
    the authentication result sending module is configured to send the authentication result, where the destination address of the authentication result is the distribution network platform gateway.
  81. 一种待认证设备,其特征在于,所述待认证设备包括:处理器和与所述处理器相连的收发器;其中,A device to be authenticated, characterized in that the device to be authenticated comprises: a processor and a transceiver connected to the processor; wherein,
    所述收发器,用于广播信标帧,所述信标帧携带所述待认证设备生成的第一随机数;the transceiver, configured to broadcast a beacon frame, where the beacon frame carries the first random number generated by the device to be authenticated;
    所述处理器,用于基于所述第一随机数以及许可密钥,生成设备端信任中心链接密钥,所述许可密钥是存放于所述待认证设备以及设备平台云中的密钥;The processor is configured to generate a device-side trust center link key based on the first random number and a license key, where the license key is a key stored in the device to be authenticated and the device platform cloud;
    所述处理器,用于使用所述设备端信任中心链接密钥,与配网平台网关进行第一接入认证。The processor is configured to use the device-side trust center link key to perform first access authentication with the distribution network platform gateway.
  82. 一种配网平台网关,其特征在于,所述配网平台网关支持构建网络,所述配网平台网关对应的云端服务器为配网平台云,所述配网平台网关包括:处理器和与所述处理器相连的收发器;其中,A distribution network platform gateway, characterized in that the distribution network platform gateway supports network construction, the cloud server corresponding to the distribution network platform gateway is a distribution network platform cloud, and the distribution network platform gateway includes: a processor and a a transceiver connected to the processor; wherein,
    所述收发器,用于接收待认证设备广播的信标帧,所述信标帧携带所述待认证设备生成的第一随机数;the transceiver, configured to receive a beacon frame broadcast by the device to be authenticated, where the beacon frame carries the first random number generated by the device to be authenticated;
    所述处理器,用于通过所述配网平台云,与设备平台云交互,获取认证端信任中心链接密钥,所述认证端信任中心链接密钥是基于所述第一随机数以及许可密钥生成的密钥,所述许可密钥是存放于所述待认证设备以及所述设备平台云中的密钥;The processor is configured to interact with the device platform cloud through the distribution network platform cloud to obtain the authentication end trust center link key, where the authentication end trust center link key is based on the first random number and the license key. The key generated by the key, the license key is the key stored in the device to be authenticated and the device platform cloud;
    所述处理器,用于使用所述认证端信任中心链接密钥,与所述待认证设备进行第一接入认证。The processor is configured to perform first access authentication with the device to be authenticated by using the authenticator trust center link key.
  83. 一种设备平台云,其特征在于,所述设备平台云是待认证设备所属的厂商的云端服务器,所述设备平台云包括:处理器和与所述处理器相连的收发器;其中,A device platform cloud, characterized in that the device platform cloud is a cloud server of a manufacturer to which the device to be authenticated belongs, and the device platform cloud includes: a processor and a transceiver connected to the processor; wherein,
    所述处理器,用于与配网平台网关交互,使得所述配网平台网关获取认证端信任中心链接密钥,所述认证端信任中心链接密钥是根据所述待认证设备生成的第一随机数生成的密钥,所述认证端信任中心链接密钥用于进行所述待认证设备的第一接入认证。The processor is configured to interact with the distribution network platform gateway, so that the distribution network platform gateway obtains the authentication end trust center link key, and the authentication end trust center link key is the first generated according to the device to be authenticated. The key generated by the random number, the authentication end trust center link key is used to perform the first access authentication of the device to be authenticated.
  84. 一种计算机可读存储介质,其特征在于,所述可读存储介质中存储有计算机程序,所述计算机程序由处理器加载并执行以实现如权利要求1至40任一所述的接入认证方法。A computer-readable storage medium, wherein a computer program is stored in the readable storage medium, and the computer program is loaded and executed by a processor to implement the access authentication according to any one of claims 1 to 40 method.
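As an added illustration (not code from the patent), the following Python model walks through the exchange of claims 81 to 83: the device broadcasts a first random number, the device and the device platform cloud each derive a trust center link key from that number and the shared license key, and the gateway, holding the authenticator-side key obtained through the clouds, checks that the device holds the matching key. The derivation function (HMAC-SHA256), the challenge-response step and the class names are assumptions; the claims do not fix them.

```python
import hashlib
import hmac
import secrets

def derive_tclk(license_key: bytes, first_random: bytes) -> bytes:
    # Assumed KDF (the patent does not specify one): HMAC-SHA256 over the
    # beacon's first random number, keyed with the shared license key.
    return hmac.new(license_key, b"TCLK" + first_random, hashlib.sha256).digest()

def proof(tclk: bytes, challenge: bytes) -> bytes:
    # Assumed proof of possession of a TCLK, used by both sides of the
    # first access authentication.
    return hmac.new(tclk, b"RESP" + challenge, hashlib.sha256).digest()

class DeviceToBeAuthenticated:
    def __init__(self, license_key: bytes):
        self.license_key = license_key  # provisioned at manufacture
        self.tclk = None

    def broadcast_beacon(self) -> bytes:
        # A fresh random number per beacon; the device-side TCLK derives from it.
        first_random = secrets.token_bytes(16)
        self.tclk = derive_tclk(self.license_key, first_random)
        return first_random

    def respond(self, challenge: bytes) -> bytes:
        return proof(self.tclk, challenge)

class DevicePlatformCloud:
    def __init__(self, license_key: bytes):
        self.license_key = license_key  # same license key as the device

    def authenticator_tclk(self, first_random: bytes) -> bytes:
        return derive_tclk(self.license_key, first_random)

class DistributionNetworkPlatformGateway:
    def __init__(self, device_platform_cloud: DevicePlatformCloud):
        # The relay through the distribution network platform cloud is modelled as a direct call.
        self.device_platform_cloud = device_platform_cloud

    def first_access_auth(self, device: DeviceToBeAuthenticated) -> bool:
        first_random = device.broadcast_beacon()  # beacon frame received
        tclk = self.device_platform_cloud.authenticator_tclk(first_random)
        challenge = secrets.token_bytes(16)
        return hmac.compare_digest(proof(tclk, challenge), device.respond(challenge))

def run_first_access_auth(device_key: bytes, cloud_key: bytes) -> bool:
    # Succeeds only when device and device platform cloud share the license key.
    gateway = DistributionNetworkPlatformGateway(DevicePlatformCloud(cloud_key))
    return gateway.first_access_auth(DeviceToBeAuthenticated(device_key))
```

A device whose license key is not known to the device platform cloud fails the check, which is the property the claimed scheme relies on.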
Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2020/133686 WO2022116110A1 (en) 2020-12-03 2020-12-03 Access authentication method and apparatus, device, and storage medium
CN202080107382.1A CN116508292A (en) 2020-12-03 2020-12-03 Access authentication method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2022116110A1 (en) 2022-06-09

Family

ID=81852816

Country Status (2)

Country Link
CN (1) CN116508292A (en)
WO (1) WO2022116110A1 (en)

Also Published As

Publication number Publication date
CN116508292A (en) 2023-07-28

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20963956; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 202080107382.1; Country of ref document: CN)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20963956; Country of ref document: EP; Kind code of ref document: A1)