WO2022116209A1 - Internet of things device access authentication method and apparatus, device, and storage medium - Google Patents


Info

Publication number
WO2022116209A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
key
random number
cloud platform
authentication
Prior art date
Application number
PCT/CN2020/134087
Other languages
French (fr)
Chinese (zh)
Inventor
罗朝明
茹昭
Original Assignee
Oppo广东移动通信有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Oppo广东移动通信有限公司
Priority to PCT/CN2020/134087
Priority to CN202080106961.4A (CN116420338A)
Publication of WO2022116209A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • the present application relates to the field of wireless communications, and in particular, to a method, apparatus, device, and storage medium for access authentication of IoT devices.
  • In Internet of Things (IoT) technology, IoT devices usually involve cross-platform access scenarios, and the access cloud platform needs to issue access keys to the IoT devices.
  • To ensure the security of access, in each access process of the IoT device, the IoT device needs to be authenticated at least once before the access cloud platform issues an access key to it.
  • the embodiments of the present application provide an access authentication method, apparatus, device, and storage medium for an Internet of Things device.
  • a method for authentication of IoT device access is provided, the method is performed by an access cloud platform, and the method includes:
  • the device key is set in the IoT device and the device cloud platform;
  • a method for authentication of IoT device access is provided, the method is performed by the IoT device, and the method includes:
  • the first random number is generated by the access cloud platform and is provided after the access cloud platform obtains the first access key, which the device cloud platform of the IoT device generates from the device key and the first random number; the device key is set in the IoT device and the device cloud platform;
  • a method for authentication of IoT device access is provided, the method is performed by an access cloud platform, and the method includes:
  • according to the device information of the IoT device, send the first random number to the device cloud platform corresponding to the IoT device;
  • receive an access authentication request sent by the IoT device, where the access authentication request includes a second access key, and the second access key is generated by the IoT device from the device key, the encrypted ciphertext and the first random number;
  • a method for authentication of IoT device access is provided, the method is performed by the IoT device, and the method includes:
  • the encrypted ciphertext is the ciphertext obtained by the access cloud platform encrypting the first access key with the first encryption key; the first encryption key is the key generated by the device cloud platform of the IoT device by encrypting the first random number with the device key; the device key is set in the IoT device and the device cloud platform;
  • the first random number is encrypted by the device key to generate the second encryption key
  • an IoT device access authentication apparatus is provided, the apparatus is used in an access cloud platform, and the apparatus includes:
  • the device information acquisition module is used to acquire the device information of the IoT device
  • a first random number generating module for generating a first random number
  • a first random number sending module configured to send the first random number to the device cloud platform according to the device information of the IoT device
  • a first access key receiving module configured to receive the first access key generated by the device cloud platform through the device key and the first random number; the device key is set in the IoT device and in the device cloud platform;
  • a first random number providing module configured to provide the first random number to the Internet of Things device
  • the authentication request receiving module is configured to receive an access authentication request sent by the Internet of Things device, where the access authentication request includes a second access key, and the second access key is generated by the Internet of Things device from the device key and the first random number;
  • An access authentication module configured to perform access authentication on the IoT device according to the first access key and the second access key.
  • an apparatus for authentication of IoT device access is provided, the apparatus is used in an IoT device, and the apparatus includes:
  • a device information providing module configured to provide the device information of the IoT device to the access cloud platform
  • a first random number acquisition module configured to acquire a first random number provided by the access cloud platform, where the first random number is generated by the access cloud platform and provided after it obtains the first access key that the device cloud platform of the IoT device generates from the device key and the first random number; the device key is set in the IoT device and the device cloud platform;
  • a second access key generation module configured to generate a second access key according to the device key and the first random number
  • an authentication request sending module configured to send an access authentication request including the second access key to the access cloud platform, where the access authentication request is used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
  • an IoT device access authentication apparatus is provided, the apparatus is used in an access cloud platform, and the apparatus includes:
  • the device information acquisition module is used to acquire the device information of the IoT device
  • a random number and key generation module for generating a first random number and a first access key
  • a first random number sending module configured to send the first random number to a device cloud platform corresponding to the IoT device according to the device information of the IoT device;
  • a first encryption key receiving module configured to receive a first encryption key generated by the device cloud platform by encrypting the first random number with the device key
  • an encrypted ciphertext obtaining module configured to encrypt the first access key by using the first encryption key to obtain an encrypted ciphertext
  • a ciphertext and random number providing module configured to provide the encrypted ciphertext and the first random number to the IoT device
  • the authentication request receiving module is configured to receive an access authentication request sent by the Internet of Things device, where the access authentication request includes a second access key, and the second access key is generated by the Internet of Things device from the device key, the encrypted ciphertext and the first random number;
  • An access authentication module configured to perform access authentication on the IoT device according to the first access key and the second access key.
  • an apparatus for authentication of IoT device access is provided, the apparatus is used in an IoT device, and the apparatus includes:
  • a device information providing module configured to provide the device information of the IoT device to the access cloud platform
  • the ciphertext and random number acquisition module is used to acquire the encrypted ciphertext provided by the access cloud platform and the first random number generated by the access cloud platform; the encrypted ciphertext is obtained by the access cloud platform encrypting the first access key with the first encryption key.
  • the second encryption key generation module is used for encrypting the first random number by the device key to generate the second encryption key
  • a second access key obtaining module configured to decrypt the encrypted ciphertext by using the second encryption key to obtain a second access key
  • an authentication request sending module configured to send an access authentication request including the second access key to the access cloud platform, where the access authentication request is used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
  • a device for accessing a cloud platform includes: a processor and a transceiver connected to the processor; wherein,
  • the processor is used for acquiring device information of the IoT device; generating a first random number;
  • the transceiver is configured to send the first random number to the device cloud platform according to the device information of the Internet of Things device, and to receive the first access key generated by the device cloud platform from the device key and the first random number; the device key is set in the IoT device and the device cloud platform;
  • the processor configured to provide the first random number to the Internet of Things device
  • the transceiver is configured to receive an access authentication request sent by the Internet of Things device, where the access authentication request includes a second access key, and the second access key is based on the Internet of Things device. generated by the device key and the first random number;
  • the processor is configured to perform access authentication on the Internet of Things device according to the first access key and the second access key.
  • an IoT device comprising: a processor and a transceiver connected to the processor; wherein,
  • the processor is configured to provide device information of the Internet of Things device to the access cloud platform, and to obtain a first random number provided by the access cloud platform, where the first random number is generated by the access cloud platform and provided after it obtains the first access key generated by the device cloud platform of the IoT device from the device key and the first random number; the device key is set in the IoT device and in the device cloud platform;
  • the processor configured to generate a second access key according to the device key and the first random number
  • the transceiver is configured to send an access authentication request including the second access key to the access cloud platform, where the access authentication request is used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
  • a device for accessing a cloud platform includes: a processor and a transceiver connected to the processor; wherein,
  • the processor for acquiring device information of the IoT device; generating a first random number and a first access key;
  • the transceiver is configured to send the first random number to the device cloud platform corresponding to the Internet of Things device according to the device information of the Internet of Things device, and to receive the first encryption key generated by the device cloud platform by encrypting the first random number with the device key;
  • the processor is configured to encrypt the first access key by using the first encryption key to obtain encrypted ciphertext; provide the encrypted ciphertext and the first random number to the IoT devices;
  • the transceiver is configured to receive an access authentication request sent by the Internet of Things device, where the access authentication request includes a second access key, and the second access key is based on the Internet of Things device. generated by the device key, the encrypted ciphertext and the first random number;
  • the processor is configured to perform access authentication on the Internet of Things device according to the first access key and the second access key.
  • an IoT device comprising: a processor and a transceiver connected to the processor; wherein,
  • the processor is configured to provide the device information of the Internet of Things device to the access cloud platform, and to obtain the encrypted ciphertext provided by the access cloud platform and the first random number generated by the access cloud platform; the encrypted ciphertext is obtained by the access cloud platform encrypting the first access key with the first encryption key; the first encryption key is generated by the device cloud platform of the IoT device by encrypting the first random number with the device key; the device key is set in the IoT device and the device cloud platform;
  • the processor is configured to encrypt the first random number with a device key to generate a second encryption key; decrypt the encrypted ciphertext with the second encryption key to obtain a second access key ;
  • the transceiver is configured to send an access authentication request including the second access key to the access cloud platform, where the access authentication request is used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
  • a computer-readable storage medium is provided, in which a computer program is stored; the computer program is loaded and executed by a processor to implement the method for authentication of access to an Internet of Things device as described in the above aspects.
  • a chip is provided; the chip includes a programmable logic circuit and/or program instructions, and when the chip runs on a network device, it is used to implement the Internet of Things device access authentication method described in the above aspects.
  • a computer program product is provided which, when running on a processor of a network device, enables the network device to execute the method for authentication of IoT device access described in the above aspects.
  • the device key is preset in the IoT device and the device cloud platform.
  • the access cloud platform can obtain the first access key by interacting with the device cloud platform, using the first random number it generated itself, where the first access key is generated from the device key and the first random number; that is, after the access cloud platform provides the first random number to the IoT device, the IoT device can obtain the second access key for access from the locally stored device key combined with the first random number, and use the second access key to request access authentication from the access cloud platform.
  • although the access cloud platform does not directly provide the access key to the IoT device, the IoT device can still obtain the access key correctly, which ensures security.
  • because identity authentication of the IoT device is not required in this process, the access authentication process can be simplified, thereby improving the efficiency of IoT device access authentication while ensuring the security of access authentication.
  • FIG. 1 is a block diagram of an access authentication system provided by an exemplary embodiment of the present application.
  • FIG. 2 is a flowchart of a method for authentication of IoT device access provided by an exemplary embodiment of the present application
  • FIG. 3 is a flowchart of a method for authentication of IoT device access provided by an exemplary embodiment of the present application
  • FIG. 4 is a flowchart of access authentication in the network distribution process involved in the embodiment shown in FIG. 3;
  • FIG. 5 is a flowchart of a method for authentication of IoT device access provided by an exemplary embodiment of the present application
  • FIG. 6 is a flow chart of access authentication after completion of the distribution network involved in the embodiment shown in FIG. 5;
  • FIG. 7 is a flowchart of a method for authentication of IoT device access provided by an exemplary embodiment of the present application.
  • FIG. 8 is a flowchart of access authentication in the network distribution process involved in the embodiment shown in FIG. 7;
  • FIG. 9 is a structural block diagram of an access authentication method and apparatus provided by an exemplary embodiment of the present application.
  • FIG. 10 is a structural block diagram of an access authentication method and apparatus provided by an exemplary embodiment of the present application.
  • FIG. 11 is a structural block diagram of an access authentication method and apparatus provided by an exemplary embodiment of the present application.
  • FIG. 12 is a structural block diagram of an access authentication method and apparatus provided by an exemplary embodiment of the present application.
  • FIG. 13 is a schematic structural diagram of a computer device provided by an exemplary embodiment of the present application.
  • Soft AP (Soft Access Point, soft wireless access point)
  • Soft AP is a technology that uses special software to realize the AP function on non-AP devices through a wireless network card. It can replace the AP (Access Point, wireless access point) in a wireless network, thereby reducing the cost of wireless networking.
  • The hardware part of a Soft AP is a standard wireless network card, which provides the same signal transfer, routing and other functions as an AP through drivers. Compared with a traditional AP, the cost of a Soft AP is very low. Compared with ordinary wireless network cards, the integrated driver/software of a Soft AP can provide great convenience for users who are new to networking.
  • Network distribution refers to a process in which a device to be connected to the network obtains network access information (such as a network identifier and an access key), and accesses the network based on the network access information.
  • network distribution based on Soft AP refers to the process in which the device to be connected to the network requests network access information and accesses the network with the help of the network distribution device (such as a mobile phone) through the Soft AP function.
  • scan-code network distribution means the process in which the device to be connected to the network scans a graphic code (such as a two-dimensional code) through an image acquisition component (such as a camera), decodes it, obtains the network access information carried in the graphic code, and accesses the network based on that network access information.
  • FIG. 1 shows a block diagram of an access authentication system provided by an exemplary embodiment of the present application.
  • the system may include: an Internet of Things device 12 , an access cloud platform 14 , and a device cloud platform 16 .
  • the IoT device 12 may be a smart device (such as VR (Virtual Reality) glasses, a smart wearable device, etc.), a terminal device, a sensor device, or another device with network access capability, which is not limited in this embodiment of the present application.
  • the IoT devices 12 may be smart home devices such as smart TVs, smart speakers, smart air conditioners, smart lights, smart doors and windows, smart curtains, and smart sockets.
  • the number of IoT devices 12 may be determined according to application requirements or the maximum number of devices that the access cloud platform 14 can manage.
  • the access cloud platform 14 includes an access point device 141 and an access cloud 142 .
  • the access point device 141 is used to provide network access services to the IoT device 12 , for example, the access point device 141 may be a wireless router, a wireless gateway device, and the like. In some scenarios, the access point device 141 may also be implemented as a terminal device, such as a mobile phone, a tablet computer, a wearable device, and the like.
  • the number of access point devices 141 may be one or more, which is not limited in this embodiment of the present application. Generally, for reasons such as saving resources, the number of access point devices 141 is one.
  • the access cloud 142 may be a cloud server of the access point device 141 .
  • the access point device 141 and the access cloud 142 are connected through a wired or wireless network.
  • the IoT device 12 is developed based on the device cloud platform 16.
  • a communication link exists between the access cloud 142 and the device cloud platform 16 .
  • the access cloud 142 interacts with the device cloud platform 16 during the access process of the IoT device 12 .
  • the above-mentioned access cloud 142 and device cloud platform 16 may be implemented as a cloud computing resource pool in the field of cloud technology, and multiple types of virtual resources are deployed in the resource pool for external customers to choose and use.
  • the cloud computing resource pool mainly includes computing devices (virtualized machines, including operating systems), storage devices, and network devices. It can be an independent physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, Content Delivery Network (CDN), and big data and artificial intelligence platforms.
  • the system may further include a network distribution device 18, and the access cloud 142 and the network distribution device 18 are connected through a wired or wireless network.
  • the network distribution device 18 is a device for the user to operate to control the network distribution process of the IoT device 12 .
  • the distribution network device 18 may be implemented as a terminal device, such as a mobile phone, a tablet computer, a wearable device, and the like.
  • FIG. 2 shows a flowchart of a method for authentication of IoT device access provided by an exemplary embodiment of the present application.
  • the method can be applied to the access authentication system shown in FIG. 1, and is performed interactively by the Internet of Things device 12, the access cloud platform 14 and the device cloud platform 16, and the method can include the following steps:
  • Step 201 the IoT device provides the device information of the IoT device to the access cloud platform; correspondingly, the access cloud platform obtains the device information of the IoT device.
  • the above-mentioned device information includes a device identification (Identity, ID) of the Internet of Things device, for example, a Media Access Control (Media Access Control, MAC) address of the Internet of Things device.
  • the above-mentioned device information may also include indication information of the device cloud platform corresponding to the IoT device, for example, the device information also includes the manufacturer information of the IoT device, or the address of the device cloud platform, and so on.
  • the IoT device may provide the device information of the IoT device to the access cloud platform through the network configuration terminal during the network distribution process.
  • the IoT device provides the device information of the IoT device to the access cloud platform through the network distribution terminal in the Soft AP distribution method or the scanning code distribution method.
  • the IoT device may directly send the device information of the IoT device to the access cloud platform after completing the network configuration.
  • Step 202 the access cloud platform performs a key generation interaction with the device cloud platform corresponding to the IoT device according to the device information of the IoT device, and obtains a first access key and key indication information; wherein the first access key and the key indication information are associated through a device key, and the device key is set in the IoT device and the device cloud platform.
  • the same device key is stored in the device cloud platform and the IoT device, respectively.
  • When the access cloud platform assigns the access key to the IoT device, it interacts with the device cloud platform. In this process, in addition to generating the first access key, it also obtains key indication information; the first access key and the key indication information are associated through the device key, that is, the first access key can be obtained by encrypting or decrypting the key indication information with the device key.
  • Step 203 the access cloud platform provides the key indication information to the IoT device; correspondingly, the IoT device obtains the key indication information provided by the access cloud platform.
  • the device cloud platform provides key indication information to the IoT device, but does not directly provide the access key.
  • the access cloud platform provides key indication information to the IoT device through the network configuration terminal.
  • the access cloud platform provides key indication information to the IoT device through the network distribution terminal in the Soft AP distribution method or the scanning code distribution method.
  • the access cloud platform may directly send key indication information to the IoT device.
  • Step 204 the IoT device generates a second access key according to the device key and the key indication information.
  • Since the key indication information and the first access key are associated through the device key, after the IoT device obtains the key indication information it can encrypt or decrypt the key indication information with the device key; the result of that encryption or decryption is the above-mentioned second access key.
  • Step 205 the IoT device sends an access authentication request including the second access key to the access cloud platform; correspondingly, the access cloud platform receives the access authentication request sent by the IoT device.
  • Step 206 the access cloud platform performs access authentication on the Internet of Things device according to the first access key and the second access key.
  • the device key is preset in the IoT device and the device cloud platform; the IoT device initiates access to the access cloud platform, and the access cloud platform interacts with the device cloud platform to obtain the first access key and the key indication information, where the first access key and the key indication information are associated through the device key; that is, after the access cloud platform provides the key indication information to the IoT device, the IoT device can obtain the second access key for access from the locally stored device key combined with the key indication information, and request access authentication from the access cloud platform with the second access key.
  • although the access cloud platform does not directly provide the access key to the IoT device, the IoT device can still obtain the access key correctly, which ensures security; at the same time, because identity authentication of the IoT device is not required in this process, the access authentication process can be simplified, thereby improving the efficiency of IoT device access authentication while ensuring its security.
  • the above-mentioned first access key may be generated by the device cloud platform, and the above key indication information includes the first random number generated by the access cloud platform.
  • the access cloud platform obtains device information of the IoT device; generates a first random number; sends the first random number to the device cloud platform according to the device information of the IoT device; receives a first access key generated by the device cloud platform from the device key and the first random number, the device key being set in the IoT device and the device cloud platform; provides the first random number to the IoT device; receives an access authentication request sent by the IoT device, where the access authentication request includes a second access key generated by the IoT device from the device key and the first random number; and performs access authentication on the Internet of Things device according to the first access key and the second access key.
  • the IoT device provides the device information of the IoT device to the access cloud platform; obtains the first random number provided by the access cloud platform, where the first random number is generated by the access cloud platform and provided after it obtains the first access key generated by the device cloud platform of the IoT device from the device key and the first random number, the device key being set in the IoT device and the device cloud platform; generates a second access key from the device key and the first random number; and sends an access authentication request including the second access key to the access cloud platform, where the access authentication request is used to request the access cloud platform to perform access authentication on the Internet of Things device according to the first access key and the second access key.
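Steps 201 to 206 as a three-party exchange, covering both ways the page instantiates the key indication information: the FIG. 2/3 variant, where it is only the first random number and the device cloud platform derives the first access key, and the FIG. 7 variant, where the access cloud platform generates the first access key itself and ships it as ciphertext under an encryption key the device cloud platform derives. This is an added example and not the patent's or Oppo's code. The page does not name the function that combines the device key with the random number or the encryption algorithm; HMAC-SHA256 derivation with a purpose label, an HMAC-based encrypt-then-MAC wrapper, all class and function names, and the constructed device registry are assumptions here. It goes a little beyond the text by also showing what a verifier should see when a device presents the right device ID with the wrong device key, and when an already-consumed second access key is replayed.

```python
# Added example (not the patent's or Oppo's code): the three-party exchange of
# Steps 201-206. The device key is preset in the device and the DCP; the ACP never sees it.
import hashlib
import hmac
import secrets

def derive(device_key: bytes, nonce: bytes, label: bytes) -> bytes:
    # Assumed combining function (the page only says "generated by the device key
    # and the first random number"); HMAC-SHA256 with a purpose label is our choice.
    return hmac.new(device_key, label + nonce, hashlib.sha256).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Assumed encrypt-then-MAC wrapper built from hmac alone (the page names no
    # cipher): keystream = HMAC(key, "stream"||iv), tag = HMAC(key, "tag"||iv||ct).
    iv = secrets.token_bytes(16)
    keystream = hmac.new(key, b"stream" + iv, hashlib.sha256).digest()
    if len(plaintext) > len(keystream):
        raise ValueError("plaintext longer than one keystream block")
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(key, b"tag" + iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def open_sealed(key: bytes, blob: bytes):
    # Inverse of seal(); returns None when the tag does not verify.
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    keystream = hmac.new(key, b"stream" + iv, hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(ct, keystream))

class DeviceCloudPlatform:  # holds the device keys preset at manufacture
    def __init__(self, registry: dict):
        self._keys = dict(registry)

    def first_access_key(self, device_id: bytes, nonce: bytes) -> bytes:
        # FIG. 2/3 variant: the DCP derives the first access key itself.
        return derive(self._keys[device_id], nonce, b"access-key")

    def first_encryption_key(self, device_id: bytes, nonce: bytes) -> bytes:
        # FIG. 7 variant: the DCP derives only an encryption key for the ACP.
        return derive(self._keys[device_id], nonce, b"enc-key")

class AccessCloudPlatform:
    def __init__(self, dcp: DeviceCloudPlatform):
        self._dcp = dcp
        self._pending = {}  # device_id -> first access key awaiting Step 205

    def start_variant_a(self, device_id: bytes) -> bytes:
        # Steps 202-203 (FIG. 2/3): key indication information is the random number.
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = self._dcp.first_access_key(device_id, nonce)
        return nonce

    def start_variant_b(self, device_id: bytes):
        # Steps 202-203 (FIG. 7): the ACP picks the access key and ships it sealed.
        nonce = secrets.token_bytes(16)
        first_access_key = secrets.token_bytes(32)
        enc_key = self._dcp.first_encryption_key(device_id, nonce)
        self._pending[device_id] = first_access_key
        return nonce, seal(enc_key, first_access_key)

    def authenticate(self, device_id: bytes, second_access_key) -> bool:
        # Step 206: constant-time compare; each first access key is usable once.
        first_access_key = self._pending.pop(device_id, None)
        if first_access_key is None or second_access_key is None:
            return False
        return hmac.compare_digest(first_access_key, second_access_key)

class IoTDevice:
    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def second_access_key_a(self, nonce: bytes) -> bytes:
        # Step 204 (FIG. 2/3): same derivation as the DCP, from the local key.
        return derive(self.device_key, nonce, b"access-key")

    def second_access_key_b(self, nonce: bytes, ciphertext: bytes):
        # Step 204 (FIG. 7): rebuild the encryption key locally, then unseal.
        return open_sealed(derive(self.device_key, nonce, b"enc-key"), ciphertext)

def run_demo() -> dict:
    dev_id, key = b"dev-0001", b"k" * 32  # constructed sample values
    acp = AccessCloudPlatform(DeviceCloudPlatform({dev_id: key}))
    good, impostor = IoTDevice(key), IoTDevice(b"x" * 32)  # impostor: wrong key
    out = {}
    nonce = acp.start_variant_a(dev_id)
    k2 = good.second_access_key_a(nonce)
    out["good_a"] = acp.authenticate(dev_id, k2)
    out["replay_a"] = acp.authenticate(dev_id, k2)  # pending entry already consumed
    nonce = acp.start_variant_a(dev_id)
    out["impostor_a"] = acp.authenticate(dev_id, impostor.second_access_key_a(nonce))
    nonce, ct = acp.start_variant_b(dev_id)
    out["good_b"] = acp.authenticate(dev_id, good.second_access_key_b(nonce, ct))
    nonce, ct = acp.start_variant_b(dev_id)
    out["impostor_b"] = acp.authenticate(dev_id, impostor.second_access_key_b(nonce, ct))
    return out
```

`run_demo()` returns a dict in which only `good_a` and `good_b` are `True`. Two properties of the page's design are visible in the code: the access cloud platform compares keys it never had to send to the device, so the device key stays confined to the device and the device cloud platform, and because each first access key is popped from the pending table on first use, the random number doubles as a per-access nonce that makes a captured second access key worthless afterwards.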
  • FIG. 3 shows a flowchart of a method for authentication of IoT device access provided by an exemplary embodiment of the present application.
  • the method can be applied to the access authentication system as shown in FIG. 1, and is executed interactively by the Internet of Things device 12, the access cloud platform 14 and the device cloud platform 16, and the method can include the following steps:
  • Step 301 the IoT device provides the device information of the IoT device to the access cloud platform; correspondingly, the access cloud platform obtains the device information of the IoT device.
  • the device information can be provided to the access cloud platform.
  • the above-mentioned device information includes a device identification (Identity, ID) of the Internet of Things device, for example, a Media Access Control (Media Access Control, MAC) address of the Internet of Things device.
  • the above-mentioned device information may also include indication information of the device cloud platform corresponding to the IoT device, for example, the device information also includes the manufacturer information of the IoT device, or the address of the device cloud platform, and so on.
  • the IoT device may provide the device information of the IoT device to the access cloud platform through the network configuration terminal during the network distribution process.
  • the IoT device provides the device information of the IoT device to the access cloud platform through the network distribution terminal in the Soft AP distribution method or the scanning code distribution method.
  • the IoT device may directly send the device information of the IoT device to the access cloud platform after completing the network configuration.
  • Step 302 the access cloud platform generates a first random number.
  • the first random number is used as key indication information.
  • the access cloud platform generates the first random number corresponding to the IoT device through a preset random number generation algorithm.
  • the access cloud platform also generates an access authentication identifier of the IoT device.
  • after the access cloud platform obtains the device information of the IoT device, it can generate an access authentication identifier for the IoT device; the access authentication identifier is used to identify the IoT device when the IoT device initiates access.
  • the access cloud platform also generates a device registration code of the IoT device.
  • the access cloud platform may also generate a corresponding device registration code for the IoT device, and the device registration code is used as additional or auxiliary access authentication information when the IoT device initiates access.
  • Step 303 the access cloud platform sends the first random number to the device cloud platform according to the device information of the IoT device; correspondingly, the device cloud platform receives the first random number.
  • the access cloud platform may determine the device cloud platform corresponding to the IoT device according to the device information of the IoT device, and send the first random number to the determined device cloud platform.
  • the access cloud platform can use the device manufacturer information to determine the address/interface of the device cloud platform corresponding to the IoT device (for example, by looking up a table keyed by the device manufacturer information to obtain the address/interface of the device cloud platform), and sends the above-mentioned first random number to the device cloud platform through the determined address/interface.
  • Step 304 the device cloud platform generates a first access key by using the device key of the IoT device and the first random number.
  • the above-mentioned device cloud platform encrypts the first random number through the device key corresponding to the IoT device to generate the first access key.
  • the device manufacturer may preset a device key for the IoT device, and the device key is set in the IoT device before the IoT device leaves the factory. At the same time, the device manufacturer also stores the device key corresponding to the IoT device in the device cloud platform; for example, the correspondence between the device identifier (eg, MAC address) of the IoT device and the device key is stored in the device cloud platform.
  • Step 305 the device cloud platform returns the first access key to the access cloud platform, and the access cloud platform receives the first access key.
  • the access cloud platform receives the first access key generated by the device cloud platform by encrypting the first random number with the device key.
  • the access cloud platform further establishes an association relationship between the above-mentioned access authentication identifier and the first access key.
  • the access cloud platform may pre-establish an association table between the access authentication identifier and the access key. Whenever the access cloud platform generates an access authentication identifier for an IoT device and obtains the first access key, the access authentication identifier of the IoT device and the first access key are stored correspondingly in the association table, so that they can be queried and used in the subsequent access authentication process.
  • Step 306 the access cloud platform provides the first random number to the IoT device, and accordingly, the IoT device obtains the first random number provided by the access cloud platform.
  • the access cloud platform delivers to the IoT device key indication information that must be processed with the device key to obtain the access key, rather than delivering the access key directly, thereby ensuring the security of key delivery.
  • the access cloud platform also provides the access authentication identifier to the IoT device; correspondingly, the IoT device obtains the access authentication identifier provided by the access cloud platform.
  • the access cloud platform also provides the device registration code to the IoT device; correspondingly, the IoT device obtains the device registration code provided by the access cloud platform.
  • the access cloud platform also provides the access authentication identifier and the device registration code to the IoT device; correspondingly, the IoT device obtains the access authentication identifier and the device registration code provided by the access cloud platform.
  • Step 307 the IoT device generates a second access key by using the device key and the first random number.
  • the IoT device encrypts the first random number with the device key to generate the second access key.
  • after the IoT device obtains the key indication information sent by the access cloud platform (that is, the above-mentioned first random number), it can encrypt the first random number with the device key stored by itself to obtain the second access key.
  • the encryption algorithm used by the device cloud platform to encrypt the first random number to obtain the first access key and the encryption algorithm used by the IoT device to encrypt the first random number with the device key to obtain the second access key are the same.
  • the IoT device needs the locally stored device key to process the key indication information to obtain the access key, that is, only the IoT device with the specific identity can obtain the correct access key. Therefore, identity authentication is realized within the access key distribution process without an additional authentication process, thereby ensuring the security of the key distribution and reducing the complexity of authentication.
  • Step 308 the IoT device sends an access authentication request including the second access key to the access cloud platform; correspondingly, the access cloud platform receives the access authentication request sent by the IoT device.
  • the IoT device sends an access authentication request including the second access key and the access authentication identifier to the access cloud platform.
  • the IoT device sends an access authentication request including the second access key and the device registration code to the access cloud platform.
  • the IoT device sends an access authentication request including the second access key, the access authentication identifier and the device registration code to the access cloud platform.
  • Step 309 the access cloud platform performs access authentication on the IoT device according to the first access key and the second access key.
  • the access cloud platform establishes and authenticates the data connection of the IoT device using the Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) pre-shared key (Pre-Shared Key, PSK) method according to the first access key and the second access key.
  • the access cloud platform can use the second access key in the request as the PSK to match the first access key. If they match, the access authentication is confirmed to be successful, and a TLS/DTLS connection is established.
  • the access cloud platform queries the above association relationship according to the access authentication identifier carried in the access authentication request, and obtains the first access key; and performs access authentication on the IoT device according to the queried first access key and the second access key.
  • the access cloud platform establishes a secure data connection with the IoT device through the TLS/DTLS pre-shared key PSK method according to the device registration code carried in the access authentication request; the first access key and the second access key are then used for one-way or two-way challenge authentication.
  • the IoT device sends a random value S1 and a verification value X1 generated with the second access key to the access cloud platform; the access cloud platform uses the first access key and the random value S1 to generate a verification value X2 and compares it with X1. At the same time, the access cloud platform sends a random value S2 and a verification value X3 generated with the first access key to the IoT device, and the IoT device uses the second access key and the random value S2 to generate a verification value X4 and compares it with X3.
  • the access cloud platform establishes a secure data connection with the IoT device in an anonymous way through TLS/DTLS, and the first access key and the second access key are then used for one-way or two-way challenge authentication.
  • FIG. 4 shows a flowchart of access authentication in the network distribution process involved in the embodiment of the present application.
  • the access authentication process of IoT devices is as follows:
  • the IoT device broadcasts the beacon frame or displays the QR code; the distribution network device obtains the device information of the IoT device through the Soft AP discovery or code scanning method.
  • the distribution network device can receive the beacon frame broadcast by the IoT device through Soft AP discovery, and parse the Service Set Identifier (SSID)/Basic Service Set Identifier (BSSID)/manufacturer-defined information element (Information Element, IE) in the beacon frame to obtain device information of the IoT device, for example, the MAC address of the IoT device (denoted as ID1, corresponding to the device identifier in the above embodiment) and the device manufacturer information of the IoT device.
  • the distribution network device scans the QR code on the IoT device through the camera (which can be displayed through the entity label or display screen), and decodes to obtain the above-mentioned device information of the IoT device.
  • the network distribution device establishes a secure connection with the access cloud platform.
  • the network distribution device sends the above-mentioned device information of the IoT device to the access cloud platform, such as ID1 and device manufacturer information.
  • the access cloud platform determines the device cloud platform according to the device manufacturer information.
  • the access cloud platform generates an ID2 (corresponding to the above-mentioned access authentication identifier) allocated to the IoT device according to the ID1, and a random number R1 (corresponding to the above-mentioned first random number). In a possible implementation manner, the access cloud platform also allocates a device registration code A1 to the IoT device.
  • the access cloud platform establishes a secure connection with the device cloud platform.
  • the access cloud platform sends ID1 and R1 to the device cloud platform.
  • the device cloud platform obtains the key K of the IoT device (corresponding to the above-mentioned device key) according to ID1.
  • the device cloud platform encrypts R1 through K to generate K1 (corresponding to the above-mentioned first access key).
  • the device cloud platform returns K1 to the access cloud platform.
  • the access cloud platform returns the ID2 and the random number R1 to the distribution network device. In a possible implementation manner, the access cloud platform also returns A1 to the distribution network device.
  • the IoT device obtains ID2, R1, network information, and access cloud platform address through Soft AP discovery or code scanning; in a possible implementation, the IoT device also obtains A1 through Soft AP discovery or scanning code.
  • a Soft AP-based connection is established between the distribution terminal and the IoT device, and the distribution terminal sends the above ID2, R1, network information, and access cloud platform address (optionally including A1) to the IoT device.
  • the distribution terminal generates and displays a QR code based on the above ID2, R1, network information, and access cloud platform address (optionally including A1), and the IoT device scans the QR code to obtain ID2, R1, network information, access Cloud platform address (optionally including A1) and other information.
  • the IoT device uses the locally stored K to encrypt R1 to obtain K1' (corresponding to the above-mentioned second access key).
  • the IoT device uses K1' as the key to establish a TLS/DTLS connection with the access cloud platform through PSK.
  • the IoT device may also perform the following step S415.
  • the IoT device uses A1 as the key to establish a TLS/DTLS connection with the access cloud platform through PSK; and uses K1' as the key to perform one-way or two-way challenge authentication with the access cloud platform.
  • the IoT device manufacturer assigns a unique key K to each device (identified by device ID1), and presets the key K into the corresponding device.
  • the key K and the corresponding ID1 of the device are stored in the device cloud platform of the device manufacturer.
  • the access cloud platform obtains the device ID1 from the device.
  • the access cloud platform generates ID2 for the device according to the device ID1, and a random value R1 (the access cloud platform needs to save the R1 and the ID2 of the corresponding device).
  • the access cloud platform sends the aforementioned ID1 and R1 to the device cloud platform.
  • the device cloud platform generates a key K1 as follows: R1 is processed with K using a predefined key generation algorithm S1, such as an AES-256 (Advanced Encryption Standard) CMAC (Cipher-based Message Authentication Code) algorithm, a key derivation function (Key Derivation Function, KDF) based on the HMAC algorithm (the hash-based Message Authentication Code (MAC) algorithm), or a password-based key derivation function (Password-Based Key Derivation Function, PBKDF) algorithm, to obtain K1.
  • the device cloud platform returns K1 to the access cloud platform.
  • the access cloud platform returns ID2 and R1 to the device through the distribution network terminal.
  • the device uses the predefined key generation algorithm S1 to encrypt R1 with K to obtain K1' (equivalent to K1).
  • the intermediate node (such as the distribution network terminal) does not have K, so K1 cannot be obtained, which can prevent the key leakage caused by the cracking and hijacking of the distribution network terminal.
  • the device uses K1' as a pre-shared key to establish a TLS/DTLS connection with the mobile phone cloud platform through PSK.
  • ID2 is used to uniquely identify the device on the access cloud platform and to index K1.
  • the network distribution device sends network information, ID2, R1, device registration code A1 and the access cloud address to the IoT device. Every time the IoT device connects to the above-mentioned access cloud platform, it uses the TLS/DTLS method with the device registration code as the pre-shared key, or negotiates the communication key in an anonymous way, to establish a secure connection, and then uses K1 as the key to perform one-way or two-way challenge authentication with the mobile cloud platform.
  • the device key is preset in the IoT device and the device cloud platform; when the IoT device initiates access to the access cloud platform, the access cloud platform interacts with the device cloud platform to obtain the first access key, together with the first random number generated by itself, wherein the first access key is generated from the device key and the first random number. That is, after the access cloud platform provides the first random number to the IoT device, the IoT device can obtain the second access key for access by combining the locally stored device key and the first random number, and uses the second access key to request access authentication from the access cloud platform.
  • the access cloud platform does not directly provide the access key to the IoT device, but still enables the IoT device to obtain the access key correctly.
  • the access authentication process can be simplified, thereby improving the efficiency of access authentication of IoT devices while ensuring the security of access authentication.
  • the first access key can be generated by the device cloud platform, and the above key indication information includes the first random number generated by the access cloud platform.
  • the above-mentioned first access key may be generated based on the first random number and the second random number allocated by the IoT device itself.
  • FIG. 5 shows a flowchart of a method for authentication of IoT device access provided by an exemplary embodiment of the present application.
  • the method can be applied to the access authentication system shown in FIG. 1, and is executed interactively by the Internet of Things device 12, the access cloud platform 14 and the device cloud platform 16, and the method can include the following steps:
  • Step 501 the IoT device generates a second random number.
  • the IoT device further encrypts the second random number by using the device key to generate the first device authentication information.
  • in addition to providing the second random number, the IoT device also encrypts the second random number with the device key to obtain the first device authentication information, which is used by the device cloud platform to subsequently authenticate the IoT device.
  • Step 502 the IoT device provides a second random number and device information of the IoT device to the access cloud platform; correspondingly, the access cloud platform obtains the second random number and device information of the IoT device.
  • the access cloud platform further acquires the first device authentication information provided by the IoT device.
  • Step 503 the access cloud platform generates a first random number.
  • the first random number is used as key indication information.
  • the access cloud platform also generates an access authentication identifier of the IoT device.
  • the access cloud platform also generates a device registration code of the IoT device.
  • Step 504 the access cloud platform sends the first random number and the second random number to the device cloud platform according to the device information of the IoT device; correspondingly, the device cloud platform receives the first random number and the second random number.
  • the access cloud platform sends the first random number, the second random number and the first device authentication information to the device cloud platform; correspondingly, the device cloud platform receives the first random number, the second random number and the first device authentication information.
  • Step 505 the device cloud platform encrypts the first random number and the second random number through the device key corresponding to the IoT device to generate a first access key.
  • the device cloud platform uses the device key to encrypt the second random number to generate the second device authentication information, and uses the second device authentication information to authenticate the first device authentication information. After the first device authentication information passes authentication against the second device authentication information, the device cloud platform generates a third random number, and encrypts the second random number and the third random number with the device key to generate the first cloud authentication information.
  • Step 506 the device cloud platform returns the first access key to the access cloud platform, and the access cloud platform receives the first access key.
  • the access cloud platform receives the first access key, the first cloud authentication information, and the third random number sent by the device cloud platform after the first device authentication information has passed authentication against the second device authentication information.
  • the second device authentication information is generated by the device cloud platform by encrypting the second random number with the device key; the first cloud authentication information is generated by the device cloud platform by encrypting the second random number and the third random number with the device key; the third random number is generated by the device cloud platform.
  • the access cloud platform further establishes an association relationship between the above-mentioned access authentication identifier and the first access key.
  • Step 507 the access cloud platform provides the first random number to the IoT device, and correspondingly, the IoT device obtains the first random number provided by the access cloud platform.
  • the access cloud platform further provides the first cloud authentication information and the third random number to the IoT device.
  • the access cloud platform also provides the access authentication identifier to the IoT device; correspondingly, the IoT device obtains the access authentication identifier provided by the access cloud platform.
  • the access cloud platform also provides the device registration code to the IoT device; correspondingly, the IoT device obtains the device registration code provided by the access cloud platform.
  • the access cloud platform also provides the access authentication identifier and the device registration code to the IoT device; correspondingly, the IoT device obtains the access authentication identifier and the device registration code provided by the access cloud platform.
  • Step 508 the IoT device encrypts the first random number and the second random number with the device key to generate the second access key.
  • the IoT device encrypts the second random number and the third random number with the device key to generate the second cloud authentication information; after the first cloud authentication information passes authentication against the second cloud authentication information, the second access key is generated according to the device key and the key indication information.
  • the algorithm used by the IoT device to encrypt the second random number and the third random number with the device key is the same as the algorithm used by the device cloud platform to encrypt the second random number and the third random number with the device key.
  • the algorithm used by the IoT device to encrypt the first random number and the second random number with the device key is the same as the algorithm used by the device cloud platform to encrypt the first random number and the second random number with the device key.
  • Step 509 the IoT device sends an access authentication request including the second access key to the access cloud platform; correspondingly, the access cloud platform receives the access authentication request sent by the IoT device.
  • the IoT device sends an access authentication request including the second access key and the access authentication identifier to the access cloud platform.
  • the IoT device sends an access authentication request including the second access key and the device registration code to the access cloud platform.
  • the IoT device sends an access authentication request including the second access key, the access authentication identifier and the device registration code to the access cloud platform.
  • Step 510 the access cloud platform performs access authentication on the IoT device according to the first access key and the second access key.
  • the access cloud platform authenticates the IoT device for establishing a data connection by using the TLS/DTLS pre-shared key PSK method according to the first access key and the second access key.
  • the access cloud platform queries the above association relationship according to the access authentication identifier carried in the access authentication request, and obtains the first access key; and performs access authentication on the IoT device according to the queried first access key and the second access key.
  • the access cloud platform establishes a secure data connection with the IoT device through the TLS/DTLS pre-shared key PSK method according to the device registration code carried in the access authentication request; the first access key and the second access key are then used for one-way or two-way challenge authentication.
  • the access cloud platform establishes a secure data connection with the IoT device in an anonymous way through TLS/DTLS, and the first access key and the second access key are then used for one-way or two-way challenge authentication.
  • the access cloud platform receives the first access key, the third cloud authentication information, the third device authentication information, and the third random number sent by the device cloud platform; the third cloud authentication information is generated by the device cloud platform by encrypting the second random number with the device key; the third device authentication information is generated by the device cloud platform by encrypting the third random number; the third random number is generated by the device cloud platform;
  • before receiving the access authentication request sent by the IoT device, the access cloud platform also provides the third cloud authentication information and the third random number to the IoT device;
  • when the access cloud platform receives the access authentication request sent by the IoT device, it receives the access authentication request sent by the IoT device after the third cloud authentication information has passed authentication against the fourth cloud authentication information; the fourth cloud authentication information is generated by the IoT device by encrypting the second random number with the device key; the access authentication request also includes fourth device authentication information, and the fourth device authentication information is generated by the IoT device by encrypting the third random number with the device key;
  • when the access cloud platform performs access authentication on the IoT device according to the first access key and the second access key, it first authenticates the fourth device authentication information against the third device authentication information, and after that authentication passes, performs access authentication on the IoT device according to the first access key and the second access key.
  • before generating the second access key according to the device key and the first random number, the IoT device obtains the third cloud authentication information and the third random number provided by the access cloud platform; the third cloud authentication information is generated by the device cloud platform by encrypting the second random number with the device key; the third random number is generated by the device cloud platform;
  • when the IoT device generates a second access key according to the device key and the first random number, it encrypts the second random number with the device key to generate fourth cloud authentication information; after the third cloud authentication information has passed authentication against the fourth cloud authentication information, the second access key is generated according to the device key and the first random number;
  • the IoT device also encrypts the third random number with the device key to generate fourth device authentication information.
  • when the IoT device sends an access authentication request containing the second access key to the access cloud platform, it sends the access cloud platform an access authentication request containing the second access key and the fourth device authentication information.
  • FIG. 6 shows a flowchart of access authentication after the network distribution is completed according to the embodiment of the present application.
  • the access authentication process of IoT devices is as follows:
  • the IoT device establishes a secure connection with the access cloud platform.
  • the IoT device generates a random string R2 (corresponding to the above-mentioned second random number), and encrypts R2 with the device key K to generate device authentication information Hc1 (corresponding to the above-mentioned first device authentication information).
  • the IoT device sends R2, Hc1, and device information of the IoT device (including the device identifier ID1 of the IoT device and the device manufacturer information) to the access cloud platform.
  • the access cloud platform determines the device cloud platform according to the device manufacturer information.
  • the access cloud platform generates an ID2 (corresponding to the above-mentioned access authentication identifier) allocated to the IoT device according to the ID1, and a random number R1 (corresponding to the above-mentioned first random number). In a possible implementation manner, the access cloud platform also allocates a device registration code A1 to the IoT device.
  • the access cloud platform establishes a secure connection with the device cloud platform.
  • the access cloud platform sends ID1, R1, R2 and Hc1 to the device cloud platform.
  • the device cloud platform obtains the key K of the IoT device (corresponding to the above-mentioned device key) according to ID1.
  • the device cloud platform encrypts R2 by K, and generates Hc1' (corresponding to the above-mentioned second device authentication information); if Hc1' is the same as Hc1, the IoT device is authenticated successfully, and the process goes to S610, otherwise the authentication fails.
  • the device cloud platform generates a random number R3 (that is, the above-mentioned third random number).
  • the device cloud platform encrypts R2 and R3 by K to generate cloud authentication information Hc2 (corresponding to the above-mentioned first cloud authentication information).
  • the device cloud platform encrypts R1 and R2 through K to generate K1 (corresponding to the above-mentioned first access key); this is the same derivation the IoT device later performs locally, so the two sides arrive at the same key without K ever leaving the device or the device cloud platform.
  • the device cloud platform returns K1, R3 and Hc2 to the access cloud platform.
  • the access cloud platform returns ID2, R1, R3 and Hc2 to the IoT device. In a possible implementation manner, the access cloud platform also returns A1 to the IoT device.
  • the IoT device obtains ID2, R1, R3, Hc2, the network information and the access cloud platform address through the secure connection; in a possible implementation, the IoT device also obtains A1 through the secure connection.
  • the IoT device encrypts R2 and R3 through K to generate Hc2' (corresponding to the above-mentioned second cloud authentication information).
  • the IoT device compares Hc2' and Hc2, if they are the same, the authentication succeeds, and the process proceeds to S618, otherwise the authentication fails.
  • the IoT device uses the locally stored K to encrypt R1 and R2 to obtain K1' (corresponding to the above-mentioned second access key).
  • the IoT device uses K1' as the key to establish a TLS/DTLS connection with the access cloud platform through PSK.
  • the IoT device may also perform the following step S415.
  • the IoT device uses A1 as the key to establish a TLS/DTLS connection with the access cloud platform through PSK; and uses K1' as the key to perform one-way or two-way challenge authentication with the access cloud platform.
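The FIG. 6 exchange above, as an added example that is not part of the patent: a three-party simulation in Python in which the IoT device, the access cloud platform and the device cloud platform exchange R2, Hc1, R1, R3, Hc2 and K1 in the order described, and both ends finish with the key they would use as the TLS/DTLS PSK. The patent does not name the algorithm behind "encrypt with the device key"; HMAC-SHA256 over length-prefixed inputs is assumed here both for the authentication tags and for deriving K1. The derivation of ID2 from ID1, the device identifier dev-0001 and the key values are constructed for the example and are not taken from the patent.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF standing in for the patent's "encrypt with the device key".

    ASSUMPTION: HMAC-SHA256; the patent names no algorithm. Each input is
    length-prefixed so (R1, R2) cannot collide with another split of the same bytes.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big"))
        mac.update(part)
    return mac.digest()


class DeviceCloud:
    """Manufacturer's device cloud platform: holds the device key K per ID1."""

    def __init__(self, registry):
        self.registry = dict(registry)          # ID1 -> K, preset at manufacture

    def authenticate(self, id1, r1, r2, hc1):
        k = self.registry.get(id1)
        if k is None:
            return None
        hc1_prime = prf(k, r2)                  # second device authentication information
        if not hmac.compare_digest(hc1, hc1_prime):
            return None                         # device did not prove possession of K
        r3 = secrets.token_bytes(16)            # third random number
        hc2 = prf(k, r2, r3)                    # first cloud authentication information
        k1 = prf(k, r1, r2)                     # first access key; K itself never leaves here
        return k1, r3, hc2


class AccessCloud:
    """Access cloud platform: never holds K, only the derived access key K1."""

    def __init__(self, device_cloud):
        self.device_cloud = device_cloud
        self.assoc = {}                         # ID2 -> K1 association relationship

    def handle_access(self, id1, r2, hc1):
        id2 = hashlib.sha256(b"ID2|" + id1).hexdigest()[:16]   # ASSUMED derivation of ID2
        r1 = secrets.token_bytes(16)            # first random number
        result = self.device_cloud.authenticate(id1, r1, r2, hc1)
        if result is None:
            return None
        k1, r3, hc2 = result
        self.assoc[id2] = k1
        return id2, r1, r3, hc2


class IoTDevice:
    def __init__(self, id1, k):
        self.id1, self.k = id1, k

    def run(self, access_cloud):
        r2 = secrets.token_bytes(16)            # second random number
        hc1 = prf(self.k, r2)                   # first device authentication information
        result = access_cloud.handle_access(self.id1, r2, hc1)
        if result is None:
            return None
        id2, r1, r3, hc2 = result
        if not hmac.compare_digest(hc2, prf(self.k, r2, r3)):
            return None                         # cloud side did not prove possession of K
        k1_prime = prf(self.k, r1, r2)          # second access key, used as the TLS/DTLS PSK
        return id2, k1_prime


def run_fig6_flow(device_key, registered_key):
    """Return True iff both sides end up with the same PSK (K1 == K1')."""
    device_cloud = DeviceCloud({b"dev-0001": registered_key})
    access_cloud = AccessCloud(device_cloud)
    device = IoTDevice(b"dev-0001", device_key)
    result = device.run(access_cloud)
    if result is None:
        return False
    id2, k1_prime = result
    return hmac.compare_digest(access_cloud.assoc[id2], k1_prime)


if __name__ == "__main__":
    k = secrets.token_bytes(32)                 # constructed device key
    print("matching keys:", run_fig6_flow(k, k))
    print("wrong device key:", run_fig6_flow(secrets.token_bytes(32), k))
```

Note what each party learns: the access cloud platform relays Hc1 and receives K1 but never sees K, so a compromise of the access cloud exposes only the access keys it has issued. The device verifies Hc2 over its own fresh R2 before deriving K1', so a platform that cannot reach the device cloud cannot make the device accept a key. R1 is not covered by Hc2; that is harmless here because the party that chooses R1 is also the party that receives K1, and an attacker who substitutes R1 on the path to the device only causes K1' to differ from K1 and the PSK handshake to fail.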
  • the device key is preset in the IoT device and the device cloud platform. The IoT device initiates access to the access cloud platform and provides the second random number to it; by interacting with the device cloud platform, the access cloud platform obtains the first access key together with the first random number it generated itself, where the first access key is generated by the device cloud platform from the device key, the first random number and the second random number. After the access cloud platform provides the first random number to the IoT device, the IoT device can combine the locally stored device key with the second random number and the first random number to obtain the second access key for access, and use the second access key to request access authentication from the access cloud platform.
  • the access cloud platform does not directly provide the access key to the IoT device, yet the IoT device can still obtain the access key correctly, which ensures security.
  • the access authentication process can be simplified, so as to improve the efficiency of the access authentication of the IoT device under the condition of ensuring the security of the access authentication.
  • the above-mentioned first access key can be generated by the access cloud platform, and the key indication information includes the ciphertext obtained by encrypting the first access key.
  • the access cloud platform obtains device information of the IoT device; generates a first random number and a first access key; sends the first random number to the device cloud platform; receives the first encryption key generated by the device cloud platform encrypting the first random number with the device key; encrypts the first access key with the first encryption key to obtain the encrypted ciphertext; provides the encrypted ciphertext and the first random number to the IoT device; receives an access authentication request sent by the IoT device, where the access authentication request includes the second access key, and the second access key is generated by the IoT device according to the device key, the encrypted ciphertext and the first random number; and performs access authentication on the IoT device according to the first access key and the second access key.
  • the IoT device provides the device information of the IoT device to the access cloud platform; obtains the encrypted ciphertext provided by the access cloud platform and the first random number generated by the access cloud platform, where the encrypted ciphertext is obtained by the access cloud platform encrypting the first access key with the first encryption key, the first encryption key is generated by the device cloud platform of the IoT device encrypting the first random number with the device key, and the device key is set in the IoT device and the device cloud platform; encrypts the first random number with the device key to generate a second encryption key; decrypts the encrypted ciphertext with the second encryption key to obtain a second access key; and sends an access authentication request including the second access key to the access cloud platform, where the access authentication request is used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
  • FIG. 7 shows a flowchart of a method for authentication of IoT device access provided by an exemplary embodiment of the present application.
  • the method can be applied to the access authentication system as shown in FIG. 1, and is executed interactively by the Internet of Things device 12, the access cloud platform 14 and the device cloud platform 16, and the method can include the following steps:
  • Step 701 the IoT device provides the device information of the IoT device to the access cloud platform; correspondingly, the access cloud platform obtains the device information of the IoT device.
  • step 701 reference may be made to the description under step 401 in the embodiment shown in FIG. 3 , and details are not repeated here.
  • Step 702 the access cloud platform generates a first random number and a first access key.
  • in addition to generating the first random number, the access cloud platform also generates a first access key.
  • the access cloud platform also generates an access authentication identifier of the IoT device.
  • the access cloud platform also generates a device registration code of the IoT device.
  • the access cloud platform further establishes an association relationship between the above-mentioned access authentication identifier and the first access key.
  • Step 703 the access cloud platform sends the first random number to the device cloud platform according to the device information of the IoT device; correspondingly, the device cloud platform receives the first random number.
  • Step 704 the device cloud platform encrypts the first random number through the device key corresponding to the IoT device to generate a first encryption key.
  • Step 705 the device cloud platform returns the first encryption key to the access cloud platform, and the access cloud platform receives the first encryption key.
  • the access cloud platform receives the first encryption key that the device cloud platform generated by encrypting the first random number with the device key.
  • Step 706 the access cloud platform encrypts the first access key with the first encryption key to obtain the encrypted ciphertext.
  • the above encrypted ciphertext and the first random number are key indication information.
  • Step 707 the access cloud platform provides the encrypted ciphertext and the first random number to the IoT device, and accordingly, the IoT device obtains the encrypted ciphertext and the first random number provided by the access cloud platform.
  • the access cloud platform also provides the access authentication identifier to the IoT device; correspondingly, the IoT device obtains the access authentication identifier provided by the access cloud platform.
  • the access cloud platform also provides the device registration code to the IoT device; correspondingly, the IoT device obtains the device registration code provided by the access cloud platform.
  • the access cloud platform also provides the access authentication identifier and the device registration code to the IoT device; correspondingly, the IoT device obtains the access authentication identifier and device provided by the access cloud platform registration code.
  • Step 708 the IoT device encrypts the first random number with the device key to generate a second encryption key; decrypts the encrypted ciphertext with the second encryption key to obtain a second access key.
  • the encryption algorithm used by the IoT device to encrypt the first random number by using the device key is the same as the encryption algorithm used by the device cloud platform to encrypt the first random number by using the device key.
  • the algorithm for decrypting the encrypted ciphertext by the second encryption key of the IoT device matches the algorithm for encrypting the first access key by the access cloud platform using the first encryption key.
  • Step 709 the IoT device sends an access authentication request including the second access key to the access cloud platform; correspondingly, the access cloud platform receives the access authentication request sent by the IoT device.
  • the IoT device sends an access authentication request including the second access key and the access authentication identifier to the access cloud platform.
  • the IoT device sends an access authentication request including the second access key and the device registration code to the access cloud platform.
  • the IoT device sends an access authentication request including the second access key, the access authentication identifier and the device registration code to the access cloud platform.
  • Step 710 the access cloud platform performs access authentication on the IoT device according to the first access key and the second access key.
  • the access cloud platform performs data connection establishment authentication on the IoT device through the TLS/DTLS pre-shared key (PSK) method according to the first access key and the second access key.
  • the access cloud platform queries the above association relationship according to the access authentication identifier carried in the access authentication request, and obtains the first access key; and according to the queried first access key and the The second access key is used to authenticate the access of the IoT device.
  • the access cloud platform establishes a secure data connection with the IoT device through the TLS/DTLS pre-shared key (PSK) method according to the device registration code carried in the access authentication request, and then performs one-way or two-way challenge authentication according to the first access key and the second access key.
  • alternatively, the access cloud platform establishes a secure data connection with the IoT device in an anonymous way through TLS/DTLS, and then performs one-way or two-way challenge authentication according to the first access key and the second access key.
  • FIG. 8 shows a flowchart of access authentication in the network distribution process involved in the embodiment of the present application.
  • the access authentication process of IoT devices is as follows:
  • the IoT device broadcasts the beacon frame or displays the QR code; the distribution network device obtains the device information of the IoT device through Soft AP discovery or code scanning.
  • the network distribution device establishes a secure connection with the access cloud platform.
  • the network distribution device sends the above-mentioned device information of the IoT device to the access cloud platform, such as ID1 and device manufacturer information.
  • the access cloud platform determines the device cloud platform according to the device manufacturer information.
  • the access cloud platform generates an ID2 (corresponding to the above-mentioned access authentication identifier) allocated to the IoT device according to the ID1, a key K1 (corresponding to the above-mentioned first access key) and a random number R1 (corresponding to the above-mentioned first random number).
  • the access cloud platform also allocates a device registration code A1 to the IoT device.
  • the access cloud platform establishes a secure connection with the device cloud platform.
  • the access cloud platform sends ID1 and R1 to the device cloud platform.
  • the device cloud platform obtains the key K of the IoT device (corresponding to the above-mentioned device key) according to ID1.
  • the device cloud platform encrypts R1 through K to generate K2 (corresponding to the above-mentioned first encryption key).
  • the device cloud platform returns K2 to the access cloud platform.
  • the access cloud platform encrypts K1 with K2 to obtain the ciphertext C1 (corresponding to the above-mentioned encrypted ciphertext), and returns ID2, the random number R1 and the ciphertext C1 to the network distribution device. In a possible implementation manner, the access cloud platform also returns A1 to the network distribution device.
  • the IoT device obtains ID2, R1, the ciphertext C1, the network information and the access cloud platform address through Soft AP discovery or code scanning; in a possible implementation, the IoT device also obtains A1 in the same way.
  • a Soft AP-based connection is established between the network distribution device and the IoT device, and the network distribution device sends the above ID2, R1, C1, network information and access cloud platform address (optionally including A1) to the IoT device.
  • alternatively, the network distribution device generates and displays a QR code based on the above ID2, R1, C1, network information and access cloud platform address (optionally including A1), and the IoT device scans the QR code to obtain ID2, R1, C1, the network information, the access cloud platform address (optionally including A1) and other information.
  • the IoT device uses the locally stored K to encrypt R1 to obtain K2' (corresponding to the above-mentioned second encryption key), and decrypts C1 through K2' to obtain K1' (corresponds to the above-mentioned second access key).
  • the IoT device uses K1' as the key to establish a TLS/DTLS connection with the access cloud platform through PSK.
  • the IoT device may also perform the following step S816.
  • the IoT device uses A1 as the key to establish a TLS/DTLS connection with the access cloud platform through PSK; and uses K1' as the key to perform one-way or two-way challenge authentication with the access cloud platform.
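Steps 701 to 710 and the FIG. 8 flow above, as an added example that is not part of the patent: the same three parties, but here the access cloud platform chooses K1 itself, ships it to the device wrapped under K2 = E_K(R1), records the association ID2 -> K1, and later checks the device's second access key K1' with a one-way challenge (step 710). Assumptions, since the patent names no algorithms: HMAC-SHA256 stands in for "encrypt R1 with K", the wrap of K1 under K2 is a one-time XOR, the challenge is an HMAC over a server nonce, and the derivation of ID2, the identifier dev-0001 and the key values are constructed for the example.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """ASSUMPTION: HMAC-SHA256 stands in for "encrypt the random number with K".

    Inputs are length-prefixed so distinct tuples cannot collide.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big"))
        mac.update(part)
    return mac.digest()


def xor_wrap(kek: bytes, key: bytes) -> bytes:
    """One-time XOR key wrap; XOR is its own inverse, so this also unwraps.

    ASSUMPTION: the patent names no cipher. XOR with a fresh 32-byte PRF output
    is sound only because K2 is never reused (R1 is fresh per provisioning run);
    a deployment would use an AEAD or RFC 3394 key wrap for C1.
    """
    if len(kek) != len(key):
        raise ValueError("kek and key must be the same length")
    return bytes(a ^ b for a, b in zip(kek, key))


class DeviceCloud:
    def __init__(self, registry):
        self.registry = dict(registry)              # ID1 -> K, preset at manufacture

    def first_encryption_key(self, id1, r1):       # step 704: K2 = E_K(R1)
        k = self.registry.get(id1)
        return None if k is None else prf(k, r1)


class AccessCloud:
    def __init__(self, device_cloud):
        self.device_cloud = device_cloud
        self.assoc = {}                             # ID2 -> K1 association relationship
        self.pending = {}                           # ID2 -> outstanding challenge nonce

    def provision(self, id1):                       # steps 702 to 707
        id2 = hashlib.sha256(b"ID2|" + id1).hexdigest()[:16]   # ASSUMED derivation of ID2
        k1 = secrets.token_bytes(32)                # first access key, chosen by this platform
        r1 = secrets.token_bytes(32)                # first random number
        k2 = self.device_cloud.first_encryption_key(id1, r1)
        if k2 is None:
            return None
        c1 = xor_wrap(k2, k1)                       # step 706: encrypted ciphertext
        self.assoc[id2] = k1
        return id2, r1, c1                          # reaches the device via Soft AP or QR code

    def challenge(self, id2):
        nonce = secrets.token_bytes(16)
        self.pending[id2] = nonce
        return nonce

    def verify(self, id2, response):               # step 710: one-way challenge authentication
        k1 = self.assoc.get(id2)
        nonce = self.pending.pop(id2, None)         # each nonce is accepted at most once
        if k1 is None or nonce is None:
            return False
        return hmac.compare_digest(response, prf(k1, b"access-auth", nonce))


class IoTDevice:
    def __init__(self, id1, k):
        self.id1, self.k = id1, k

    def second_access_key(self, r1, c1):            # step 708
        k2_prime = prf(self.k, r1)                  # second encryption key K2'
        return xor_wrap(k2_prime, c1)               # K1' = D_K2'(C1)

    def respond(self, k1_prime, nonce):
        return prf(k1_prime, b"access-auth", nonce)


def run_fig8_flow(device_key, registered_key):
    """True iff the device proves possession of a K1' equal to the cloud's K1."""
    access_cloud = AccessCloud(DeviceCloud({b"dev-0001": registered_key}))
    device = IoTDevice(b"dev-0001", device_key)
    provisioned = access_cloud.provision(b"dev-0001")
    if provisioned is None:
        return False
    id2, r1, c1 = provisioned
    k1_prime = device.second_access_key(r1, c1)
    nonce = access_cloud.challenge(id2)
    return access_cloud.verify(id2, device.respond(k1_prime, nonce))


if __name__ == "__main__":
    k = secrets.token_bytes(32)                     # constructed device key
    print("matching keys:", run_fig8_flow(k, k))
    print("wrong device key:", run_fig8_flow(secrets.token_bytes(32), k))
```

Whatever reads the QR code or observes the Soft AP exchange sees ID2, R1 and C1 in the clear, so the confidentiality of K1 rests entirely on K: without it, K2 cannot be recomputed and C1 is just 32 random-looking bytes. The XOR wrap is acceptable here only because K2 is a fresh PRF output for every R1; if the same (K, R1) pair were ever reused to wrap two access keys, an observer of both ciphertexts would learn K1 xor K1'. In a deployment the challenge of step 710 runs inside the TLS/DTLS session established with A1 or anonymously, and a two-way variant would have the platform answer a device nonce under K1 as well.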
  • the device key is preset in the IoT device and the device cloud platform. The IoT device initiates access to the access cloud platform; by interacting with the device cloud platform, the access cloud platform obtains, alongside the first access key and the first random number it generated itself, the first encryption key produced by encrypting the first random number with the device key, and encrypts the first access key with that first encryption key to obtain the ciphertext. After the ciphertext and the first random number are provided to the IoT device, the IoT device can combine the first random number and the ciphertext with the locally stored device key to obtain the second access key for access, and use the second access key to request access authentication from the access cloud platform.
  • the access cloud platform does not directly provide the access key to the IoT device, yet the IoT device can still obtain the access key correctly.
  • the access authentication process can be simplified, thereby improving the efficiency of access authentication of IoT devices while ensuring the security of access authentication.
  • FIG. 9 shows a structural block diagram of an IoT device access authentication apparatus provided by an exemplary embodiment of the present application.
  • the apparatus can be used in the access cloud platform, implemented as the access cloud platform itself or as a component within it.
  • the device includes:
  • a first random number generation module 902 configured to generate a first random number
  • a first random number sending module 903 configured to send the first random number to the device cloud platform according to the device information of the IoT device;
  • the first access key receiving module 904 is configured to receive the first access key generated by the device cloud platform through the device key and the first random number; the device key is set in the IoT device and in the device cloud platform;
  • a first random number providing module 905, configured to provide the first random number to the IoT device
  • An authentication request receiving module 906, configured to receive an access authentication request sent by the IoT device, where the access authentication request includes a second access key, and the second access key is the IoT device generated according to the device key and the first random number;
  • An access authentication module 907 configured to perform access authentication on the IoT device according to the first access key and the second access key.
  • the apparatus further includes:
  • a second random number obtaining module, configured to obtain the second random number generated by the IoT device before the first random number sending module sends the first random number to the device cloud platform according to the device information of the IoT device;
  • the first random number sending module is configured to send the first random number and the second random number to the device cloud platform according to the device information of the IoT device;
  • the first access key receiving module is configured to receive the first access key generated by the device cloud platform by encrypting the first random number and the second random number with the device key.
  • the apparatus further includes:
  • a first device authentication information acquisition module, configured to acquire first device authentication information before the first random number sending module sends the first random number and the second random number to the device cloud platform according to the device information of the IoT device, where the first device authentication information is generated by the IoT device encrypting the second random number with the device key;
  • the first random number sending module is configured to send the first random number, the second random number and the first device authentication information to the device cloud platform according to the device information of the IoT device;
  • the first access key receiving module is configured to receive the first access key, first cloud authentication information and a third random number sent by the device cloud platform after the device cloud platform passes the authentication of the first device authentication information according to second device authentication information; the second device authentication information is generated by the device cloud platform encrypting the second random number with the device key; the first cloud authentication information is generated by the device cloud platform encrypting the second random number and the third random number with the device key; the third random number is generated by the device cloud platform;
  • the device also includes:
  • a first cloud authentication information providing module, configured to provide the first cloud authentication information and the third random number to the IoT device before the authentication request receiving module receives the access authentication request sent by the IoT device;
  • the authentication request receiving module is configured to receive the access authentication request sent by the IoT device after the IoT device passes the authentication of the first cloud authentication information according to second cloud authentication information; the second cloud authentication information is generated by the IoT device encrypting the second random number and the third random number with the device key.
  • the first access key receiving module is configured to receive the first access key, third cloud authentication information, third device authentication information and a third random number sent by the device cloud platform; the third cloud authentication information is generated by the device cloud platform encrypting the second random number with the device key; the third device authentication information is generated by the device cloud platform encrypting the third random number with the device key; the third random number is generated by the device cloud platform;
  • the device also includes:
  • an authentication information and random number providing module, configured to provide the third cloud authentication information and the third random number to the IoT device before the authentication request receiving module receives the access authentication request sent by the IoT device;
  • the authentication request receiving module is configured to receive the access authentication request sent by the IoT device after the IoT device passes the authentication of the third cloud authentication information according to fourth cloud authentication information;
  • the fourth cloud authentication information is generated by the IoT device encrypting the second random number with the device key;
  • the access authentication request also includes fourth device authentication information, which is generated by the IoT device encrypting the third random number with the device key;
  • the access authentication module is configured to authenticate the fourth device authentication information according to the third device authentication information and, after that authentication passes, perform access authentication on the IoT device according to the first access key and the second access key.
  • the access authentication module is configured to perform data connection establishment authentication on the IoT device according to the first access key and the second access key.
  • the apparatus further includes:
  • a device registration code generating module configured to generate a device registration code before the authentication request receiving module receives the access authentication request sent by the IoT device;
  • a device registration code providing module configured to provide the device registration code to the IoT device
  • the authentication request receiving module configured to receive the access authentication request carrying the device registration code
  • the access authentication module is configured to:
  • establish a secure data connection with the IoT device through the TLS/DTLS pre-shared key (PSK) method according to the device registration code carried in the access authentication request;
  • perform one-way or two-way challenge authentication according to the first access key and the second access key.
  • alternatively, the access authentication module is configured to establish a secure data connection with the IoT device in an anonymous way through TLS/DTLS, and then perform one-way or two-way challenge authentication according to the first access key and the second access key.
  • the apparatus further includes:
  • an access authentication identifier generating module configured to generate an access authentication identifier of the IoT device before the authentication request receiving module receives the access authentication request sent by the IoT device;
  • an association relationship establishing module configured to establish an association relationship between the access authentication identifier and the first access key
  • an access authentication identifier providing module configured to provide the access authentication identifier to the Internet of Things device
  • the authentication request receiving module configured to receive the access authentication request carrying the access authentication identifier
  • the access authentication module is configured to query the association relationship according to the access authentication identifier carried in the access authentication request to obtain the first access key, and perform access authentication on the IoT device according to the queried first access key and the second access key.
  • FIG. 10 shows a structural block diagram of an IoT device access authentication apparatus provided by an exemplary embodiment of the present application.
  • the apparatus can be used in an IoT device, implemented as the IoT device itself or as a component within it.
  • the device includes:
  • a first random number obtaining module 1002, configured to obtain a first random number provided by the access cloud platform, where the first random number is generated by the access cloud platform and provided after the access cloud platform obtains, from the device cloud platform of the IoT device, the first access key generated by the device cloud platform from the device key and the first random number; the device key is set in the IoT device and the device cloud platform;
  • a second access key generation module 1003, configured to generate a second access key according to the device key and the first random number;
  • an authentication request sending module 1004, configured to send an access authentication request including the second access key to the access cloud platform, where the access authentication request is used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
  • the apparatus further includes:
  • a second random number generating module configured to generate a second random number before the first random number obtaining module obtains the first random number provided by the access cloud platform;
  • a second random number providing module configured to provide the second random number to the access cloud platform
  • the second access key generation module is configured to encrypt the first random number and the second random number by using the device key to generate the second access key.
  • the apparatus further includes:
  • a first device authentication information generation module, configured to encrypt the second random number with the device key to generate first device authentication information before the first random number obtaining module obtains the first random number provided by the access cloud platform;
  • a first device authentication information providing module configured to provide the first device authentication information to the access cloud platform
  • a first cloud authentication information and third random number acquisition module, configured to acquire, before the second access key generation module generates the second access key according to the device key and the first random number, the first cloud authentication information and the third random number provided by the access cloud platform; the first cloud authentication information is generated by the device cloud platform encrypting the second random number and the third random number with the device key after the device cloud platform passes the authentication of the first device authentication information according to second device authentication information; the second device authentication information is generated by the device cloud platform encrypting the second random number with the device key; the third random number is generated by the device cloud platform;
  • the second access key generation module is configured to generate the second access key according to the device key and the first random number after the first cloud authentication information passes authentication according to second cloud authentication information, where the second cloud authentication information is generated by the IoT device encrypting the second random number and the third random number with the device key.
  • the apparatus further includes:
  • an authentication information and random number acquisition module, configured to acquire, before the second access key generation module generates the second access key according to the device key and the first random number, third cloud authentication information and a third random number provided by the access cloud platform; the third cloud authentication information is generated by the device cloud platform encrypting the second random number with the device key; the third random number is generated by the device cloud platform;
  • the second access key generation module is configured to generate the second access key according to the device key and the first random number after the third cloud authentication information passes authentication according to fourth cloud authentication information, where the fourth cloud authentication information is generated by the IoT device encrypting the second random number with the device key;
  • the device also includes:
  • a fourth device authentication information generating module configured to encrypt the third random number by using the device key to generate fourth device authentication information
  • the authentication request sending module is configured to send the access authentication request including the second access key and the fourth device authentication information to the access cloud platform.
  • the apparatus further includes:
  • a device registration code obtaining module configured to obtain the device registration code provided by the access cloud platform before the authentication request sending module sends the access authentication request including the second access key to the access cloud platform;
  • the authentication request sending module is configured to send the access authentication request including the second access key and the device registration code to the access cloud platform.
  • the apparatus further includes:
  • an access authentication identifier acquiring module, configured to acquire the access authentication identifier of the IoT device provided by the access cloud platform before the authentication request sending module sends the access authentication request including the second access key to the access cloud platform;
  • the authentication request sending module is configured to send the access authentication request including the second access key and the access authentication identifier to the access cloud platform.
  • FIG. 11 shows a structural block diagram of an IoT device access authentication apparatus provided by an exemplary embodiment of the present application.
  • the apparatus can be used in the access cloud platform, implemented as the access cloud platform itself or as a component within it.
  • the device includes:
  • a random number and key generation module 1102 configured to generate a first random number and a first access key
  • a first random number sending module 1103, configured to send the first random number to the device cloud platform corresponding to the IoT device according to the device information of the IoT device;
  • a first encryption key receiving module 1104 configured to receive a first encryption key generated by the device cloud platform by encrypting the first random number with the device key;
  • An encrypted ciphertext obtaining module 1105 configured to encrypt the first access key by using the first encryption key to obtain an encrypted ciphertext
  • a ciphertext and random number providing module 1106, configured to provide the encrypted ciphertext and the first random number to the IoT device;
  • An authentication request receiving module 1107 configured to receive an access authentication request sent by the IoT device, where the access authentication request includes a second access key, and the second access key is the IoT device generated according to the device key, the encrypted ciphertext and the first random number;
  • An access authentication module 1108, configured to perform access authentication on the IoT device according to the first access key and the second access key.
  • the access authentication module is configured to perform data connection establishment authentication on the IoT device according to the first access key and the second access key.
  • the apparatus further includes:
  • a device registration code generating module configured to generate a device registration code before the authentication request receiving module receives the access authentication request sent by the IoT device;
  • a device registration code providing module configured to provide the device registration code to the IoT device
  • the authentication request receiving module configured to receive the access authentication request carrying the device registration code
  • the access authentication module is configured to:
  • establish a secure data connection with the IoT device through the TLS/DTLS pre-shared key (PSK) method according to the device registration code carried in the access authentication request;
  • perform one-way or two-way challenge authentication according to the first access key and the second access key.
  • alternatively, the access authentication module is configured to establish a secure data connection with the IoT device in an anonymous way through TLS/DTLS, and then perform one-way or two-way challenge authentication according to the first access key and the second access key.
  • the apparatus further includes:
  • an access authentication identifier generating module configured to generate an access authentication identifier of the IoT device before the authentication request receiving module receives the access authentication request sent by the IoT device;
  • an association relationship establishing module configured to establish an association relationship between the access authentication identifier and the first access key
  • an access authentication identifier providing module configured to provide the access authentication identifier to the Internet of Things device
  • the authentication request receiving module configured to receive the access authentication request carrying the access authentication identifier
  • the access authentication module is used for,
  • FIG. 12 shows a block diagram of the structure of an IoT device access authentication apparatus provided by an exemplary embodiment of the present application.
  • the apparatus can be used in an IoT device, be implemented as the IoT device, or be implemented as a part of an IoT device.
  • the device includes:
  • a ciphertext and random number acquisition module 1202, configured to acquire the encrypted ciphertext provided by the access cloud platform and the first random number generated by the access cloud platform; the encrypted ciphertext is obtained by the access cloud platform by encrypting the first access key with the first encryption key; the first encryption key is generated by the device cloud platform of the IoT device by encrypting the first random number with the device key; the device key is set in the IoT device and the device cloud platform;
  • a second encryption key generation module 1203, configured to encrypt the first random number with the device key to generate a second encryption key;
  • a second access key obtaining module 1204, configured to decrypt the encrypted ciphertext by using the second encryption key to obtain a second access key;
  • an authentication request sending module 1205, configured to send an access authentication request including the second access key to the access cloud platform, where the access authentication request is used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
  • the apparatus further includes:
  • a device registration code obtaining module configured to obtain the device registration code provided by the access cloud platform before the authentication request sending module sends the access authentication request including the second access key to the access cloud platform;
  • the authentication request sending module is configured to send the access authentication request including the second access key and the device registration code to the access cloud platform.
  • the apparatus further includes:
  • an access authentication identifier acquiring module, configured to acquire the access authentication identifier of the IoT device provided by the access cloud platform before the authentication request sending module sends the access authentication request including the second access key to the access cloud platform;
  • the authentication request sending module is configured to send the access authentication request including the second access key and the access authentication identifier to the access cloud platform.
  • FIG. 13 shows a schematic structural diagram of a computer device (such as an IoT device, an access cloud platform device, or a device cloud platform device) provided by an exemplary embodiment of the present application.
  • the computer device includes: a processor 131, a receiver 132, a transmitter 133, a memory 134 and a bus 135.
  • the processor 131 includes one or more processing cores, and the processor 131 executes various functional applications and information processing by running software programs and modules.
  • the receiver 132 and the transmitter 133 may be implemented as a communication component, which may be a communication chip.
  • the memory 134 is connected to the processor 131 through the bus 135.
  • the memory 134 may be configured to store at least one instruction, and the processor 131 may be configured to execute the at least one instruction to implement the various steps in the above method embodiments.
  • memory 134 may be implemented by any type or combination of volatile or non-volatile storage devices including, but not limited to, magnetic or optical disks, electrically erasable programmable Read Only Memory (Electrically-Erasable Programmable Read Only Memory, EEPROM), Erasable Programmable Read Only Memory (EPROM), Static Random Access Memory (SRAM), Read Only Memory (Read-Only Memory, ROM), magnetic memory, flash memory, programmable read-only memory (Programmable Read-Only Memory, PROM).
  • the computer device includes a processor, a memory, and a transceiver; the transceiver may include a receiver for receiving information and a transmitter for transmitting information.
  • when the computer device is implemented as an access cloud platform device,
  • the processor is configured to acquire device information of the IoT device and to generate a first random number;
  • the transceiver is configured to send the first random number to the device cloud platform according to the device information of the IoT device, and to receive the first access key generated by the device cloud platform through the device key and the first random number; the device key is set in the IoT device and the device cloud platform;
  • the processor is configured to provide the first random number to the IoT device;
  • the transceiver is configured to receive an access authentication request sent by the IoT device, where the access authentication request includes a second access key, and the second access key is generated by the IoT device according to the device key and the first random number;
  • the processor is configured to perform access authentication on the IoT device according to the first access key and the second access key.
  • when the computer device is implemented as an IoT device,
  • the processor is configured to provide device information of the IoT device to the access cloud platform, and to obtain a first random number provided by the access cloud platform, where the first random number is generated by the access cloud platform and provided after the access cloud platform obtains the first access key generated by the device cloud platform of the IoT device through the device key and the first random number; the device key is set in the IoT device and the device cloud platform;
  • the processor is configured to generate a second access key according to the device key and the first random number;
  • the transceiver is configured to send an access authentication request including the second access key to the access cloud platform, where the access authentication request is used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
  • when the computer device is implemented as an access cloud platform device,
  • the processor is configured to acquire device information of the IoT device and to generate a first random number and a first access key;
  • the transceiver is configured to send the first random number to the device cloud platform corresponding to the IoT device according to the device information of the IoT device, and to receive the first encryption key generated by the device cloud platform by encrypting the first random number with the device key;
  • the processor is configured to encrypt the first access key by using the first encryption key to obtain an encrypted ciphertext, and to provide the encrypted ciphertext and the first random number to the IoT device;
  • the transceiver is configured to receive an access authentication request sent by the IoT device, where the access authentication request includes a second access key, and the second access key is generated by the IoT device according to the device key, the encrypted ciphertext and the first random number;
  • the processor is configured to perform access authentication on the IoT device according to the first access key and the second access key.
  • when the computer device is implemented as an IoT device,
  • the processor is configured to provide the device information of the IoT device to the access cloud platform, and to obtain the encrypted ciphertext provided by the access cloud platform and the first random number generated by the access cloud platform; the encrypted ciphertext is obtained by the access cloud platform by encrypting the first access key with the first encryption key; the first encryption key is generated by the device cloud platform of the IoT device by encrypting the first random number with the device key; the device key is set in the IoT device and the device cloud platform;
  • the processor is configured to encrypt the first random number with the device key to generate a second encryption key, and to decrypt the encrypted ciphertext with the second encryption key to obtain a second access key;
  • the transceiver is configured to send an access authentication request including the second access key to the access cloud platform, where the access authentication request is used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
  • the processor and transceiver in the computer device involved in the embodiments of the present application may perform the steps performed by the access cloud platform or the IoT device in any of the methods shown in FIG. 2 to FIG. above; these steps are not repeated here.
  • a computer-readable storage medium is also provided; a computer program is stored in the computer-readable storage medium, and the computer program is loaded and executed by a processor to implement the IoT device access authentication method performed by a computer device as provided by the foregoing method embodiments.
  • a computer program product is also provided which, when running on a processor of a computer device, enables the computer device to execute the IoT device access authentication method described in the above aspects.
  • a chip is also provided; the chip includes a programmable logic circuit and/or program instructions and, when the chip runs on a computer device, is used for implementing the IoT device access authentication method described in the above aspects.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application relates to the field of wireless communications. Disclosed are an Internet of Things device access authentication method and apparatus, a device, and a storage medium. The method comprises: obtaining device information of an Internet of Things device; generating a first random number; sending the first random number to a device cloud platform according to the device information; receiving a first access key generated by the device cloud platform by means of a device key and the first random number; supplying the first random number to the Internet of Things device; receiving an access authentication request sent by the Internet of Things device, the access authentication request comprising a second access key generated by the Internet of Things device according to the device key and the first random number; and performing access authentication on the Internet of Things device according to the first access key and the second access key. In this process it is not necessary to perform a separate identity authentication of the Internet of Things device, so the access authentication procedure is simplified, improving the efficiency of Internet of Things device access authentication while ensuring the security of the access authentication.

Description

IoT device access authentication method, apparatus, device and storage medium
Technical Field
The present application relates to the field of wireless communications, and in particular to an IoT device access authentication method, apparatus, device and storage medium.
Background
In Internet of Things (IoT) technology, IoT devices are usually involved in cross-platform access scenarios, and an access cloud platform needs to issue access keys to the IoT devices.
To ensure the security of access, during each access procedure of an IoT device, before the access cloud platform issues an access key to the IoT device, the IoT device needs to be identity-authenticated at least once, and the access key is issued to the IoT device only after the identity authentication passes.
However, the process in which the access cloud platform performs identity authentication on the IoT device makes the access authentication procedure of the IoT device complicated, which affects the efficiency of IoT device access authentication.
Summary of the Invention
The embodiments of the present application provide an IoT device access authentication method, apparatus, device and storage medium.
In one aspect, an IoT device access authentication method is provided, the method being performed by an access cloud platform and comprising:
obtaining device information of an IoT device;
generating a first random number;
sending the first random number to the device cloud platform according to the device information of the IoT device;
receiving a first access key generated by the device cloud platform by means of a device key and the first random number, the device key being set in the IoT device and in the device cloud platform;
providing the first random number to the IoT device;
receiving an access authentication request sent by the IoT device, the access authentication request including a second access key generated by the IoT device according to the device key and the first random number;
performing access authentication on the IoT device according to the first access key and the second access key.
In one aspect, an IoT device access authentication method is provided, the method being performed by an IoT device and comprising:
providing device information of the IoT device to an access cloud platform;
obtaining a first random number provided by the access cloud platform, the first random number being generated by the access cloud platform and provided after the access cloud platform has obtained a first access key generated by the device cloud platform of the IoT device by means of a device key and the first random number, the device key being set in the IoT device and in the device cloud platform;
generating a second access key according to the device key and the first random number;
sending an access authentication request including the second access key to the access cloud platform, the access authentication request being used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
In one aspect, an IoT device access authentication method is provided, the method being performed by an access cloud platform and comprising:
obtaining device information of an IoT device;
generating a first random number and a first access key;
sending the first random number to the device cloud platform corresponding to the IoT device according to the device information of the IoT device;
receiving a first encryption key generated by the device cloud platform by encrypting the first random number with the device key;
encrypting the first access key with the first encryption key to obtain an encrypted ciphertext;
providing the encrypted ciphertext and the first random number to the IoT device;
receiving an access authentication request sent by the IoT device, the access authentication request including a second access key generated by the IoT device according to the device key, the encrypted ciphertext and the first random number;
performing access authentication on the IoT device according to the first access key and the second access key.
In one aspect, an IoT device access authentication method is provided, the method being performed by an IoT device and comprising:
providing device information of the IoT device to an access cloud platform;
obtaining an encrypted ciphertext provided by the access cloud platform and a first random number generated by the access cloud platform, the encrypted ciphertext being obtained by the access cloud platform by encrypting a first access key with a first encryption key, the first encryption key being generated by the device cloud platform of the IoT device by encrypting the first random number with a device key, and the device key being set in the IoT device and in the device cloud platform;
encrypting the first random number with the device key to generate a second encryption key;
decrypting the encrypted ciphertext with the second encryption key to obtain a second access key;
sending an access authentication request including the second access key to the access cloud platform, the access authentication request being used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
In one aspect, an IoT device access authentication apparatus is provided, the apparatus being used in an access cloud platform and comprising:
a device information obtaining module, configured to obtain device information of an IoT device;
a first random number generating module, configured to generate a first random number;
a first random number sending module, configured to send the first random number to the device cloud platform according to the device information of the IoT device;
a first access key receiving module, configured to receive a first access key generated by the device cloud platform by means of a device key and the first random number, the device key being set in the IoT device and in the device cloud platform;
a first random number providing module, configured to provide the first random number to the IoT device;
an authentication request receiving module, configured to receive an access authentication request sent by the IoT device, the access authentication request including a second access key generated by the IoT device according to the device key and the first random number;
an access authentication module, configured to perform access authentication on the IoT device according to the first access key and the second access key.
In one aspect, an IoT device access authentication apparatus is provided, the apparatus being used in an IoT device and comprising:
a device information providing module, configured to provide device information of the IoT device to an access cloud platform;
a first random number obtaining module, configured to obtain a first random number provided by the access cloud platform, the first random number being generated by the access cloud platform and provided after the access cloud platform has obtained a first access key generated by the device cloud platform of the IoT device by means of a device key and the first random number, the device key being set in the IoT device and in the device cloud platform;
a second access key generating module, configured to generate a second access key according to the device key and the first random number;
an authentication request sending module, configured to send an access authentication request including the second access key to the access cloud platform, the access authentication request being used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
In one aspect, an IoT device access authentication apparatus is provided, the apparatus being used in an access cloud platform and comprising:
a device information obtaining module, configured to obtain device information of an IoT device;
a random number and key generating module, configured to generate a first random number and a first access key;
a first random number sending module, configured to send the first random number to the device cloud platform corresponding to the IoT device according to the device information of the IoT device;
a first encryption key receiving module, configured to receive a first encryption key generated by the device cloud platform by encrypting the first random number with the device key;
an encrypted ciphertext obtaining module, configured to encrypt the first access key with the first encryption key to obtain an encrypted ciphertext;
a ciphertext and random number providing module, configured to provide the encrypted ciphertext and the first random number to the IoT device;
an authentication request receiving module, configured to receive an access authentication request sent by the IoT device, the access authentication request including a second access key generated by the IoT device according to the device key, the encrypted ciphertext and the first random number;
an access authentication module, configured to perform access authentication on the IoT device according to the first access key and the second access key.
In one aspect, an IoT device access authentication apparatus is provided, the apparatus being used in an IoT device and comprising:
a device information providing module, configured to provide device information of the IoT device to an access cloud platform;
a ciphertext and random number obtaining module, configured to obtain an encrypted ciphertext provided by the access cloud platform and a first random number generated by the access cloud platform, the encrypted ciphertext being obtained by the access cloud platform by encrypting a first access key with a first encryption key, the first encryption key being generated by the device cloud platform of the IoT device by encrypting the first random number with a device key, and the device key being set in the IoT device and in the device cloud platform;
a second encryption key generating module, configured to encrypt the first random number with the device key to generate a second encryption key;
a second access key obtaining module, configured to decrypt the encrypted ciphertext with the second encryption key to obtain a second access key;
an authentication request sending module, configured to send an access authentication request including the second access key to the access cloud platform, the access authentication request being used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
In one aspect, an access cloud platform device is provided, the access cloud platform device comprising a processor and a transceiver connected to the processor, wherein
the processor is configured to obtain device information of an IoT device, and to generate a first random number;
the transceiver is configured to send the first random number to the device cloud platform according to the device information of the IoT device, and to receive a first access key generated by the device cloud platform by means of a device key and the first random number, the device key being set in the IoT device and in the device cloud platform;
the processor is configured to provide the first random number to the IoT device;
the transceiver is configured to receive an access authentication request sent by the IoT device, the access authentication request including a second access key generated by the IoT device according to the device key and the first random number;
the processor is configured to perform access authentication on the IoT device according to the first access key and the second access key.
In one aspect, an IoT device is provided, the IoT device comprising a processor and a transceiver connected to the processor, wherein
the processor is configured to provide device information of the IoT device to an access cloud platform, and to obtain a first random number provided by the access cloud platform, the first random number being generated by the access cloud platform and provided after the access cloud platform has obtained a first access key generated by the device cloud platform of the IoT device by means of a device key and the first random number, the device key being set in the IoT device and in the device cloud platform;
the processor is configured to generate a second access key according to the device key and the first random number;
the transceiver is configured to send an access authentication request including the second access key to the access cloud platform, the access authentication request being used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
In one aspect, an access cloud platform device is provided, the access cloud platform device comprising a processor and a transceiver connected to the processor, wherein
the processor is configured to obtain device information of an IoT device, and to generate a first random number and a first access key;
the transceiver is configured to send the first random number to the device cloud platform corresponding to the IoT device according to the device information of the IoT device, and to receive a first encryption key generated by the device cloud platform by encrypting the first random number with the device key;
the processor is configured to encrypt the first access key with the first encryption key to obtain an encrypted ciphertext, and to provide the encrypted ciphertext and the first random number to the IoT device;
the transceiver is configured to receive an access authentication request sent by the IoT device, the access authentication request including a second access key generated by the IoT device according to the device key, the encrypted ciphertext and the first random number;
the processor is configured to perform access authentication on the IoT device according to the first access key and the second access key.
In one aspect, an IoT device is provided, the IoT device including: a processor and a transceiver connected to the processor; wherein,
the processor is configured to provide the device information of the IoT device to the access cloud platform, and to obtain the encrypted ciphertext provided by the access cloud platform and the first random number generated by the access cloud platform; the encrypted ciphertext is obtained by the access cloud platform by encrypting the first access key with a first encryption key; the first encryption key is a key generated by the device cloud platform of the IoT device by encrypting the first random number with a device key; the device key is set in the IoT device and in the device cloud platform;
the processor is configured to encrypt the first random number with the device key to generate a second encryption key, and to decrypt the encrypted ciphertext with the second encryption key to obtain a second access key;
the transceiver is configured to send an access authentication request including the second access key to the access cloud platform, the access authentication request requesting the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
In one aspect, a computer-readable storage medium is provided, the readable storage medium storing a computer program, the computer program being loaded and executed by a processor to implement the IoT device access authentication method described in the above aspects.
According to an aspect of the embodiments of the present application, a chip is provided, the chip including a programmable logic circuit and/or program instructions; when the chip runs on a network device, it is used to implement the IoT device access authentication method described in the above aspects.
According to an aspect of the present application, a computer program product is provided which, when run on a processor of a network device, causes the network device to execute the IoT device access authentication method described in the above aspects.
The technical solutions provided by the embodiments of the present application include at least the following beneficial effects:
A device key is preset in the IoT device and in the device cloud platform. While the IoT device initiates access to the access cloud platform, the access cloud platform obtains, by interacting with the device cloud platform, a first access key, together with a first random number generated by the access cloud platform itself, where the first access key is generated from the device key and the first random number. That is, after the access cloud platform provides the first random number to the IoT device, the IoT device can combine the locally stored device key with the first random number to obtain a second access key for access, and request access authentication from the access cloud platform with the second access key. In this process the access cloud platform never provides the access key to the IoT device directly, yet the IoT device still obtains the access key correctly, which ensures security; at the same time, because the process requires no separate identity authentication of the IoT device, the access authentication process is simplified, so the efficiency of IoT device access authentication is improved while its security is ensured.
Description of drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a block diagram of an access authentication system provided by an exemplary embodiment of the present application;
FIG. 2 is a flowchart of an IoT device access authentication method provided by an exemplary embodiment of the present application;
FIG. 3 is a flowchart of an IoT device access authentication method provided by an exemplary embodiment of the present application;
FIG. 4 is a flowchart of access authentication during the network configuration process in the embodiment shown in FIG. 3;
FIG. 5 is a flowchart of an IoT device access authentication method provided by an exemplary embodiment of the present application;
FIG. 6 is a flowchart of access authentication after network configuration is completed in the embodiment shown in FIG. 5;
FIG. 7 is a flowchart of an IoT device access authentication method provided by an exemplary embodiment of the present application;
FIG. 8 is a flowchart of access authentication during the network configuration process in the embodiment shown in FIG. 7;
FIG. 9 is a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application;
FIG. 10 is a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application;
FIG. 11 is a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application;
FIG. 12 is a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application;
FIG. 13 is a schematic structural diagram of a computer device provided by an exemplary embodiment of the present application.
Detailed description of embodiments
In order to make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application are further described in detail below with reference to the accompanying drawings.
First, the terms involved in the embodiments of the present application are briefly introduced:
1) Soft Access Point (Soft AP).
Soft AP is a technique that implements AP functionality on a non-AP device using dedicated software and a wireless network card. It can replace the AP (Access Point) in a wireless network and so reduce the cost of wireless networking.
The hardware part of a Soft AP is a standard wireless network card which, through its driver, provides the same signal relay, routing and other functions as an AP. Compared with a traditional AP, the cost of a Soft AP is very low. Compared with an ordinary wireless network card, the integrated driver/software of a Soft AP offers great convenience to users new to networking.
2) Soft AP based network configuration.
Network configuration refers to the process in which a device to be connected obtains network access information (such as a network identifier and an access key) and joins the network based on that information.
Soft AP based network configuration refers to the process in which the device to be connected uses its Soft AP function to request network access information and join the network with the help of a configuration device (such as a mobile phone).
3) Scan-code network configuration.
Scan-code network configuration refers to the process in which the device to be connected scans a graphic code (such as a QR code) with an image acquisition component (such as a camera) and decodes it, obtains the network access information carried in the graphic code, and joins the network based on that information.
In IoT technology, because IoT devices usually lack direct and effective means of information input, Soft AP network configuration and scan-code network configuration are important means for IoT devices to access the network.
FIG. 1 shows a block diagram of an access authentication system provided by an exemplary embodiment of the present application. The system may include: an IoT device 12, an access cloud platform 14 and a device cloud platform 16.
The IoT device 12 may be a smart device (such as VR (Virtual Reality) glasses or a smart wearable device), a terminal device, a sensor device, or another device with network access capability; this is not limited in the embodiments of the present application.
In one example, in a smart home setting, the IoT device 12 may be a smart home device such as a smart TV, smart speaker, smart air conditioner, smart light, smart door or window, smart curtain or smart socket. Optionally, there is one IoT device 12 or there are several; this is not limited in the embodiments of the present application. In practice, the number of IoT devices 12 may be determined from the application requirements, the maximum number of devices the access cloud platform 14 can manage, and so on.
The access cloud platform 14 includes an access point device 141 and an access cloud 142.
The access point device 141 provides network access services to the IoT device 12; for example, the access point device 141 may be a wireless router, a wireless gateway device, or the like. In some scenarios the access point device 141 may also be implemented as a terminal device such as a mobile phone, tablet computer or wearable device. Optionally, there may be one access point device 141 or several; this is not limited in the embodiments of the present application. Usually, to save resources and for similar reasons, there is one access point device 141.
The access cloud 142 may be a cloud server of the access point device 141. The access point device 141 and the access cloud 142 are connected through a wired or wireless network.
The IoT device 12 is developed on the basis of the device cloud platform 16.
A communication link exists between the access cloud 142 and the device cloud platform 16. Optionally, the access cloud 142 interacts with the device cloud platform 16 during the access process of the IoT device 12.
The access cloud 142 and the device cloud platform 16 above may be implemented as a cloud computing resource pool in the field of cloud technology, in which multiple types of virtual resources are deployed for external customers to choose and use. A cloud computing resource pool mainly includes computing devices (virtualized machines, including an operating system), storage devices and network devices. It may be an independent physical server, a server cluster or distributed system made up of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, a Content Delivery Network (CDN), and big data and artificial intelligence platforms.
In a possible implementation, the system may further include a configuration device 18, and the access cloud 142 and the configuration device 18 are connected through a wired or wireless network. The configuration device 18 is a device operated by the user to control the network configuration process of the IoT device 12. The configuration device 18 may be implemented as a terminal device such as a mobile phone, tablet computer or wearable device.
FIG. 2 shows a flowchart of an IoT device access authentication method provided by an exemplary embodiment of the present application. The method may be applied in the access authentication system shown in FIG. 1 and is executed interactively by the IoT device 12, the access cloud platform 14 and the device cloud platform 16. The method may include the following steps:
Step 201: the IoT device provides its device information to the access cloud platform; correspondingly, the access cloud platform obtains the device information of the IoT device.
The device information includes a device identifier (ID) of the IoT device, for example the Media Access Control (MAC) address of the IoT device.
The device information may further include indication information of the device cloud platform corresponding to the IoT device; for example, the device information may also include the manufacturer information of the IoT device, or the address of the device cloud platform, and so on.
In a possible implementation of the embodiments of the present application, the IoT device may provide its device information to the access cloud platform through the configuration terminal during the network configuration process. For example, the IoT device provides its device information to the access cloud platform through the configuration terminal in the Soft AP or scan-code network configuration mode.
In a possible implementation of the embodiments of the present application, the IoT device may send its device information directly to the access cloud platform after network configuration is completed.
Step 202: the access cloud platform, according to the device information of the IoT device, performs a key generation interaction with the device cloud platform corresponding to the IoT device and obtains a first access key and key indication information; the first access key and the key indication information are associated through a device key, and the device key is set in the IoT device and in the device cloud platform.
In the embodiments of the present application, the device cloud platform and the IoT device each store the same device key. When the access cloud platform assigns an access key to the IoT device, it interacts with the device cloud; in this process, besides generating the first access key, it also obtains key indication information, and the first access key and the key indication information are associated through the device key. That is, encrypting or decrypting the key indication information with the device key yields the first access key.
Step 203: the access cloud platform provides the key indication information to the IoT device; correspondingly, the IoT device obtains the key indication information provided by the access cloud platform.
In the embodiments of the present application, the device cloud platform provides key indication information to the IoT device rather than providing the access key directly.
For example, in a possible implementation of the embodiments of the present application, during the network configuration process of the IoT device, the access cloud platform provides the key indication information to the IoT device through the configuration terminal. For example, the access cloud platform provides the key indication information to the IoT device through the configuration terminal in the Soft AP or scan-code network configuration mode.
In a possible implementation of the embodiments of the present application, after the IoT device completes network configuration, the access cloud platform may send the key indication information directly to the IoT device.
Step 204: the IoT device generates a second access key according to the device key and the key indication information.
Because the key indication information and the first access key are associated through the device key, once the IoT device has obtained the key indication information it can encrypt or decrypt the key indication information with the device key, and the result of that encryption or decryption is the second access key.
Step 205: the IoT device sends an access authentication request including the second access key to the access cloud platform; correspondingly, the access cloud platform receives the access authentication request sent by the IoT device.
Step 206: the access cloud platform performs access authentication on the IoT device according to the first access key and the second access key.
In summary, in the solution shown in the embodiments of the present application, a device key is preset in the IoT device and in the device cloud platform. While the IoT device initiates access to the access cloud platform, the access cloud platform obtains a first access key and key indication information by interacting with the device cloud platform, where the first access key and the key indication information are associated through the device key. That is, after the access cloud platform provides the key indication information to the IoT device, the IoT device can combine the locally stored device key with the key indication information to obtain a second access key for access, and request access authentication from the access cloud platform with the second access key. In this process the access cloud platform never provides the access key to the IoT device directly, yet the IoT device still obtains the access key correctly, which ensures security; at the same time, because the process requires no identity authentication of the IoT device, the access authentication process is simplified, so the efficiency of IoT device access authentication is improved while its security is ensured.
In a possible implementation, when the solution of the embodiment shown in FIG. 2 is applied during the network configuration of the IoT device or after network configuration is completed, the first access key may be generated by the device cloud platform, and the key indication information includes a first random number generated by the access cloud platform.
In this case, the access cloud platform obtains the device information of the IoT device; generates a first random number; sends the first random number to the device cloud platform according to the device information of the IoT device; receives a first access key generated by the device cloud platform from the device key and the first random number, the device key being set in the IoT device and in the device cloud platform; provides the first random number to the IoT device; receives an access authentication request sent by the IoT device, the access authentication request including a second access key generated by the IoT device from the device key and the first random number; and performs access authentication on the IoT device according to the first access key and the second access key.
Correspondingly, the IoT device provides its device information to the access cloud platform; obtains the first random number provided by the access cloud platform, the first random number being generated by the access cloud platform and provided after the access cloud platform has obtained the first access key generated by the device cloud platform of the IoT device from the device key and the first random number, the device key being set in the IoT device and in the device cloud platform; generates a second access key from the device key and the first random number; and sends an access authentication request including the second access key to the access cloud platform, the access authentication request requesting the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
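The random-number variant just described, simulated end to end as an added example (this is not code from the patent, whose text fixes no concrete primitives): the three platforms are plain Python objects, "encrypting the first random number with the device key" is modelled with HMAC-SHA256, and the access authentication identifier is an assumed random token that keys the access cloud platform's association table. The final comparison is constant-time and consumes the table entry, so a captured exchange cannot be replayed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def derive_access_key(device_key: bytes, first_random: bytes) -> bytes:
    """Stand-in for "encrypt the first random number with the device key".
    Assumption: HMAC-SHA256 as a keyed one-way function. The device cloud
    (step 304) and the IoT device (step 204) both run it; the access cloud
    never holds the device key, so it cannot.
    """
    return hmac.new(device_key, first_random, hashlib.sha256).digest()


class DeviceCloudPlatform:
    """Vendor cloud holding device_id -> factory-provisioned device key."""

    def __init__(self) -> None:
        self._device_keys: Dict[str, bytes] = {}

    def provision(self, device_id: str, device_key: bytes) -> None:
        self._device_keys[device_id] = device_key

    def first_access_key(self, device_id: str, first_random: bytes) -> Optional[bytes]:
        """Steps 303-305: derive the first access key; None for unknown devices."""
        device_key = self._device_keys.get(device_id)
        if device_key is None:
            return None
        return derive_access_key(device_key, first_random)


class AccessCloudPlatform:
    """Access cloud: generates the random number and keeps the association table."""

    def __init__(self, device_cloud: DeviceCloudPlatform) -> None:
        self._device_cloud = device_cloud
        # access authentication identifier -> first access key (step 305 table)
        self._pending: Dict[str, bytes] = {}

    def begin_access(self, device_info: Dict[str, str]) -> Optional[Tuple[str, bytes]]:
        """Steps 302-306. Returns (auth_id, first_random) to hand to the device,
        or None when the device cloud does not know the device. Only the
        identifier and the random number leave this platform; the first
        access key itself is never sent to the IoT device.
        """
        first_random = secrets.token_bytes(16)                      # step 302
        first_key = self._device_cloud.first_access_key(            # steps 303-305
            device_info["id"], first_random)
        if first_key is None:
            return None
        auth_id = secrets.token_hex(8)                               # assumed format
        self._pending[auth_id] = first_key
        return auth_id, first_random                                 # step 306

    def authenticate(self, auth_id: str, second_access_key: bytes) -> bool:
        """Step 206: compare first and second access key in constant time.
        The table entry is consumed, so a captured (auth_id, key) pair
        cannot be replayed against a later exchange.
        """
        first_key = self._pending.pop(auth_id, None)
        if first_key is None:
            return False
        return hmac.compare_digest(first_key, second_access_key)


class IoTDevice:
    """Device carrying its factory-provisioned device key."""

    def __init__(self, device_id: str, device_key: bytes) -> None:
        self.device_id = device_id
        self._device_key = device_key

    def device_info(self) -> Dict[str, str]:
        # Step 201: device identifier plus a hint locating its device cloud.
        return {"id": self.device_id, "vendor": "example-vendor"}  # constructed

    def second_access_key(self, first_random: bytes) -> bytes:
        # Step 204: same derivation as the device cloud, from the local key.
        return derive_access_key(self._device_key, first_random)


def run_access_authentication(device: IoTDevice, cloud: AccessCloudPlatform) -> bool:
    """One complete exchange (steps 201-206); True when access is granted."""
    offer = cloud.begin_access(device.device_info())
    if offer is None:
        return False
    auth_id, first_random = offer
    return cloud.authenticate(auth_id, device.second_access_key(first_random))


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed device key
    vendor_cloud = DeviceCloudPlatform()
    vendor_cloud.provision("AA:BB:CC:00:11:22", key)
    access_cloud = AccessCloudPlatform(vendor_cloud)
    print(run_access_authentication(IoTDevice("AA:BB:CC:00:11:22", key), access_cloud))
```

A device whose key does not match the one the vendor provisioned, or a device the vendor cloud has never heard of, is refused without the access cloud ever learning a device key.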
The access authentication process in this case is described below by way of example.
FIG. 3 shows a flowchart of an IoT device access authentication method provided by an exemplary embodiment of the present application. The method may be applied in the access authentication system shown in FIG. 1 and is executed interactively by the IoT device 12, the access cloud platform 14 and the device cloud platform 16. The method may include the following steps:
Step 301: the IoT device provides its device information to the access cloud platform; correspondingly, the access cloud platform obtains the device information of the IoT device.
In the embodiments of the present application, when the IoT device needs to perform network configuration, it may provide its device information to the access cloud platform.
The device information includes a device identifier (ID) of the IoT device, for example the Media Access Control (MAC) address of the IoT device.
The device information may further include indication information of the device cloud platform corresponding to the IoT device; for example, the device information may also include the manufacturer information of the IoT device, or the address of the device cloud platform, and so on.
In a possible implementation of the embodiments of the present application, the IoT device may provide its device information to the access cloud platform through the configuration terminal during the network configuration process. For example, the IoT device provides its device information to the access cloud platform through the configuration terminal in the Soft AP or scan-code network configuration mode.
In a possible implementation of the embodiments of the present application, the IoT device may send its device information directly to the access cloud platform after network configuration is completed.
Step 302: the access cloud platform generates a first random number.
The first random number serves as the key indication information.
In the embodiments of the present application, the access cloud platform generates the first random number corresponding to the IoT device with a preset random number generation algorithm.
In a possible implementation, the access cloud platform also generates an access authentication identifier for the IoT device.
In the embodiments of the present application, after the access cloud platform obtains the device information of the IoT device, it may generate an access authentication identifier for the IoT device; the access authentication identifier is used to identify the IoT device when it initiates access.
In a possible implementation, the access cloud platform also generates a device registration code for the IoT device.
In the embodiments of the present application, the access cloud platform may also generate a corresponding device registration code for the IoT device; the device registration code serves as additional or auxiliary access authentication information when the IoT device initiates access.
Step 303: the access cloud platform sends the first random number to the device cloud platform according to the device information of the IoT device; correspondingly, the device cloud platform receives the first random number.
The access cloud platform may determine the device cloud platform corresponding to the IoT device from the device information of the IoT device, and send the first random number to the determined device cloud platform.
For example, when the device information of the IoT device includes the device manufacturer information of the IoT device, the access cloud platform may use the manufacturer information to determine the address/interface of the device cloud platform corresponding to the IoT device (for example, by looking up the address/interface of the device cloud platform in a table keyed by manufacturer information), and send the first random number to the device cloud platform through the determined address/interface.
Step 304: the device cloud platform generates a first access key from the device key of the IoT device and the first random number.
In a possible implementation, the device cloud platform encrypts the first random number with the device key corresponding to the IoT device to generate the first access key.
In the embodiments of the present application, the device manufacturer may preset a device key for the IoT device; the device key is set in the IoT device before it leaves the factory, and the device manufacturer also stores the device key of the IoT device in the device cloud platform corresponding to the IoT device, for example by storing in the device cloud platform the correspondence between the device identifier (such as the MAC address) of the IoT device and the device key.
Step 305: the device cloud platform returns the first access key to the access cloud platform, and the access cloud platform receives the first access key.
That is, the access cloud platform receives the first access key generated by the device cloud platform by encrypting the first random number with the device key.
In a possible implementation, the access cloud platform also establishes an association between the access authentication identifier and the first access key.
For example, the access cloud platform may maintain an association table between access authentication identifiers and access keys. Whenever the access cloud platform generates an access authentication identifier for an IoT device and obtains the first access key, it stores the access authentication identifier and the first access key of that IoT device as a pair in the association table, for lookup in the subsequent access authentication process.
Step 306: the access cloud platform provides the first random number to the IoT device; correspondingly, the IoT device obtains the first random number provided by the access cloud platform.
In the embodiments of the present application, the access cloud platform delivers to the IoT device key indication information from which the access key can only be obtained by processing with the device key, rather than delivering the access key directly, which secures the key delivery.
In a possible implementation, the access cloud platform also provides the access authentication identifier to the IoT device; correspondingly, the IoT device obtains the access authentication identifier provided by the access cloud platform.
In a possible implementation, the access cloud platform also provides the device registration code to the IoT device; correspondingly, the IoT device obtains the device registration code provided by the access cloud platform.
在一种可能的实现方式中,接入云平台还将接入认证标识和设备注册码一起提供给物联网设备;相应的,物联网设备获取接入云平台提供的该接入认证标识和设备注册码。In a possible implementation manner, the access cloud platform also provides the access authentication identifier and the device registration code to the IoT device; correspondingly, the IoT device obtains the access authentication identifier and device provided by the access cloud platform registration code.
步骤307,物联网设备通过设备密钥以及第一随机数,生成第二接入密钥。Step 307, the IoT device generates a second access key by using the device key and the first random number.
在一种可能的实现方式中,物联网设备通过设备密钥对第一随机数进行加密,生成第二接入密钥。In a possible implementation manner, the IoT device encrypts the first random number with the device key to generate the second access key.
在本申请实施例中,物联网设备获取到接入云平台发送的密钥指示信息(即上述第一随机数)之后,即可以根据自身存储的设备密钥,对该第一随机数进行加密,得到第二接入密钥。In this embodiment of the present application, after the IoT device obtains the key indication information sent by the access cloud platform (that is, the above-mentioned first random number), it can encrypt the first random number according to the device key stored by itself. to obtain the second access key.
在一种可能的实现方式中,设备云平台对第一随机数进行加密得到第一接入密钥所使用的加密算法,与物联网设备通过设备密钥对第一随机数进行加密得到第二接入密钥所使用的加密算法相同。In a possible implementation manner, the device cloud platform encrypts the first random number to obtain the encryption algorithm used for the first access key, and the IoT device encrypts the first random number with the device key to obtain the second encryption algorithm. The encryption algorithm used for the access key is the same.
在本申请实施例中,由于物联网设备需要本地存储的设备密钥对密钥指示信息进行处理才能得到接入密钥,也就是只有特定身份的物联网设备才能得到正确的接入密钥,从而在不需要额外的身份验证流程的情况下实现接入密钥分发过程中的身份认证,从而保证了密钥分发的安全性,同时减少了身份验证的复杂流程。In the embodiment of the present application, because the IoT device needs the locally stored device key to process the key indication information to obtain the access key, that is, only the IoT device with a specific identity can obtain the correct access key, Therefore, the identity authentication in the access key distribution process is realized without the need for an additional authentication process, thereby ensuring the security of the key distribution and reducing the complex process of authentication.
步骤308,物联网设备向接入云平台发送包含第二接入密钥的接入认证请求;相应的,接入云平台接收该物联网设备发送的该接入认证请求。Step 308, the IoT device sends an access authentication request including the second access key to the access cloud platform; correspondingly, the access cloud platform receives the access authentication request sent by the IoT device.
在一种可能的实现方式中,接入云平台向接入云平台发送包含第二接入密钥以及接入认证标识的接入认证请求。In a possible implementation manner, the access cloud platform sends an access authentication request including the second access key and the access authentication identifier to the access cloud platform.
在一种可能的实现方式中,接入云平台向接入云平台发送包含第二接入密钥以及设备注册码的接入认证请求。In a possible implementation manner, the access cloud platform sends an access authentication request including the second access key and the device registration code to the access cloud platform.
在一种可能的实现方式中,接入云平台向接入云平台发送包含第二接入密钥、接入认证标识以及设备注册码的接入认证请求。In a possible implementation manner, the access cloud platform sends an access authentication request including the second access key, the access authentication identifier and the device registration code to the access cloud platform.
步骤309,接入云平台根据该第一接入密钥与该第二接入密钥,对该物联网设备进行接入认证。Step 309, the access cloud platform performs access authentication on the IoT device according to the first access key and the second access key.
在一种可能的实现方式中,接入云平台根据第一接入密钥与第二接入密钥,通过建立传输层安全协议(Transport Layer Security,TLS)/数据包传输层安全协议(Datagram Transport Layer Security,DTLS)预共享密钥(Pre-Shared Key,PSK)方式对物联网设备进行数据连接建立认证。In a possible implementation manner, the access cloud platform establishes a Transport Layer Security (Transport Layer Security, TLS)/Datagram Transport Layer Security (Datagram) protocol according to the first access key and the second access key. Transport Layer Security, DTLS) pre-shared key (Pre-Shared Key, PSK) method to establish and authenticate the data connection of IoT devices.
在本申请实施例中,接入云平台接收到物联网设备发送的接入认证请求后,可以将请求中的第二接入密钥作为PSK,与第一接入密钥进行匹配,若两者匹配,则确认接入认证成功,建立TLS/DTLS连接。In this embodiment of the present application, after receiving the access authentication request sent by the IoT device, the access cloud platform can use the second access key in the request as the PSK to match the first access key. If they match, the access authentication is confirmed to be successful, and a TLS/DTLS connection is established.
在一种可能的实现方式中,接入云平台根据接入认证请求中携带的接入认证标识查询上述关联关系,获得第一接入密钥;并根据查询到的第一接入密钥与第二接入密钥,对物联网设备进行接入认证。In a possible implementation manner, the access cloud platform queries the above association relationship according to the access authentication identifier carried in the access authentication request, and obtains the first access key; and according to the queried first access key and the The second access key is used to authenticate the access of the IoT device.
在一种可能的实现方式中,接入云平台根据接入认证请求中携带的设备注册码,通过TLS/DTLS预共享密钥PSK方式,与物联网设备建立安全数据连接;并根据第一接入密钥与第二接入密钥,进行单向或双向挑战认证。In a possible implementation manner, the access cloud platform establishes a secure data connection with the IoT device through the TLS/DTLS pre-shared key PSK method according to the device registration code carried in the access authentication request; The access key and the second access key are used for one-way or two-way challenge authentication.
比如,物联网设备发送随机值S1和使用第二接入密钥生成的验证值X1给接入云平台,接入云平台使用第一接入密钥和随机值S1生成验证值X2,并与X1比对;同时,接入云平台发送随机值S2和用第一接入密钥生成的验证值X3给物联网设备,物联网设备使用第二接入密钥和随机值S2生成验证值X4来与X3比对。For example, the IoT device sends the random value S1 and the verification value X1 generated by using the second access key to the access cloud platform, and the access cloud platform uses the first access key and the random value S1 to generate the verification value X2, and the verification value X2 is generated with the first access key and the random value S1. X1 is compared; at the same time, the access cloud platform sends the random value S2 and the verification value X3 generated with the first access key to the IoT device, and the IoT device uses the second access key and the random value S2 to generate the verification value X4 Come and compare with X3.
在另一种可能的实现方式中,接入云平台通过TLS/DTLS匿名方式与物联网设备建立安全数据连接;并根据第一接入密钥与第二接入密钥,进行单向或双向挑战认证。In another possible implementation manner, the access cloud platform establishes a secure data connection with the IoT device in an anonymous way through TLS/DTLS; Challenge authentication.
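The following is an added simulation of steps 304 to 309 (it is example code written for this page, not code from the patent or from its assignee). It assumes that the "predefined key generation algorithm" is instantiated as HMAC-SHA256 keyed with the device key K, that the verification values X1 to X4 of the challenge exchange are HMAC-SHA256 over the challenge under the access key, and that the access cloud platform keeps its association table as an in-memory dict indexed by ID2; the device identifier ID1 and all random values are constructed. The device cloud platform is the only party that ever touches K, the access cloud platform only ever holds K1, and the device receives R1 rather than a key; running the flow with a wrong device key shows every check failing.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def derive_access_key(device_key: bytes, r1: bytes) -> bytes:
    """S1 instantiated as HMAC-SHA256(K, R1) (an assumption; AES-256-CMAC or PBKDF would also fit)."""
    return hmac.new(device_key, r1, hashlib.sha256).digest()


def verification_value(access_key: bytes, challenge: bytes) -> bytes:
    """Verification value X over a challenge S under an access key (assumed HMAC-SHA256)."""
    return hmac.new(access_key, challenge, hashlib.sha256).digest()


class DeviceCloud:
    """Manufacturer's device cloud platform: holds the factory table ID1 -> K."""

    def __init__(self) -> None:
        self._keys = {}

    def provision(self, id1: bytes, k: bytes) -> None:
        self._keys[id1] = k

    def make_k1(self, id1: bytes, r1: bytes) -> bytes:
        # S48/S49: look up K by ID1 and derive K1 from R1; K itself never leaves here.
        return derive_access_key(self._keys[id1], r1)


class AccessCloud:
    """Access cloud platform: never sees K, only K1, and hands the device R1 (not K1)."""

    def __init__(self, device_cloud: DeviceCloud) -> None:
        self.device_cloud = device_cloud
        self._k1_by_id2 = {}  # association table ID2 -> K1 (step 305)

    def start_access(self, id1: bytes):
        # S45-S411: assign ID2, draw R1, obtain K1 from the device cloud, remember it.
        id2 = hashlib.sha256(b"id2|" + id1).hexdigest()[:16]
        r1 = secrets.token_bytes(16)
        self._k1_by_id2[id2] = self.device_cloud.make_k1(id1, r1)
        return id2, r1  # key indication information R1, never the key

    def authenticate_psk(self, id2: str, k1_prime: bytes) -> bool:
        # Step 309 / S414: the presented K1' must equal the K1 indexed by ID2.
        k1 = self._k1_by_id2.get(id2)
        return k1 is not None and hmac.compare_digest(k1, k1_prime)

    def challenge_step(self, id2: str, s1: bytes, x1: bytes):
        # S415 two-way challenge: check X1 against X2 = f(K1, S1), then issue S2 and X3.
        k1 = self._k1_by_id2.get(id2)
        if k1 is None or not hmac.compare_digest(verification_value(k1, s1), x1):
            return None
        s2 = secrets.token_bytes(16)
        return s2, verification_value(k1, s2)


class IoTDevice:
    def __init__(self, id1: bytes, k: bytes) -> None:
        self.id1 = id1
        self._k = k  # preset before the device leaves the factory

    def derive_k1_prime(self, r1: bytes) -> bytes:
        # S413: same algorithm S1 as the device cloud, so K1' == K1 exactly when K matches.
        return derive_access_key(self._k, r1)


def run_flow(device_key_override: Optional[bytes] = None) -> dict:
    """Run the whole exchange; pass a wrong K for the device to see every check fail."""
    factory_k = secrets.token_bytes(32)
    id1 = bytes.fromhex("0011223344aa")  # constructed MAC-style ID1
    device_cloud = DeviceCloud()
    device_cloud.provision(id1, factory_k)
    access_cloud = AccessCloud(device_cloud)
    device = IoTDevice(id1, factory_k if device_key_override is None else device_key_override)

    id2, r1 = access_cloud.start_access(id1)  # relayed via the provisioning device
    k1_prime = device.derive_k1_prime(r1)
    psk_ok = access_cloud.authenticate_psk(id2, k1_prime)

    s1 = secrets.token_bytes(16)  # device -> cloud: S1 and X1
    reply = access_cloud.challenge_step(id2, s1, verification_value(k1_prime, s1))
    cloud_verified_device = reply is not None
    # device recomputes X4 from S2 with K1' and compares it with X3
    device_verified_cloud = cloud_verified_device and hmac.compare_digest(
        verification_value(k1_prime, reply[0]), reply[1]
    )
    return {
        "psk": psk_ok,
        "cloud_verified_device": cloud_verified_device,
        "device_verified_cloud": device_verified_cloud,
    }


if __name__ == "__main__":
    print(run_flow())              # all True
    print(run_flow(b"\x00" * 32))  # all False: a wrong K yields a wrong K1'
```

The `hmac.compare_digest` calls matter in practice: the access cloud compares a secret it holds (K1) against attacker-influenced input, and a plain `==` on bytes would leak timing. Note also that the simulation uses a keyed MAC rather than a block cipher for "encrypting" R1, which is what an access key derived from a random nonce actually needs; the patent lists AES-CMAC and HMAC-based KDFs as acceptable instantiations of S1.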
Please refer to FIG. 4, which shows a flowchart of access authentication during the network provisioning process involved in the embodiment of the present application. As shown in FIG. 4, the access authentication process of the IoT device is as follows:
S41, the IoT device broadcasts a beacon frame or displays a QR code; the provisioning device obtains the device information of the IoT device through Soft AP discovery or by scanning the code.
For example, the provisioning device may receive the beacon frame broadcast by the IoT device by means of Soft AP discovery and parse the Service Set Identifier (SSID)/Basic Service Set Identifier (BSSID)/vendor-defined Information Element (IE) in the beacon frame to obtain the device information of the IoT device, for example, the MAC address of the IoT device (denoted ID1, corresponding to the device identifier in the above embodiment) and the device manufacturer information of the IoT device.
Alternatively, the provisioning device scans the QR code on the IoT device with a camera (the code may be presented on a physical label or on a display screen) and decodes it to obtain the above-mentioned device information of the IoT device.
S42, the provisioning device establishes a secure connection with the access cloud platform.
S43, the provisioning device sends the above device information of the IoT device, such as ID1 and the device manufacturer information, to the access cloud platform.
S44, the access cloud platform determines the device cloud platform according to the device manufacturer information.
S45, the access cloud platform generates, according to ID1, an ID2 assigned to the IoT device (corresponding to the above access authentication identifier) and a random number R1 (corresponding to the above first random number). In a possible implementation manner, the access cloud platform also assigns a device registration code A1 to the IoT device.
S46, the access cloud platform establishes a secure connection with the device cloud platform.
S47, the access cloud platform sends ID1 and R1 to the device cloud platform.
S48, the device cloud platform obtains the key K of the IoT device (corresponding to the above device key) according to ID1.
S49, the device cloud platform encrypts R1 with K to generate K1 (corresponding to the above first access key).
S410, the device cloud platform returns K1 to the access cloud platform.
S411, the access cloud platform returns ID2 and the random number R1 to the provisioning device. In a possible implementation manner, the access cloud platform also returns A1 to the provisioning device.
S412, the IoT device obtains ID2, R1, the network information and the access cloud platform address through Soft AP discovery or by scanning a code; in a possible implementation manner, the IoT device also obtains A1 through Soft AP discovery or by scanning a code.
For example, a Soft AP-based connection is established between the provisioning terminal and the IoT device, and the provisioning terminal sends the above ID2, R1, network information and access cloud platform address (optionally including A1) to the IoT device.
Alternatively, the provisioning terminal generates and displays a QR code based on the above ID2, R1, network information and access cloud platform address (optionally including A1), and the IoT device scans the QR code to obtain ID2, R1, the network information, the access cloud platform address (optionally including A1) and other information.
S413, the IoT device encrypts R1 with the locally stored K to obtain K1' (corresponding to the above second access key).
S414, the IoT device uses K1' as the key to establish a TLS/DTLS connection with the access cloud platform in PSK mode.
Optionally, when the IoT device has obtained A1, the IoT device may also perform the following step S415.
S415, the IoT device uses A1 as the key to establish a TLS/DTLS connection with the access cloud platform in PSK mode, and uses K1' as the key to perform one-way or two-way challenge authentication with the access cloud platform.
In the solution shown in FIG. 4 above, the IoT device manufacturer assigns a unique key K to each device (identified by the device ID1) and presets the key K into the corresponding device; the key K and the ID1 of the corresponding device are stored in the device cloud platform of the device manufacturer.
The access cloud platform obtains the device ID1 from the device. The access cloud platform generates ID2 for the device according to the device ID1, as well as a random value R1 (the access cloud platform needs to store R1 together with the ID2 of the corresponding device). The access cloud platform sends the aforementioned ID1 and R1 to the device cloud platform.
The device cloud platform generates the key K1 as follows: a predefined key generation algorithm S1 is applied to R1 under the key K to obtain K1, for example an Advanced Encryption Standard (AES)-256 cipher-based message authentication code (CMAC) algorithm, a key derivation function (KDF) based on HMAC (where HMAC refers to a hash-based message authentication code (MAC) algorithm), or a password-based key derivation function (PBKDF) algorithm.
The device cloud platform returns K1 to the access cloud platform. The access cloud platform returns ID2 and R1 to the device through the provisioning terminal.
The device applies the predefined key generation algorithm S1 to R1 under K to obtain K1' (identical to K1). An intermediate node (for example, the provisioning terminal) does not have K and therefore cannot obtain K1, which prevents key leakage if the provisioning terminal is compromised or hijacked.
In a possible implementation manner, the device uses K1' as the pre-shared key to establish a TLS/DTLS connection with the mobile-phone cloud platform in PSK mode. ID2 is used to uniquely identify the device on the access cloud platform and to index K1.
In another possible implementation manner, the provisioning device delivers the network information, ID2, R1, the device registration code A1 and the access cloud address to the IoT device. Each time the IoT device connects to the above access cloud platform, it uses TLS/DTLS, with the device registration code as the pre-shared key or with anonymous negotiation of the communication key, to establish a secure connection, and then uses K1 as the key to perform one-way or two-way challenge authentication with the mobile-phone cloud platform.
To sum up, in the solution shown in the embodiment of the present application, the device key is preset in both the IoT device and the device cloud platform. When the IoT device initiates access to the access cloud platform, the access cloud platform interacts with the device cloud platform to obtain the first access key, in addition to the first random number it generated itself, where the first access key is generated from the device key and the first random number. That is, after the access cloud platform provides the first random number to the IoT device, the IoT device can combine its locally stored device key with the first random number to obtain the second access key used for access, and request access authentication from the access cloud platform with the second access key. In this process the access cloud platform never provides the access key directly to the IoT device, yet the IoT device still obtains the access key correctly, which ensures security; at the same time, because no separate identity authentication of the IoT device is required in this process, the access authentication process is simplified, improving the efficiency of IoT device access authentication while ensuring its security.
Based on the solution shown in FIG. 3 above, in a possible implementation manner, when the solution of the present application is applied after network provisioning of the IoT device has been completed, the above first access key may be generated by the device cloud platform, and the above key indication information includes the first random number generated by the access cloud platform. To improve security, the above first access key may be generated based on the first random number and a second random number assigned by the IoT device itself.
The access authentication process in this case is described below by way of example.
FIG. 5 shows a flowchart of an IoT device access authentication method provided by an exemplary embodiment of the present application. The method may be applied to the access authentication system shown in FIG. 1 and is executed interactively by the IoT device 12, the access cloud platform 14 and the device cloud platform 16; the method may include the following steps:
Step 501, the IoT device generates a second random number.
In a possible implementation manner, the IoT device further encrypts the second random number with the device key to generate first device authentication information.
In the embodiment of the present application, to further improve the security of access key distribution, the IoT device, in addition to providing the second random number, also encrypts the second random number with the device key to obtain first device authentication information, which the device cloud platform subsequently uses to authenticate the IoT device.
Step 502, the IoT device provides the second random number and the device information of the IoT device to the access cloud platform; correspondingly, the access cloud platform obtains the second random number and the device information of the IoT device.
In a possible implementation manner, the access cloud platform further obtains the first device authentication information provided by the IoT device.
Step 503, the access cloud platform generates a first random number.
The first random number serves as the key indication information.
In a possible implementation manner, the access cloud platform also generates an access authentication identifier for the IoT device.
In a possible implementation manner, the access cloud platform also generates a device registration code for the IoT device.
Step 504, the access cloud platform sends the first random number and the second random number to the device cloud platform according to the device information of the IoT device; correspondingly, the device cloud platform receives the first random number and the second random number.
In a possible implementation manner, the access cloud platform sends the first random number, the second random number and the first device authentication information to the device cloud platform; correspondingly, the device cloud platform receives the first random number, the second random number and the first device authentication information.
Step 505, the device cloud platform encrypts the first random number and the second random number with the device key corresponding to the IoT device to generate the first access key.
In a possible implementation manner, the device cloud platform encrypts the second random number with the device key to generate second device authentication information and uses the second device authentication information to authenticate the first device authentication information; after the first device authentication information passes authentication against the second device authentication information, the device cloud platform generates a third random number and encrypts the second random number and the third random number with the device key to generate first cloud authentication information.
Step 506, the device cloud platform returns the first access key to the access cloud platform, and the access cloud platform receives the first access key.
In a possible implementation manner, the access cloud platform receives the first access key, the first cloud authentication information and the third random number sent by the device cloud platform after the first device authentication information has passed authentication against the second device authentication information.
The second device authentication information is generated by the device cloud platform by encrypting the second random number with the device key; the first cloud authentication information is generated by the device cloud platform by encrypting the second random number and the third random number with the device key; the third random number is generated by the device cloud platform.
In a possible implementation manner, the access cloud platform further establishes an association between the above-mentioned access authentication identifier and the first access key.
Step 507, the access cloud platform provides the first random number to the IoT device; correspondingly, the IoT device obtains the first random number provided by the access cloud platform.
In a possible implementation manner, the access cloud platform further provides the first cloud authentication information and the third random number to the IoT device.
In a possible implementation manner, the access cloud platform also provides the access authentication identifier to the IoT device; correspondingly, the IoT device obtains the access authentication identifier provided by the access cloud platform.
In a possible implementation manner, the access cloud platform also provides the device registration code to the IoT device; correspondingly, the IoT device obtains the device registration code provided by the access cloud platform.
In a possible implementation manner, the access cloud platform provides the access authentication identifier and the device registration code together to the IoT device; correspondingly, the IoT device obtains the access authentication identifier and the device registration code provided by the access cloud platform.
Step 508, the IoT device encrypts the first random number and the second random number with the device key to generate the second access key.
In a possible implementation manner, the IoT device encrypts the second random number and the third random number with the device key to generate second cloud authentication information; after the first cloud authentication information passes authentication against the second cloud authentication information, the IoT device generates the second access key according to the device key and the key indication information.
The algorithm used by the IoT device to encrypt the second random number and the third random number with the device key is the same as the algorithm used by the device cloud platform to encrypt the second random number and the third random number with the device key; correspondingly, the algorithm used by the IoT device to encrypt the first random number and the second random number with the device key is the same as the algorithm used by the device cloud platform to encrypt the first random number and the second random number with the device key.
Step 509, the IoT device sends an access authentication request including the second access key to the access cloud platform; correspondingly, the access cloud platform receives the access authentication request sent by the IoT device.
In a possible implementation manner, the IoT device sends an access authentication request including the second access key and the access authentication identifier to the access cloud platform.
In a possible implementation manner, the IoT device sends an access authentication request including the second access key and the device registration code to the access cloud platform.
In a possible implementation manner, the IoT device sends an access authentication request including the second access key, the access authentication identifier and the device registration code to the access cloud platform.
Step 510, the access cloud platform performs access authentication on the IoT device according to the first access key and the second access key.
In a possible implementation manner, the access cloud platform authenticates the IoT device when establishing a data connection, based on the first access key and the second access key, in TLS/DTLS pre-shared key (PSK) mode.
In a possible implementation manner, the access cloud platform queries the above association according to the access authentication identifier carried in the access authentication request to obtain the first access key, and performs access authentication on the IoT device according to the queried first access key and the second access key.
In a possible implementation manner, the access cloud platform establishes a secure data connection with the IoT device in TLS/DTLS pre-shared key (PSK) mode according to the device registration code carried in the access authentication request, and performs one-way or two-way challenge authentication according to the first access key and the second access key.
In another possible implementation manner, the access cloud platform establishes a secure data connection with the IoT device in TLS/DTLS anonymous mode, and performs one-way or two-way challenge authentication according to the first access key and the second access key.
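The following is an added simulation of the FIG. 5 variant (steps 501 to 510 with the device and cloud authentication information); it is example code written for this page, not code from the patent or its assignee. It assumes that "encrypting with the device key" is instantiated as HMAC-SHA256 keyed with K over a length-prefixed concatenation of the random numbers, so that the first access key f(K, R1, R2), the device authentication information f(K, R2) and the cloud authentication information f(K, R2, R3) are domain-separated; ID1 and all random values are constructed, and the access cloud platform is reduced to the relay role it plays in this flow. Two failure modes are exercised: a requester that does not hold K is refused a first access key by the device cloud platform, and a relay that forges the first cloud authentication information is rejected by the device before it derives any second access key.

```python
import hashlib
import hmac
import secrets


def keyed_mac(key: bytes, *parts: bytes) -> bytes:
    """Assumed instantiation of "encrypt with the device key": HMAC-SHA256 over the
    length-prefixed concatenation of the inputs, so (R1, R2) and (R2, R3) cannot collide."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big"))
        h.update(part)
    return h.digest()


class DeviceCloud:
    def __init__(self, keys: dict) -> None:
        self._keys = keys  # ID1 -> K, provisioned at the factory

    def issue(self, id1: bytes, r1: bytes, r2: bytes, device_auth_1: bytes):
        # Step 505 variant: authenticate DA1 against DA2 = f(K, R2) before deriving anything.
        k = self._keys[id1]
        device_auth_2 = keyed_mac(k, r2)
        if not hmac.compare_digest(device_auth_1, device_auth_2):
            return None  # the requester does not hold K: no first access key is issued
        r3 = secrets.token_bytes(16)            # third random number
        cloud_auth_1 = keyed_mac(k, r2, r3)     # first cloud authentication information
        k1 = keyed_mac(k, r1, r2)               # first access key
        return k1, cloud_auth_1, r3


class IoTDevice:
    def __init__(self, k: bytes) -> None:
        self._k = k
        self.r2 = None

    def begin(self):
        # Steps 501/502: second random number and first device authentication information.
        self.r2 = secrets.token_bytes(16)
        return self.r2, keyed_mac(self._k, self.r2)

    def finish(self, r1: bytes, cloud_auth_1: bytes, r3: bytes):
        # Step 508 variant: verify CA1 against CA2 = f(K, R2, R3) before deriving K1'.
        cloud_auth_2 = keyed_mac(self._k, self.r2, r3)
        if not hmac.compare_digest(cloud_auth_1, cloud_auth_2):
            return None  # whoever produced CA1 does not hold K; do not derive K1'
        return keyed_mac(self._k, r1, self.r2)  # second access key


def run_fig5(forge_cloud_auth: bool = False, wrong_device_key: bool = False) -> dict:
    """Run the FIG. 5 exchange and report which checks passed."""
    k = secrets.token_bytes(32)
    id1 = bytes.fromhex("0011223344aa")  # constructed MAC-style ID1
    device_cloud = DeviceCloud({id1: k})
    device = IoTDevice(secrets.token_bytes(32) if wrong_device_key else k)
    result = {"device_cloud_accepted_device": False, "device_accepted_cloud": False, "psk_match": False}

    r2, device_auth_1 = device.begin()
    r1 = secrets.token_bytes(16)  # the access cloud platform's first random number
    issued = device_cloud.issue(id1, r1, r2, device_auth_1)  # access cloud relays ID1, R1, R2, DA1
    if issued is None:
        return result
    result["device_cloud_accepted_device"] = True
    k1, cloud_auth_1, r3 = issued  # the access cloud keeps K1 and forwards R1, CA1, R3
    if forge_cloud_auth:
        cloud_auth_1 = secrets.token_bytes(32)  # a relay without K cannot produce a valid CA1
    k1_prime = device.finish(r1, cloud_auth_1, r3)
    if k1_prime is None:
        return result
    result["device_accepted_cloud"] = True
    result["psk_match"] = hmac.compare_digest(k1, k1_prime)  # step 510 PSK comparison
    return result


if __name__ == "__main__":
    print(run_fig5())
    print(run_fig5(forge_cloud_auth=True))
    print(run_fig5(wrong_device_key=True))
```

Compared with the FIG. 3 flow, the device-chosen R2 gives the device assurance that K1 was derived fresh for this run rather than replayed from an earlier R1, and the CA1/R3 round lets the device confirm that the party behind the access cloud platform holds K before it commits to a key.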
In another possible implementation manner, the access cloud platform receives the first access key, third cloud authentication information, third device authentication information and a third random number sent by the device cloud platform; the third cloud authentication information is generated by the device cloud platform by encrypting the second random number with the device key; the third device authentication information is generated by the device cloud platform by encrypting the third random number; the third random number is generated by the device cloud platform;
before receiving the access authentication request sent by the IoT device, the access cloud platform also provides the third cloud authentication information and the third random number to the IoT device;
when the access cloud platform receives the access authentication request sent by the IoT device, it receives the access authentication request sent by the IoT device after the third cloud authentication information has passed authentication against fourth cloud authentication information; the fourth cloud authentication information is generated by the IoT device by encrypting the second random number with the device key; the access authentication request further includes fourth device authentication information, which is generated by the IoT device by encrypting the third random number with the device key;
when the access cloud platform performs access authentication on the IoT device according to the first access key and the second access key, it performs the access authentication on the IoT device according to the first access key and the second access key after the fourth device authentication information has passed authentication against the third device authentication information.
Correspondingly, before generating the second access key according to the device key and the first random number, the IoT device obtains the third cloud authentication information and the third random number provided by the access cloud platform; the third cloud authentication information is generated by the device cloud platform by encrypting the second random number with the device key; the third random number is generated by the device cloud platform;
when the IoT device generates the second access key according to the device key and the first random number, it encrypts the second random number with the device key to generate the fourth cloud authentication information, and, after the third cloud authentication information has passed authentication against the fourth cloud authentication information, generates the second access key according to the device key and the first random number;
物联网设备还通过该设备密钥对该第三随机数进行加密,生成第四设备认证信息;The IoT device also encrypts the third random number through the device key to generate fourth device authentication information;
物联网设备向该接入云平台发送包含该第二接入密钥的接入认证请求时,向该接入云平台发送包含该第二接入密钥,以及该第四设备认证信息的该接入认证请求。When the IoT device sends an access authentication request containing the second access key to the access cloud platform, it sends the access cloud platform the access authentication request containing the second access key and the fourth device authentication information. Access authentication request.
Refer to FIG. 6, which shows a flowchart of access authentication after network provisioning (配网, rendered elsewhere as "network distribution") has been completed, according to an embodiment of the present application. As shown in FIG. 6, the access authentication process of the IoT device is as follows:
S61: The IoT device establishes a secure connection with the access cloud platform.
S62: The IoT device generates a random string R2 (corresponding to the second random number above) and encrypts R2 with the device key K to generate device authentication information Hc1 (corresponding to the first device authentication information above).
S63: The IoT device sends R2, Hc1 and its device information (including the device identifier ID1 of the IoT device and the device manufacturer information) to the access cloud platform.
S64: The access cloud platform determines the device cloud platform from the device manufacturer information.
S65: The access cloud platform generates, from ID1, an ID2 allocated to the IoT device (corresponding to the access authentication identifier above), and a random number R1 (corresponding to the first random number above). In one possible implementation, the access cloud platform also allocates a device registration code A1 to the IoT device.
S66: The access cloud platform establishes a secure connection with the device cloud platform.
S67: The access cloud platform sends ID1, R1, R2 and Hc1 to the device cloud platform.
S68: The device cloud platform obtains the key K of the IoT device (corresponding to the device key above) from ID1.
S69: The device cloud platform encrypts R2 with K to generate Hc1' (corresponding to the second device authentication information above); if Hc1' equals Hc1, the IoT device is authenticated successfully and the process proceeds to S610; otherwise authentication fails.
S610: The device cloud platform generates a random number R3 (the third random number above).
S611: The device cloud platform encrypts R2 and R3 with K to generate cloud authentication information Hc2 (corresponding to the first cloud authentication information above).
S612: The device cloud platform encrypts R1 with K to generate K1 (corresponding to the first access key above).
S613: The device cloud platform returns K1, R3 and Hc2 to the access cloud platform.
S614: The access cloud platform returns ID2, R1, R3 and Hc2 to the IoT device. In one possible implementation, the access cloud platform also returns A1 to the IoT device.
Over the secure connection, the IoT device obtains ID2, R1, R3, Hc2, the network information and the access cloud platform address; in one possible implementation, the IoT device also obtains A1 over the secure connection.
S615: The IoT device encrypts R2 and R3 with K to generate Hc2' (corresponding to the second cloud authentication information above).
S616: The IoT device compares Hc2' with Hc2; if they are equal, authentication succeeds and the process proceeds to S618; otherwise authentication fails.
S617: The IoT device encrypts R1 and R2 with the locally stored K to obtain K1' (corresponding to the second access key above).
S618: Using K1' as the key, the IoT device establishes a TLS/DTLS connection with the access cloud platform in PSK mode.
Optionally, when the IoT device has obtained A1, the IoT device may also perform the following step S415.
S619: Using A1 as the key, the IoT device establishes a TLS/DTLS connection with the access cloud platform in PSK mode, and then performs one-way or two-way challenge authentication with the access cloud platform using K1' as the key.
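The S61 to S619 exchange above, written out as a runnable three-party simulation. This is an added example, not code from the patent or from the applicant. The patent does not fix a cipher, so the example assumes HMAC-SHA256 as the keyed function standing in for "encrypt X with K"; it models the S618 PSK check as a constant-time comparison of K1 and K1' rather than a real TLS handshake, and models the S619 challenge as a nonce answered under K1'. The page gives K1 as K applied to R1 in S612 but as K applied to R1 and R2 in S617 and in the summary; the example follows S617 so that both sides derive the same key. The device identifier, the vendor name "acme" and the device key are constructed sample values.

```python
"""Three-party simulation of the FIG. 6 access-authentication flow (S61-S619)."""
import hmac
import hashlib
import secrets


def kdf(key: bytes, *parts: bytes) -> bytes:
    """Assumed stand-in for the patent's 'encrypt X with K': HMAC-SHA256 over
    length-prefixed parts, so kdf(K, R2, R3) cannot collide with kdf(K, R2 + R3)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


class DeviceCloud:
    """Manufacturer's cloud: holds the pre-provisioned device key K per ID1 (S68-S613)."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys              # ID1 -> K (constructed sample data)

    def handle(self, id1: str, r1: bytes, r2: bytes, hc1: bytes):
        k = self.device_keys.get(id1)
        if k is None:
            return None
        hc1_prime = kdf(k, r2)                      # S69: second device authentication info
        if not hmac.compare_digest(hc1_prime, hc1):
            return None                             # device failed authentication
        r3 = secrets.token_bytes(16)                # S610: third random number
        hc2 = kdf(k, r2, r3)                        # S611: first cloud authentication info
        k1 = kdf(k, r1, r2)                         # S612/S617: first access key (see lead-in)
        return k1, r3, hc2                          # S613


class AccessCloud:
    """Platform the device connects to; never holds K, only the derived K1."""

    def __init__(self, manufacturers: dict):
        self.manufacturers = manufacturers          # vendor name -> DeviceCloud
        self.sessions = {}                          # ID2 -> K1 association (S65)

    def onboard(self, r2: bytes, hc1: bytes, id1: str, vendor: str):
        device_cloud = self.manufacturers[vendor]   # S64
        id2 = "acc-" + hashlib.sha256(id1.encode()).hexdigest()[:12]   # S65
        r1 = secrets.token_bytes(16)
        result = device_cloud.handle(id1, r1, r2, hc1)                 # S66-S613
        if result is None:
            return None
        k1, r3, hc2 = result
        self.sessions[id2] = k1
        return id2, r1, r3, hc2                     # S614

    def authenticate(self, id2: str, k1_prime: bytes) -> bool:
        """Models the PSK check of S618: the connection completes only if K1' matches K1."""
        k1 = self.sessions.get(id2)
        return k1 is not None and hmac.compare_digest(k1, k1_prime)

    def challenge(self, id2: str):
        """One-way challenge authentication of S619: nonce out, keyed response expected back."""
        nonce = secrets.token_bytes(16)
        return nonce, kdf(self.sessions[id2], nonce)


class IoTDevice:
    def __init__(self, id1: str, vendor: str, k: bytes):
        self.id1, self.vendor, self.k = id1, vendor, k
        self.id2, self.k1_prime = None, None

    def start(self):
        self.r2 = secrets.token_bytes(16)           # S62
        return self.r2, kdf(self.k, self.r2), self.id1, self.vendor   # S63

    def finish(self, id2: str, r1: bytes, r3: bytes, hc2: bytes) -> bool:
        hc2_prime = kdf(self.k, self.r2, r3)        # S615
        if not hmac.compare_digest(hc2_prime, hc2):  # S616: cloud failed authentication
            return False
        self.id2 = id2
        self.k1_prime = kdf(self.k, r1, self.r2)    # S617
        return True

    def respond(self, nonce: bytes) -> bytes:
        return kdf(self.k1_prime, nonce)            # S619 response


def run_flow(device: IoTDevice, access_cloud: AccessCloud) -> bool:
    """Whole exchange; True only if both the device and the access cloud accept."""
    offer = access_cloud.onboard(*device.start())
    if offer is None or not device.finish(*offer):
        return False
    if not access_cloud.authenticate(device.id2, device.k1_prime):
        return False
    nonce, expected = access_cloud.challenge(device.id2)
    return hmac.compare_digest(device.respond(nonce), expected)


# Constructed sample deployment: one vendor, one device with a 32-byte device key.
SAMPLE_KEY = bytes.fromhex("00" * 31 + "01")


def sample_setup(device_key: bytes = SAMPLE_KEY):
    device_cloud = DeviceCloud({"dev-0001": SAMPLE_KEY})
    access_cloud = AccessCloud({"acme": device_cloud})
    return IoTDevice("dev-0001", "acme", device_key), access_cloud


if __name__ == "__main__":
    dev, cloud = sample_setup()
    print("genuine device accepted:", run_flow(dev, cloud))
    dev_bad, cloud = sample_setup(b"\xff" * 32)
    print("device with wrong key accepted:", run_flow(dev_bad, cloud))
```

Running the module shows the two failure points the flow gives each side: a device holding the wrong K is rejected by the device cloud at S69 before any access key is derived, and a tampered R3 or Hc2 is rejected by the device at S616 before K1' is derived. The access cloud only ever sees K1, never K, which is the separation the summary paragraph relies on.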
In summary, in the solution shown in the embodiments of the present application, a device key is pre-provisioned in the IoT device and in the device cloud platform. When the IoT device initiates access to the access cloud platform, the IoT device provides a second random number to the access cloud platform; by interacting with the device cloud platform, the access cloud platform obtains a first access key, in addition to the first random number it generated itself, where the first access key is generated from the device key, the first random number and the second random number. In other words, once the access cloud platform has provided the first random number to the IoT device, the IoT device can derive the second access key used for access from the locally stored device key and the second random number combined with the first random number, and then request access authentication from the access cloud platform using the second access key. In this process the access cloud platform never provides the access key to the IoT device directly, yet the IoT device still obtains the correct access key, which preserves security; at the same time, because the process does not require identity authentication of the IoT device, the access authentication process is simplified, so that the efficiency of IoT device access authentication is improved while the security of access authentication is preserved.
In one possible implementation, when the solution of the embodiment shown in FIG. 2 is applied during or after network provisioning of the IoT device, the first access key may be generated by the access cloud platform, and the key indication information includes a ciphertext obtained by encrypting the first access key.
In this case, the access cloud platform obtains the device information of the IoT device; generates a first random number and a first access key; sends the first random number to the device cloud platform corresponding to the IoT device according to the device information; receives a first encryption key generated by the device cloud platform by encrypting the first random number with the device key; encrypts the first access key with the first encryption key to obtain an encrypted ciphertext; provides the encrypted ciphertext and the first random number to the IoT device; receives an access authentication request sent by the IoT device, the request containing a second access key that the IoT device generates from the device key, the encrypted ciphertext and the first random number; and performs access authentication of the IoT device using the first access key and the second access key.
Correspondingly, the IoT device provides its device information to the access cloud platform; obtains the encrypted ciphertext provided by the access cloud platform and the first random number generated by the access cloud platform, where the encrypted ciphertext is obtained by the access cloud platform encrypting the first access key with a first encryption key, and the first encryption key is generated by the device cloud platform of the IoT device by encrypting the first random number with the device key, the device key being provisioned in both the IoT device and the device cloud platform; encrypts the first random number with the device key to generate a second encryption key; decrypts the encrypted ciphertext with the second encryption key to obtain a second access key; and sends an access authentication request containing the second access key to the access cloud platform, the request asking the access cloud platform to perform access authentication of the IoT device using the first access key and the second access key.
The access authentication process in this case is described below by way of example.
FIG. 7 shows a flowchart of an IoT device access authentication method provided by an exemplary embodiment of the present application. The method can be applied in the access authentication system shown in FIG. 1 and is executed interactively by the IoT device 12, the access cloud platform 14 and the device cloud platform 16; the method may include the following steps:
Step 701: The IoT device provides its device information to the access cloud platform; correspondingly, the access cloud platform obtains the device information of the IoT device.
For step 701, refer to the description of step 401 in the embodiment shown in FIG. 3; it is not repeated here.
Step 702: The access cloud platform generates a first random number and a first access key.
In this embodiment of the present application, in addition to generating the first random number, the access cloud platform also generates the first access key.
In one possible implementation, the access cloud platform also generates an access authentication identifier for the IoT device.
In one possible implementation, the access cloud platform also generates a device registration code for the IoT device.
In one possible implementation, the access cloud platform also establishes an association between the access authentication identifier and the first access key.
Step 703: The access cloud platform sends the first random number to the device cloud platform according to the device information of the IoT device; correspondingly, the device cloud platform receives the first random number.
Step 704: The device cloud platform encrypts the first random number with the device key corresponding to the IoT device to generate a first encryption key.
Step 705: The device cloud platform returns the first encryption key to the access cloud platform, and the access cloud platform receives the first encryption key.
That is, the access cloud platform receives the first encryption key that the IoT device generates by encrypting the first random number with the device key.
Step 706: The access cloud platform encrypts the first access key with the first encryption key to obtain the encrypted ciphertext.
The encrypted ciphertext together with the first random number constitutes the key indication information.
Step 707: The access cloud platform provides the encrypted ciphertext and the first random number to the IoT device; correspondingly, the IoT device obtains the encrypted ciphertext and the first random number provided by the access cloud platform.
In one possible implementation, the access cloud platform also provides the access authentication identifier to the IoT device; correspondingly, the IoT device obtains the access authentication identifier provided by the access cloud platform.
In one possible implementation, the access cloud platform also provides the device registration code to the IoT device; correspondingly, the IoT device obtains the device registration code provided by the access cloud platform.
In one possible implementation, the access cloud platform provides both the access authentication identifier and the device registration code to the IoT device; correspondingly, the IoT device obtains the access authentication identifier and the device registration code provided by the access cloud platform.
Step 708: The IoT device encrypts the first random number with the device key to generate a second encryption key, and decrypts the encrypted ciphertext with the second encryption key to obtain the second access key.
In this embodiment of the present application, the encryption algorithm the IoT device uses to encrypt the first random number with the device key is the same as the encryption algorithm the device cloud platform uses to encrypt the first random number with the device key.
Moreover, the algorithm the IoT device uses to decrypt the encrypted ciphertext with the second encryption key matches the algorithm the access cloud platform uses to encrypt the first access key with the first encryption key.
Step 709: The IoT device sends an access authentication request containing the second access key to the access cloud platform; correspondingly, the access cloud platform receives the access authentication request sent by the IoT device.
In one possible implementation, the access authentication request sent to the access cloud platform contains the second access key and the access authentication identifier.
In one possible implementation, the access authentication request sent to the access cloud platform contains the second access key and the device registration code.
In one possible implementation, the access authentication request sent to the access cloud platform contains the second access key, the access authentication identifier and the device registration code.
Step 710: The access cloud platform performs access authentication of the IoT device using the first access key and the second access key.
In one possible implementation, the access cloud platform authenticates the establishment of the data connection with the IoT device by means of TLS/DTLS pre-shared key (PSK), using the first access key and the second access key.
In one possible implementation, the access cloud platform looks up the above association using the access authentication identifier carried in the access authentication request to obtain the first access key, and then performs access authentication of the IoT device using the looked-up first access key and the second access key.
In one possible implementation, the access cloud platform establishes a secure data connection with the IoT device by means of TLS/DTLS pre-shared key (PSK), using the device registration code carried in the access authentication request, and then performs one-way or two-way challenge authentication using the first access key and the second access key.
In another possible implementation, the access cloud platform establishes a secure data connection with the IoT device by means of anonymous TLS/DTLS, and then performs one-way or two-way challenge authentication using the first access key and the second access key.
Refer to FIG. 8, which shows a flowchart of access authentication during the network provisioning process according to an embodiment of the present application. As shown in FIG. 8, the access authentication process of the IoT device is as follows:
S81: The IoT device broadcasts a beacon frame or displays a QR code; the provisioning device obtains the device information of the IoT device by Soft AP discovery or by scanning the code.
S82: The provisioning device establishes a secure connection with the access cloud platform.
S83: The provisioning device sends the above device information of the IoT device, for example ID1 and the device manufacturer information, to the access cloud platform.
S84: The access cloud platform determines the device cloud platform from the device manufacturer information.
S85: The access cloud platform generates, from ID1, an ID2 allocated to the IoT device (corresponding to the access authentication identifier above), a key K1 (corresponding to the first access key above) and a random number R1 (corresponding to the first random number above). In one possible implementation, the access cloud platform also allocates a device registration code A1 to the IoT device.
S86: The access cloud platform establishes a secure connection with the device cloud platform.
S87: The access cloud platform sends ID1 and R1 to the device cloud platform.
S88: The device cloud platform obtains the key K of the IoT device (corresponding to the device key above) from ID1.
S89: The device cloud platform encrypts R1 with K to generate K2 (corresponding to the first encryption key above).
S810: The device cloud platform returns K2 to the access cloud platform.
S811: The access cloud platform encrypts K1 with K2 to obtain the ciphertext C1.
S812: The access cloud platform returns ID2, the random number R1 and the ciphertext C1 to the provisioning device. In one possible implementation, the access cloud platform also returns A1 to the provisioning device.
S813: The IoT device obtains ID2, R1, the ciphertext C1, the network information and the access cloud platform address by Soft AP discovery or by scanning a code; in one possible implementation, the IoT device also obtains A1 by Soft AP discovery or by scanning a code.
For example, a Soft AP based connection is established between the provisioning terminal and the IoT device, and the provisioning terminal sends ID2, R1, C1, the network information and the access cloud platform address (optionally including A1) to the IoT device.
Alternatively, the provisioning terminal generates and displays a QR code from ID2, R1, C1, the network information and the access cloud platform address (optionally including A1), and the IoT device scans the QR code to obtain ID2, R1, C1, the network information, the access cloud platform address (optionally including A1) and the other information.
S814: The IoT device encrypts R1 with the locally stored K to obtain K2' (corresponding to the second encryption key above), and decrypts C1 with K2' to obtain K1' (corresponding to the second access key above).
S815: Using K1' as the key, the IoT device establishes a TLS/DTLS connection with the access cloud platform in PSK mode.
Optionally, when the IoT device has obtained A1, the IoT device may also perform the following step S816.
S816: Using A1 as the key, the IoT device establishes a TLS/DTLS connection with the access cloud platform in PSK mode, and then performs one-way or two-way challenge authentication with the access cloud platform using K1' as the key.
In summary, in the solution shown in the embodiments of the present application, a device key is pre-provisioned in the IoT device and in the device cloud platform. When the IoT device initiates access to the access cloud platform, the access cloud platform, by interacting with the device cloud platform, obtains the first access key it generated itself, the first random number it generated itself, and a ciphertext produced by encrypting the first random number with the device key. In other words, once the access cloud platform has provided the ciphertext and the first random number to the IoT device, the IoT device can obtain the second access key used for access from the locally stored device key combined with the first random number and the ciphertext, and then request access authentication from the access cloud platform using the second access key. In this process the access cloud platform never provides the access key to the IoT device directly, yet the IoT device still obtains the correct access key, which preserves security; at the same time, because the process does not require identity authentication of the IoT device, the access authentication process is simplified, so that the efficiency of IoT device access authentication is improved while the security of access authentication is preserved.
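The S81 to S816 provisioning flow above (the same procedure as steps 701 to 710), as an added simulation that is not code from the patent or from the applicant. Assumptions: HMAC-SHA256 stands in for "encrypt R1 with K" when producing K2 (S89, S814); the "encrypt K1 with K2" of S811 is a constructed wrap (fresh IV, HMAC-derived keystream, and an HMAC tag over the result), which goes one step beyond the page's wording by authenticating C1, so that a payload altered on the QR code or Soft AP leg is rejected on the device at S814 instead of surfacing only as a failed handshake at S815; the PSK handshake itself is modeled as a constant-time comparison of K1 and K1'. The device identifier, the vendor name "acme" and the device key are constructed sample values.

```python
"""Three-party simulation of the FIG. 8 provisioning-time flow (S81-S816)."""
import hmac
import hashlib
import secrets


def derive(key: bytes, data: bytes) -> bytes:
    """Assumed stand-in for 'encrypt R1 with K' when the output is used as a key (S89, S814)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """S811 'encrypt K1 with K2', constructed here as IV || (K1 XOR keystream) || tag.
    The tag (encrypt-then-MAC) is an addition over the page's wording so tampering is detectable."""
    assert len(key) <= 32, "keystream is one SHA-256 output"
    iv = secrets.token_bytes(16)
    stream = hmac.new(kek, b"stream" + iv, hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(kek, b"tag" + iv + body, hashlib.sha256).digest()
    return iv + body + tag


def unwrap_key(kek: bytes, blob: bytes):
    """S814 inverse of wrap_key; returns None if the tag does not verify under this K2'."""
    iv, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"tag" + iv + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = hmac.new(kek, b"stream" + iv, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, stream))


class DeviceCloud:
    """Holds K per ID1; learns R1 but never K1 (S88-S810)."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys                      # ID1 -> K (constructed sample data)

    def encryption_key(self, id1: str, r1: bytes) -> bytes:
        return derive(self.device_keys[id1], r1)            # K2


class AccessCloud:
    """Generates ID2, K1, R1; learns K2 and C1 but never K (S84-S812, S815)."""

    def __init__(self, manufacturers: dict):
        self.manufacturers = manufacturers                  # vendor -> DeviceCloud
        self.sessions = {}                                  # ID2 -> K1 association

    def provision(self, id1: str, vendor: str):
        id2 = "acc-" + hashlib.sha256(id1.encode()).hexdigest()[:12]   # S85
        k1 = secrets.token_bytes(32)
        r1 = secrets.token_bytes(16)
        k2 = self.manufacturers[vendor].encryption_key(id1, r1)        # S86-S810
        c1 = wrap_key(k2, k1)                                          # S811
        self.sessions[id2] = k1
        return id2, r1, c1                                             # S812

    def authenticate(self, id2: str, k1_prime: bytes) -> bool:
        """Models the PSK handshake of S815: succeeds only if K1' equals K1."""
        k1 = self.sessions.get(id2)
        return k1 is not None and hmac.compare_digest(k1, k1_prime)


class IoTDevice:
    def __init__(self, id1: str, vendor: str, k: bytes):
        self.id1, self.vendor, self.k = id1, vendor, k
        self.id2, self.k1_prime = None, None

    def receive(self, id2: str, r1: bytes, c1: bytes) -> bool:
        """S813-S814: derive K2' from the local K and unwrap C1."""
        k2_prime = derive(self.k, r1)
        self.k1_prime = unwrap_key(k2_prime, c1)
        self.id2 = id2
        return self.k1_prime is not None


def provision_and_connect(device: IoTDevice, access_cloud: AccessCloud, tamper=None) -> str:
    """Whole exchange. `tamper` optionally alters C1 on the provisioning-device leg
    (QR code or Soft AP, S812-S813) to show where a corrupted payload is caught."""
    id2, r1, c1 = access_cloud.provision(device.id1, device.vendor)
    if tamper is not None:
        c1 = tamper(c1)
    if not device.receive(id2, r1, c1):
        return "rejected-by-device"
    return "accepted" if access_cloud.authenticate(id2, device.k1_prime) else "rejected-by-cloud"


# Constructed sample deployment: one vendor, one device with a 32-byte device key.
SAMPLE_KEY = bytes.fromhex("00" * 31 + "02")


def sample_setup(device_key: bytes = SAMPLE_KEY):
    device_cloud = DeviceCloud({"dev-0001": SAMPLE_KEY})
    access_cloud = AccessCloud({"acme": device_cloud})
    return IoTDevice("dev-0001", "acme", device_key), access_cloud


if __name__ == "__main__":
    dev, cloud = sample_setup()
    print("genuine device:", provision_and_connect(dev, cloud))
    dev, cloud = sample_setup()
    flip = lambda c: c[:16] + bytes([c[16] ^ 1]) + c[17:]
    print("C1 bit-flipped in QR code:", provision_and_connect(dev, cloud, flip))
```

The point to take from the split of roles is that the device cloud sees R1 and K, the access cloud sees K2 and C1, and only the device and the access cloud end up holding K1; no single message carries K1 in the clear across the provisioning device, which is the untrusted QR code or Soft AP leg. Without the tag added here, a corrupted C1 would still decrypt to some K1' and the failure would only appear at the S815 handshake.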
FIG. 9 shows a structural block diagram of an IoT device access authentication apparatus provided by an exemplary embodiment of the present application. The apparatus may be used in an access cloud platform, implemented as the access cloud platform device or as part of the access cloud platform device. The apparatus includes:
a device information obtaining module 901, configured to obtain device information of an IoT device;
a first random number generating module 902, configured to generate a first random number;
a first random number sending module 903, configured to send the first random number to the device cloud platform according to the device information of the IoT device;
a first access key receiving module 904, configured to receive a first access key generated by the device cloud platform from a device key and the first random number, the device key being provisioned in the IoT device and in the device cloud platform;
a first random number providing module 905, configured to provide the first random number to the IoT device;
an authentication request receiving module 906, configured to receive an access authentication request sent by the IoT device, the access authentication request containing a second access key generated by the IoT device from the device key and the first random number;
an access authentication module 907, configured to perform access authentication of the IoT device using the first access key and the second access key.
In one possible implementation, the apparatus further includes:
a second random number obtaining module, configured to obtain a second random number generated by the IoT device before the first random number sending module sends the first random number to the device cloud platform according to the device information of the IoT device;
the first random number sending module being configured to send the first random number and the second random number to the device cloud platform according to the device information of the IoT device;
the first access key receiving module being configured to receive the first access key generated by the device cloud platform by encrypting the first random number and the second random number with the device key.
In one possible implementation, the apparatus further includes:
a first device authentication information obtaining module, configured to obtain first device authentication information before the first random number sending module sends the first random number and the second random number to the device cloud platform according to the device information of the IoT device, the first device authentication information being generated by the IoT device by encrypting the second random number with the device key;
the first random number sending module being configured to send the first random number, the second random number and the first device authentication information to the device cloud platform according to the device information of the IoT device;
the first access key receiving module being configured to receive the first access key, first cloud authentication information and a third random number sent by the device cloud platform after it has verified the first device authentication information against second device authentication information; the second device authentication information is generated by the device cloud platform by encrypting the second random number with the device key; the first cloud authentication information is generated by the device cloud platform by encrypting the second random number and the third random number with the device key; the third random number is generated by the device cloud platform;
The apparatus further includes:
a first cloud authentication information providing module, configured to provide the first cloud authentication information and the third random number to the IoT device before the authentication request receiving module receives the access authentication request sent by the IoT device;
the authentication request receiving module being configured to receive the access authentication request sent by the IoT device after it has verified the first cloud authentication information against second cloud authentication information; the second cloud authentication information is generated by the IoT device by encrypting the second random number and the third random number with the device key.
In one possible implementation, the first access key receiving module is configured to receive the first access key, third cloud authentication information, third device authentication information and a third random number sent by the device cloud platform; the third cloud authentication information is generated by the device cloud platform by encrypting the second random number with the device key; the third device authentication information is generated by the device cloud platform by encrypting the third random number; the third random number is generated by the device cloud platform;
The apparatus further includes:
an authentication information and random number providing module, configured to provide the third cloud authentication information and the third random number to the IoT device before the authentication request receiving module receives the access authentication request sent by the IoT device;
所述认证请求接收模块,用于接收所述物联网设备根据第四云认证信息对所述第三云认证信息认证通过后发送的所述接入认证请求;所述第四云认证信息是所述物联网设备通过所述设备密钥对所述第二随机数进行加密生成的;所述接入认证请求中还包括第四设备认证信息,所述第四设备认证信息是所述物联网设备通过所述设备密钥对所述第三随机数进行加密生成的;The authentication request receiving module is configured to receive the access authentication request sent by the IoT device after passing the authentication of the third cloud authentication information according to the fourth cloud authentication information; the fourth cloud authentication information is the The Internet of Things device encrypts the second random number with the device key; the access authentication request also includes fourth device authentication information, and the fourth device authentication information is the Internet of Things device Generated by encrypting the third random number with the device key;
所述接入认证模块,用于在根据所述第三设备认证信息对所述第四设备认证信息认证通过后,根据所述第一接入密钥与所述第二接入密钥,对所述物联网设备进行接入认证。The access authentication module is configured to, according to the first access key and the second access key, authenticate the fourth device authentication information according to the third device authentication information and pass the authentication. The Internet of Things device performs access authentication.
在一种可能的实现方式中,所述接入认证模块,用于根据所述第一接入密钥与所述第二接入密钥,通过TLS/DTLS预共享密钥PSK方式对所述物联网设备进行数据连接建立认证。In a possible implementation manner, the access authentication module is configured to, according to the first access key and the second access key, authenticate the IoT devices perform data connection establishment authentication.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the apparatus further includes:
设备注册码生成模块,用于在所述认证请求接收模块接收所述物联网设备发送的接入认证请求之前,生成设备注册码;a device registration code generating module, configured to generate a device registration code before the authentication request receiving module receives the access authentication request sent by the IoT device;
设备注册码提供模块,用于将所述设备注册码提供给所述物联网设备;a device registration code providing module, configured to provide the device registration code to the IoT device;
所述认证请求接收模块,用于接收携带有所述设备注册码的所述接入认证请求;the authentication request receiving module, configured to receive the access authentication request carrying the device registration code;
所述接入认证模块,用于,The access authentication module is used for,
根据所述接入认证请求中携带的所述设备注册码,通过TLS/DTLS预共享密钥PSK方式,与所述物联网设备建立安全数据连接;According to the device registration code carried in the access authentication request, through the TLS/DTLS pre-shared key PSK method, establish a secure data connection with the IoT device;
根据所述第一接入密钥与所述第二接入密钥,进行单向或双向挑战认证。One-way or two-way challenge authentication is performed according to the first access key and the second access key.
在一种可能的实现方式中,所述接入认证模块,用于,In a possible implementation manner, the access authentication module is configured to:
通过TLS/DTLS匿名方式与所述物联网设备建立安全数据连接;Establish a secure data connection with the IoT device anonymously through TLS/DTLS;
根据所述第一接入密钥与所述第二接入密钥,进行单向或双向挑战认证。One-way or two-way challenge authentication is performed according to the first access key and the second access key.
在一种可能的实现方式中,所述装置还包括:In a possible implementation, the apparatus further includes:
接入认证标识生成模块,用于在认证请求接收模块接收所述物联网设备发送的接入认证请求之前,生成所述物联网设备的接入认证标识;an access authentication identifier generating module, configured to generate an access authentication identifier of the IoT device before the authentication request receiving module receives the access authentication request sent by the IoT device;
关联关系建立模块,用于建立所述接入认证标识与所述第一接入密钥之间的关联关系;an association relationship establishing module, configured to establish an association relationship between the access authentication identifier and the first access key;
接入认证标识提供模块,用于将所述接入认证标识提供给所述物联网设备;an access authentication identifier providing module, configured to provide the access authentication identifier to the Internet of Things device;
所述认证请求接收模块,用于接收携带有所述接入认证标识的所述接入认证请求;the authentication request receiving module, configured to receive the access authentication request carrying the access authentication identifier;
所述接入认证模块,用于,The access authentication module is used for,
根据所述接入认证请求中携带的所述接入认证标识查询所述关联关系,获得所述第一接入密钥;Query the association relationship according to the access authentication identifier carried in the access authentication request to obtain the first access key;
根据查询到的所述第一接入密钥与所述第二接入密钥,对所述物联网设备进行接入认证。Perform access authentication on the Internet of Things device according to the first access key and the second access key obtained through the query.
FIG. 10 shows a structural block diagram of an IoT device access authentication apparatus provided by an exemplary embodiment of the present application. The apparatus can be used in an IoT device and implemented as the IoT device or as a part of the IoT device. The apparatus includes:
a device information providing module 1001, configured to provide device information of the IoT device to an access cloud platform;
a first random number acquisition module 1002, configured to acquire a first random number provided by the access cloud platform, where the first random number is generated by the access cloud platform and is provided after the access cloud platform has obtained a first access key generated by the device cloud platform of the IoT device from a device key and the first random number; the device key is provisioned in both the IoT device and the device cloud platform;
a second access key generation module 1003, configured to generate a second access key from the device key and the first random number;
an authentication request sending module 1004, configured to send an access authentication request including the second access key to the access cloud platform, where the access authentication request requests the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
In a possible implementation, the apparatus further includes:
a second random number generating module, configured to generate a second random number before the first random number acquisition module acquires the first random number provided by the access cloud platform;
a second random number providing module, configured to provide the second random number to the access cloud platform;
the second access key generation module is configured to encrypt the first random number and the second random number with the device key to generate the second access key.
In a possible implementation, the apparatus further includes:
a first device authentication information generation module, configured to, before the first random number provided by the access cloud platform is acquired, encrypt the second random number with the device key to generate first device authentication information;
a first device authentication information providing module, configured to provide the first device authentication information to the access cloud platform;
a first cloud authentication information and third random number acquisition module, configured to acquire first cloud authentication information and a third random number provided by the access cloud platform before the second access key generation module generates the second access key from the device key and the first random number; the third random number is generated by the device cloud platform; the first cloud authentication information is generated by the device cloud platform, after it has authenticated the first device authentication information against second device authentication information, by encrypting the second random number and the third random number with the device key; the second device authentication information is generated by the device cloud platform encrypting the second random number with the device key;
the second access key generation module is configured to:
encrypt the second random number and the third random number with the device key to generate second cloud authentication information; and
after authenticating the first cloud authentication information against the second cloud authentication information, generate the second access key from the device key and the first random number.
In a possible implementation, the apparatus further includes:
an authentication information and random number acquisition module, configured to acquire third cloud authentication information and a third random number provided by the access cloud platform before the second access key generation module generates the second access key from the device key and the first random number; the third cloud authentication information is generated by the device cloud platform encrypting the second random number with the device key; the third random number is generated by the device cloud platform;
the second access key generation module is configured to:
encrypt the second random number with the device key to generate fourth cloud authentication information; and
after authenticating the third cloud authentication information against the fourth cloud authentication information, generate the second access key from the device key and the first random number;
the apparatus further includes:
a fourth device authentication information generating module, configured to encrypt the third random number with the device key to generate fourth device authentication information;
the authentication request sending module is configured to send the access authentication request including the second access key and the fourth device authentication information to the access cloud platform.
In a possible implementation, the apparatus further includes:
a device registration code acquisition module, configured to acquire a device registration code provided by the access cloud platform before the authentication request sending module sends the access authentication request including the second access key to the access cloud platform;
the authentication request sending module is configured to send the access authentication request including the second access key and the device registration code to the access cloud platform.
In a possible implementation, the apparatus further includes:
an access authentication identifier acquisition module, configured to acquire an access authentication identifier of the IoT device provided by the access cloud platform before the authentication request sending module sends the access authentication request including the second access key to the access cloud platform;
the authentication request sending module is configured to send the access authentication request including the second access key and the access authentication identifier to the access cloud platform.
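The three-party exchange that the FIG. 9 and FIG. 10 modules describe (first random number from the access cloud platform, second random number and first device authentication information from the IoT device, first access key, first cloud authentication information and third random number from the device cloud platform, then comparison of the first and second access keys), simulated end to end as an added example. This is not code from the patent or from the applicant. The patent does not name the cipher behind "encrypt with the device key", so a keyed PRF (HMAC-SHA256) is assumed in its place; the 16-byte random numbers, the device identifier, the device key table and the rejection labels are all constructed for the example.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    # Stand-in for the patent's "encrypt ... with the device key" (assumption:
    # the page names no cipher). HMAC-SHA256 over length-prefixed parts, so
    # prf(k, r1, r2) cannot collide with a different split of the same bytes.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


class DeviceCloud:
    """Vendor's device cloud platform: besides the device itself, the only
    party holding the device key (constructed table: device id -> key)."""

    def __init__(self, device_keys):
        self.device_keys = device_keys

    def issue_access_key(self, device_id, r1, r2, dev_auth1):
        key = self.device_keys[device_id]
        dev_auth2 = prf(key, r2)              # second device authentication information
        if not hmac.compare_digest(dev_auth1, dev_auth2):
            raise PermissionError("first device authentication information rejected")
        r3 = secrets.token_bytes(16)          # third random number
        k1 = prf(key, r1, r2)                 # first access key
        cloud_auth1 = prf(key, r2, r3)        # first cloud authentication information
        return k1, cloud_auth1, r3


class AccessCloud:
    """Third-party access cloud platform: relays the random numbers, stores the
    first access key per device, and never sees the device key."""

    def __init__(self, device_cloud):
        self.device_cloud = device_cloud
        self.first_access_keys = {}

    def start_access(self, device_info, r2, dev_auth1):
        device_id = device_info["device_id"]
        r1 = secrets.token_bytes(16)          # first random number
        k1, cloud_auth1, r3 = self.device_cloud.issue_access_key(device_id, r1, r2, dev_auth1)
        self.first_access_keys[device_id] = k1
        return r1, cloud_auth1, r3            # handed on to the device

    def authenticate(self, device_id, k2):
        k1 = self.first_access_keys.get(device_id)
        return k1 is not None and hmac.compare_digest(k1, k2)


class IoTDevice:
    def __init__(self, device_id, device_key):
        self.device_id = device_id
        self.key = device_key
        self.r2 = None

    def device_info(self):
        # Device information the access cloud uses to locate the device cloud (constructed).
        return {"device_id": self.device_id, "vendor": "example-vendor"}

    def begin(self):
        self.r2 = secrets.token_bytes(16)     # second random number
        return self.r2, prf(self.key, self.r2)  # plus first device authentication information

    def derive_access_key(self, r1, cloud_auth1, r3):
        cloud_auth2 = prf(self.key, self.r2, r3)  # second cloud authentication information
        if not hmac.compare_digest(cloud_auth1, cloud_auth2):
            raise PermissionError("first cloud authentication information rejected")
        return prf(self.key, r1, self.r2)     # second access key


def run_access_authentication(key_on_device, key_in_device_cloud, tamper_cloud_auth=False):
    """Drive one full exchange and report which check, if any, rejected it."""
    device = IoTDevice("dev-0001", key_on_device)
    access_cloud = AccessCloud(DeviceCloud({"dev-0001": key_in_device_cloud}))
    r2, dev_auth1 = device.begin()
    try:
        r1, cloud_auth1, r3 = access_cloud.start_access(device.device_info(), r2, dev_auth1)
    except PermissionError:
        return "rejected by device cloud"
    if tamper_cloud_auth:
        # Simulate a relay that cannot compute the cloud authentication information.
        cloud_auth1 = bytes(b ^ 0xFF for b in cloud_auth1)
    try:
        k2 = device.derive_access_key(r1, cloud_auth1, r3)
    except PermissionError:
        return "rejected by device"
    return "accepted" if access_cloud.authenticate(device.device_id, k2) else "access key mismatch"
```

The two authentication-information checks are what make the relay trustworthy: the device cloud only issues an access key once the second random number is proven to come from a holder of the device key, and the device only derives its access key once the response is proven to come from a holder of the device key, so an access cloud that talked to the wrong device cloud is detected before any key is used.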
FIG. 11 shows a structural block diagram of an IoT device access authentication apparatus provided by an exemplary embodiment of the present application. The apparatus can be used in an access cloud platform and implemented as the access cloud platform device or as a part of the access cloud platform device. The apparatus includes:
a device information acquisition module 1101, configured to acquire device information of an IoT device;
a random number and key generation module 1102, configured to generate a first random number and a first access key;
a first random number sending module 1103, configured to send the first random number to the device cloud platform corresponding to the IoT device according to the device information of the IoT device;
a first encryption key receiving module 1104, configured to receive a first encryption key generated by the device cloud platform encrypting the first random number with the device key;
an encrypted ciphertext acquisition module 1105, configured to encrypt the first access key with the first encryption key to obtain an encrypted ciphertext;
a ciphertext and random number providing module 1106, configured to provide the encrypted ciphertext and the first random number to the IoT device;
an authentication request receiving module 1107, configured to receive an access authentication request sent by the IoT device, where the access authentication request includes a second access key generated by the IoT device from the device key, the encrypted ciphertext and the first random number;
an access authentication module 1108, configured to perform access authentication on the IoT device according to the first access key and the second access key.
In a possible implementation, the access authentication module is configured to perform data connection establishment authentication with the IoT device by means of TLS/DTLS pre-shared key (PSK) according to the first access key and the second access key.
In a possible implementation, the apparatus further includes:
a device registration code generating module, configured to generate a device registration code before the authentication request receiving module receives the access authentication request sent by the IoT device;
a device registration code providing module, configured to provide the device registration code to the IoT device;
the authentication request receiving module is configured to receive the access authentication request carrying the device registration code;
the access authentication module is configured to:
establish a secure data connection with the IoT device by means of TLS/DTLS pre-shared key (PSK) according to the device registration code carried in the access authentication request; and
perform one-way or two-way challenge authentication according to the first access key and the second access key.
In a possible implementation, the access authentication module is configured to:
establish a secure data connection with the IoT device by means of anonymous TLS/DTLS; and
perform one-way or two-way challenge authentication according to the first access key and the second access key.
In a possible implementation, the apparatus further includes:
an access authentication identifier generating module, configured to generate an access authentication identifier for the IoT device before the authentication request receiving module receives the access authentication request sent by the IoT device;
an association establishing module, configured to establish an association between the access authentication identifier and the first access key;
an access authentication identifier providing module, configured to provide the access authentication identifier to the IoT device;
the authentication request receiving module is configured to receive the access authentication request carrying the access authentication identifier;
the access authentication module is configured to:
query the association using the access authentication identifier carried in the access authentication request to obtain the first access key; and
perform access authentication on the IoT device according to the queried first access key and the second access key.
FIG. 12 shows a structural block diagram of an IoT device access authentication apparatus provided by an exemplary embodiment of the present application. The apparatus can be used in an IoT device and implemented as the IoT device or as a part of the IoT device. The apparatus includes:
a device information providing module 1201, configured to provide device information of the IoT device to an access cloud platform;
a ciphertext and random number acquisition module 1202, configured to acquire an encrypted ciphertext provided by the access cloud platform and a first random number generated by the access cloud platform; the encrypted ciphertext is obtained by the access cloud platform encrypting a first access key with a first encryption key; the first encryption key is generated by the device cloud platform of the IoT device encrypting the first random number with a device key; the device key is provisioned in both the IoT device and the device cloud platform;
a second encryption key generation module 1203, configured to encrypt the first random number with the device key to generate a second encryption key;
a second access key acquisition module 1204, configured to decrypt the encrypted ciphertext with the second encryption key to obtain a second access key;
an authentication request sending module 1205, configured to send an access authentication request including the second access key to the access cloud platform, where the access authentication request requests the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
In a possible implementation, the apparatus further includes:
a device registration code acquisition module, configured to acquire a device registration code provided by the access cloud platform before the authentication request sending module sends the access authentication request including the second access key to the access cloud platform;
the authentication request sending module is configured to send the access authentication request including the second access key and the device registration code to the access cloud platform.
In a possible implementation, the apparatus further includes:
an access authentication identifier acquisition module, configured to acquire an access authentication identifier of the IoT device provided by the access cloud platform before the authentication request sending module sends the access authentication request including the second access key to the access cloud platform;
the authentication request sending module is configured to send the access authentication request including the second access key and the access authentication identifier to the access cloud platform.
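The FIG. 11 and FIG. 12 variant differs from the earlier one in that the access cloud platform chooses the first access key itself and delivers it to the device wrapped under an encryption key that only the device cloud platform and the device can derive from the device key and the first random number. The added example below simulates that key delivery and then the two-way challenge authentication with access authentication identifier lookup described for the FIG. 11 access authentication module; the patent's TLS/DTLS session that would carry the challenge is not set up here. This is not code from the patent or from the applicant. Assumptions: HMAC-SHA256 stands in for "encrypt with a key" (the page names no cipher); the 32-byte access key is wrapped by XOR with a keystream derived from the encryption key, which is fresh per first random number; the challenge and response formats, identifiers and keys are constructed.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    # Keyed PRF standing in for "encrypt with the key" (assumption, see lead-in).
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def wrap(enc_key: bytes, access_key: bytes) -> bytes:
    # Wrap the 32-byte access key under the encryption key: XOR with a keystream
    # derived from enc_key (assumption). enc_key changes with every first random
    # number, so the keystream is never reused. Applying wrap again unwraps.
    stream = prf(enc_key, b"access-key-wrap")
    return bytes(a ^ b for a, b in zip(access_key, stream))


unwrap = wrap


class DeviceCloud:
    def __init__(self, device_keys):
        self.device_keys = device_keys      # constructed: device id -> device key

    def first_encryption_key(self, device_id, r1):
        return prf(self.device_keys[device_id], r1)


class AccessCloud:
    def __init__(self, device_cloud):
        self.device_cloud = device_cloud
        self.by_auth_id = {}                # access authentication identifier -> first access key

    def provision(self, device_info):
        device_id = device_info["device_id"]
        r1 = secrets.token_bytes(16)        # first random number
        k1 = secrets.token_bytes(32)        # first access key, chosen by the access cloud
        ek1 = self.device_cloud.first_encryption_key(device_id, r1)
        ciphertext = wrap(ek1, k1)          # encrypted ciphertext
        auth_id = secrets.token_hex(8)      # access authentication identifier
        self.by_auth_id[auth_id] = k1       # the association relationship
        return ciphertext, r1, auth_id

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, auth_id, nonce, response, device_nonce):
        # One-way step: look up K1 by identifier and check the device's response;
        # two-way step: answer the device's nonce so it can check us.
        k1 = self.by_auth_id.get(auth_id)
        if k1 is None or not hmac.compare_digest(prf(k1, b"device", nonce), response):
            return None
        return prf(k1, b"cloud", device_nonce)


class IoTDevice:
    def __init__(self, device_id, device_key):
        self.device_id = device_id
        self.key = device_key
        self.k2 = None
        self.nonce = None

    def device_info(self):
        return {"device_id": self.device_id}

    def recover_access_key(self, ciphertext, r1):
        ek2 = prf(self.key, r1)             # second encryption key
        self.k2 = unwrap(ek2, ciphertext)   # second access key

    def respond(self, nonce):
        self.nonce = secrets.token_bytes(16)
        return prf(self.k2, b"device", nonce), self.nonce

    def verify_cloud(self, response):
        return response is not None and hmac.compare_digest(
            prf(self.k2, b"cloud", self.nonce), response)


def run_two_way_challenge(key_on_device, key_in_device_cloud):
    """Provision a wrapped access key, then run the two-way challenge."""
    device = IoTDevice("dev-0002", key_on_device)
    access_cloud = AccessCloud(DeviceCloud({"dev-0002": key_in_device_cloud}))
    ciphertext, r1, auth_id = access_cloud.provision(device.device_info())
    device.recover_access_key(ciphertext, r1)
    nonce = access_cloud.challenge()
    response, device_nonce = device.respond(nonce)
    cloud_response = access_cloud.verify(auth_id, nonce, response, device_nonce)
    if cloud_response is None:
        return "device rejected by access cloud"
    if not device.verify_cloud(cloud_response):
        return "access cloud rejected by device"
    return "mutually authenticated"
```

Note that in this variant a device holding the wrong device key does not fail at provisioning time: it silently unwraps to a wrong second access key, and the mismatch only surfaces when the challenge response is checked against the first access key looked up by the access authentication identifier. Keying the two directions of the challenge with different labels keeps a response from one side from being replayed as the other side's answer.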
It should be noted that, when the apparatus provided in the above embodiments implements its functions, the division into the functional modules above is only an example; in practice, the above functions may be allocated to different functional modules as required, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above.
Regarding the apparatus in the above embodiments, the specific manner in which each module performs its operations has been described in detail in the embodiments of the method and will not be elaborated here.
FIG. 13 shows a schematic structural diagram of a computer device (such as an IoT device, an access cloud platform device or a device cloud platform) provided by an exemplary embodiment of the present application. The computer device includes a processor 131, a receiver 132, a transmitter 133, a memory 134 and a bus 135.
The processor 131 includes one or more processing cores and performs various functional applications and information processing by running software programs and modules.
The receiver 132 and the transmitter 133 may be implemented as one communication component, which may be a communication chip.
The memory 134 is connected to the processor 131 through the bus 135.
The memory 134 may be configured to store at least one instruction, and the processor 131 is configured to execute the at least one instruction to implement the steps in the above method embodiments.
In addition, the memory 134 may be implemented by any type of volatile or non-volatile storage device, or a combination thereof, including but not limited to: a magnetic disk or optical disc, electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), static random access memory (SRAM), read-only memory (ROM), magnetic memory, flash memory, and programmable read-only memory (PROM).
In an exemplary embodiment, the computer device includes a processor, a memory and a transceiver (the transceiver may include a receiver for receiving information and a transmitter for sending information).
In a possible implementation, when the computer device is implemented as an access cloud platform device:
the processor is configured to acquire device information of an IoT device and to generate a first random number;
the transceiver is configured to send the first random number to the device cloud platform according to the device information of the IoT device, and to receive a first access key generated by the device cloud platform from a device key and the first random number; the device key is provisioned in both the IoT device and the device cloud platform;
the processor is configured to provide the first random number to the IoT device;
the transceiver is configured to receive an access authentication request sent by the IoT device, where the access authentication request includes a second access key generated by the IoT device from the device key and the first random number;
the processor is configured to perform access authentication on the IoT device according to the first access key and the second access key.
In a possible implementation, when the computer device is implemented as an IoT device:
the processor is configured to provide device information of the IoT device to an access cloud platform, and to acquire a first random number provided by the access cloud platform, where the first random number is generated by the access cloud platform and is provided after the access cloud platform has obtained a first access key generated by the device cloud platform of the IoT device from a device key and the first random number; the device key is provisioned in both the IoT device and the device cloud platform;
the processor is configured to generate a second access key from the device key and the first random number;
the transceiver is configured to send an access authentication request including the second access key to the access cloud platform, where the access authentication request requests the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
In a possible implementation, when the computer device is implemented as an access cloud platform device:
the processor is configured to acquire device information of an IoT device and to generate a first random number and a first access key;
the transceiver is configured to send the first random number to the device cloud platform corresponding to the IoT device according to the device information of the IoT device, and to receive a first encryption key generated by the device cloud platform encrypting the first random number with the device key;
the processor is configured to encrypt the first access key with the first encryption key to obtain an encrypted ciphertext, and to provide the encrypted ciphertext and the first random number to the IoT device;
the transceiver is configured to receive an access authentication request sent by the IoT device, where the access authentication request includes a second access key generated by the IoT device from the device key, the encrypted ciphertext and the first random number;
the processor is configured to perform access authentication on the IoT device according to the first access key and the second access key.
In a possible implementation, when the computer device is implemented as an IoT device:
the processor is configured to provide device information of the IoT device to an access cloud platform, and to acquire an encrypted ciphertext provided by the access cloud platform and a first random number generated by the access cloud platform; the encrypted ciphertext is obtained by the access cloud platform encrypting a first access key with a first encryption key; the first encryption key is generated by the device cloud platform of the IoT device encrypting the first random number with a device key; the device key is provisioned in both the IoT device and the device cloud platform;
the processor is configured to encrypt the first random number with the device key to generate a second encryption key, and to decrypt the encrypted ciphertext with the second encryption key to obtain a second access key;
the transceiver is configured to send an access authentication request including the second access key to the access cloud platform, where the access authentication request requests the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
When the computer device is implemented as an access platform cloud or an IoT device, the processor and the transceiver of the computer device in the embodiments of the present application may perform the steps performed by the access platform cloud or the IoT device in any of the methods shown in FIG. 2 to FIG. 8, which will not be repeated here.
In an exemplary embodiment, a computer-readable storage medium is further provided, in which a computer program is stored; the computer program is loaded and executed by a processor to implement the IoT device access authentication method performed by a computer device as provided in the above method embodiments.
In an exemplary embodiment, a computer program product is further provided which, when run on a processor of a computer device, causes the network device to perform the IoT device access authentication method described in the above aspects.
In an exemplary embodiment, a chip is further provided, which includes programmable logic circuitry and/or program instructions and which, when run on a computer device, implements the IoT device access authentication method described in the above aspects.
以上所述仅为本申请的可选实施例,并不用以限制本申请,凡在本申请的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本申请的保护范围之内。The above descriptions are only optional embodiments of the present application, and are not intended to limit the present application. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present application shall be included in the protection of the present application. within the range.

Claims (49)

  1. An IoT device access authentication method, characterized in that the method is performed by an access cloud platform and comprises:
    obtaining device information of an IoT device;
    generating a first random number;
    sending the first random number to the device cloud platform according to the device information of the IoT device;
    receiving a first access key generated by the device cloud platform using a device key and the first random number, where the device key is provisioned in both the IoT device and the device cloud platform;
    providing the first random number to the IoT device;
    receiving an access authentication request sent by the IoT device, where the access authentication request contains a second access key, and the second access key is generated by the IoT device according to the device key and the first random number;
    performing access authentication on the IoT device according to the first access key and the second access key.
  2. The method according to claim 1, characterized in that, before sending the first random number to the device cloud platform according to the device information of the IoT device, the method comprises:
    obtaining a second random number generated by the IoT device;
    the sending the first random number to the device cloud platform according to the device information of the IoT device comprises:
    sending the first random number and the second random number to the device cloud platform according to the device information of the IoT device;
    the receiving the first access key generated by the IoT device using the device key and the first random number comprises:
    receiving the first access key generated by the device cloud platform encrypting the first random number and the second random number with the device key.
  3. The method according to claim 2, characterized in that, before sending the first random number and the second random number to the device cloud platform according to the device information of the IoT device, the method further comprises:
    obtaining first device authentication information, the first device authentication information being generated by the IoT device encrypting the second random number with the device key;
    the sending the first random number and the second random number to the device cloud platform according to the device information of the IoT device comprises:
    sending the first random number, the second random number and the first device authentication information to the device cloud platform according to the device information of the IoT device;
    the receiving the first access key generated by the device cloud platform encrypting the first random number and the second random number with the device key comprises:
    receiving the first access key, first cloud authentication information and a third random number sent by the device cloud platform after the first device authentication information has been verified against second device authentication information; the second device authentication information is generated by the device cloud platform encrypting the second random number with the device key; the first cloud authentication information is generated by the device cloud platform encrypting the second random number and the third random number with the device key; the third random number is generated by the device cloud platform;
    before receiving the access authentication request sent by the IoT device, the method further comprises:
    providing the first cloud authentication information and the third random number to the IoT device;
    the receiving the access authentication request sent by the IoT device comprises:
    receiving the access authentication request sent by the IoT device after the first cloud authentication information has been verified against second cloud authentication information; the second cloud authentication information is generated by the IoT device encrypting the second random number and the third random number with the device key.
  4. The method according to claim 2, characterized in that the receiving the first access key generated by the device cloud platform encrypting the first random number and the second random number with the device key comprises:
    receiving the first access key, third cloud authentication information, third device authentication information and a third random number sent by the device cloud platform; the third cloud authentication information is generated by the device cloud platform encrypting the second random number with the device key; the third device authentication information is generated by the device cloud platform by encryption using the third random number; the third random number is generated by the device cloud platform;
    before receiving the access authentication request sent by the IoT device, the method further comprises:
    providing the third cloud authentication information and the third random number to the IoT device;
    the receiving the access authentication request sent by the IoT device comprises:
    receiving the access authentication request sent by the IoT device after the third cloud authentication information has been verified against fourth cloud authentication information; the fourth cloud authentication information is generated by the IoT device encrypting the second random number with the device key; the access authentication request further contains fourth device authentication information, which is generated by the IoT device encrypting the third random number with the device key;
    the performing access authentication on the IoT device according to the first access key and the second access key comprises:
    after the fourth device authentication information has been verified against the third device authentication information, performing access authentication on the IoT device according to the first access key and the second access key.
  5. The method according to any one of claims 1 to 4, characterized in that the performing access authentication on the IoT device according to the first access key and the second access key comprises:
    performing data-connection establishment authentication with the IoT device in the TLS/DTLS pre-shared key (PSK) mode according to the first access key and the second access key.
  6. The method according to any one of claims 1 to 4, characterized in that, before receiving the access authentication request sent by the IoT device, the method further comprises:
    generating a device registration code;
    providing the device registration code to the IoT device;
    the receiving the access authentication request sent by the IoT device comprises:
    receiving the access authentication request carrying the device registration code;
    the performing access authentication on the IoT device according to the first access key and the second access key comprises:
    establishing a secure data connection with the IoT device in the TLS/DTLS pre-shared key (PSK) mode according to the device registration code carried in the access authentication request;
    performing one-way or two-way challenge authentication according to the first access key and the second access key.
  7. The method according to any one of claims 1 to 4, characterized in that the performing access authentication on the IoT device according to the first access key and the second access key comprises:
    establishing a secure data connection with the IoT device in TLS/DTLS anonymous mode;
    performing one-way or two-way challenge authentication according to the first access key and the second access key.
  8. The method according to any one of claims 1 to 4, characterized in that, before receiving the access authentication request sent by the IoT device, the method further comprises:
    generating an access authentication identifier of the IoT device;
    establishing an association between the access authentication identifier and the first access key;
    providing the access authentication identifier to the IoT device;
    the receiving the access authentication request sent by the IoT device comprises:
    receiving the access authentication request carrying the access authentication identifier;
    the performing access authentication on the IoT device according to the first access key and the second access key comprises:
    looking up the association according to the access authentication identifier carried in the access authentication request to obtain the first access key;
    performing access authentication on the IoT device according to the looked-up first access key and the second access key.
  9. An IoT device access authentication method, characterized in that the method is performed by an IoT device and comprises:
    providing device information of the IoT device to an access cloud platform;
    obtaining a first random number provided by the access cloud platform, where the first random number is generated by the access cloud platform and is provided after the access cloud platform has obtained a first access key generated by the device cloud platform of the IoT device using a device key and the first random number; the device key is provisioned in both the IoT device and the device cloud platform;
    generating a second access key according to the device key and the first random number;
    sending an access authentication request containing the second access key to the access cloud platform, where the access authentication request is used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
  10. The method according to claim 9, characterized in that, before obtaining the first random number provided by the access cloud platform, the method further comprises:
    generating a second random number;
    providing the second random number to the access cloud platform;
    the generating a second access key according to the device key and the first random number comprises:
    encrypting the first random number and the second random number with the device key to generate the second access key.
  11. The method according to claim 10, characterized in that, before obtaining the first random number provided by the access cloud platform, the method further comprises:
    encrypting the second random number with the device key to generate first device authentication information;
    providing the first device authentication information to the access cloud platform;
    before generating the second access key according to the device key and the first random number, the method further comprises:
    obtaining first cloud authentication information and a third random number provided by the access cloud platform; the third random number is generated by the device cloud platform; the first cloud authentication information is generated by the device cloud platform encrypting the second random number and the third random number with the device key after the first device authentication information has been verified against second device authentication information; the second device authentication information is generated by the device cloud platform encrypting the second random number with the device key;
    the generating a second access key according to the device key and the first random number comprises:
    encrypting the second random number and the third random number with the device key to generate second cloud authentication information;
    after the first cloud authentication information has been verified against the second cloud authentication information, generating the second access key according to the device key and the first random number.
  12. The method according to claim 10, characterized in that, before generating the second access key according to the device key and the first random number, the method further comprises:
    obtaining third cloud authentication information and a third random number provided by the access cloud platform; the third cloud authentication information is generated by the device cloud platform encrypting the second random number with the device key; the third random number is generated by the device cloud platform;
    the generating a second access key according to the device key and the first random number comprises:
    encrypting the second random number with the device key to generate fourth cloud authentication information;
    after the third cloud authentication information has been verified against the fourth cloud authentication information, generating the second access key according to the device key and the first random number;
    the method further comprises:
    encrypting the third random number with the device key to generate fourth device authentication information;
    the sending an access authentication request containing the second access key to the access cloud platform comprises:
    sending the access authentication request containing the second access key and the fourth device authentication information to the access cloud platform.
  13. The method according to any one of claims 9 to 12, characterized in that, before sending the access authentication request containing the second access key to the access cloud platform, the method further comprises:
    obtaining a device registration code provided by the access cloud platform;
    the sending an access authentication request containing the second access key to the access cloud platform comprises:
    sending the access authentication request containing the second access key and the device registration code to the access cloud platform.
  14. The method according to any one of claims 9 to 12, characterized in that, before sending the access authentication request containing the second access key to the access cloud platform, the method further comprises:
    obtaining an access authentication identifier of the IoT device provided by the access cloud platform;
    the sending an access authentication request containing the second access key to the access cloud platform comprises:
    sending the access authentication request containing the second access key and the access authentication identifier to the access cloud platform.
  15. An IoT device access authentication method, characterized in that the method is performed by an access cloud platform and comprises:
    obtaining device information of an IoT device;
    generating a first random number and a first access key;
    sending the first random number to the device cloud platform corresponding to the IoT device according to the device information of the IoT device;
    receiving a first encryption key generated by the device cloud platform encrypting the first random number with the device key;
    encrypting the first access key with the first encryption key to obtain an encrypted ciphertext;
    providing the encrypted ciphertext and the first random number to the IoT device;
    receiving an access authentication request sent by the IoT device, where the access authentication request contains a second access key, and the second access key is generated by the IoT device according to the device key, the encrypted ciphertext and the first random number;
    performing access authentication on the IoT device according to the first access key and the second access key.
  16. The method according to claim 15, characterized in that the performing access authentication on the IoT device according to the first access key and the second access key comprises:
    performing data-connection establishment authentication with the IoT device in the TLS/DTLS pre-shared key (PSK) mode according to the first access key and the second access key.
  17. The method according to claim 15, characterized in that, before receiving the access authentication request sent by the IoT device, the method further comprises:
    generating a device registration code;
    providing the device registration code to the IoT device;
    the receiving the access authentication request sent by the IoT device comprises:
    receiving the access authentication request carrying the device registration code;
    the performing access authentication on the IoT device according to the first access key and the second access key comprises:
    establishing a secure data connection with the IoT device in the TLS/DTLS pre-shared key (PSK) mode according to the device registration code carried in the access authentication request;
    performing one-way or two-way challenge authentication according to the first access key and the second access key.
  18. The method according to claim 15, characterized in that the performing access authentication on the IoT device according to the first access key and the second access key comprises:
    establishing a secure data connection with the IoT device in TLS/DTLS anonymous mode;
    performing one-way or two-way challenge authentication according to the first access key and the second access key.
  19. The method according to claim 15, characterized in that, before receiving the access authentication request sent by the IoT device, the method further comprises:
    generating an access authentication identifier of the IoT device;
    establishing an association between the access authentication identifier and the first access key;
    providing the access authentication identifier to the IoT device;
    the receiving the access authentication request sent by the IoT device comprises:
    receiving the access authentication request carrying the access authentication identifier;
    the performing access authentication on the IoT device according to the first access key and the second access key comprises:
    looking up the association according to the access authentication identifier carried in the access authentication request to obtain the first access key;
    performing access authentication on the IoT device according to the looked-up first access key and the second access key.
  20. An IoT device access authentication method, characterized in that the method is performed by an IoT device and comprises:
    providing device information of the IoT device to an access cloud platform;
    obtaining an encrypted ciphertext provided by the access cloud platform and a first random number generated by the access cloud platform; the encrypted ciphertext is obtained by the access cloud platform encrypting a first access key with a first encryption key; the first encryption key is generated by the device cloud platform of the IoT device encrypting the first random number with a device key; the device key is provisioned in both the IoT device and the device cloud platform;
    encrypting the first random number with the device key to generate a second encryption key;
    decrypting the encrypted ciphertext with the second encryption key to obtain a second access key;
    sending an access authentication request containing the second access key to the access cloud platform, where the access authentication request is used to request the access cloud platform to perform access authentication on the IoT device according to the first access key and the second access key.
  21. The method according to claim 20, characterized in that, before sending the access authentication request containing the second access key to the access cloud platform, the method further comprises:
    obtaining a device registration code provided by the access cloud platform;
    the sending an access authentication request containing the second access key to the access cloud platform comprises:
    sending the access authentication request containing the second access key and the device registration code to the access cloud platform.
  22. The method according to claim 20, characterized in that, before sending the access authentication request containing the second access key to the access cloud platform, the method further comprises:
    obtaining an access authentication identifier of the IoT device provided by the access cloud platform;
    the sending an access authentication request containing the second access key to the access cloud platform comprises:
    sending the access authentication request containing the second access key and the access authentication identifier to the access cloud platform.
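The two claimed flows, modelled end to end as an added example (this is not code from the patent or its applicant): the derived-key flow of claims 1/2 and 9/10, in which the device cloud and the device each compute the access key from the device key and the two random numbers, and the wrapped-key flow of claims 15 and 20, in which the access cloud picks the access key and delivers it encrypted under a key only the device cloud and the device can derive. The claims fix no cipher, so "encrypting a random number with the device key to generate a key" is assumed here to be HMAC-SHA256, the ciphertext of claim 15 is assumed to be an XOR with a keystream derived from the first encryption key, and every identifier, key and class name is constructed.

```python
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    """Assumed realisation of "encrypt X with the device key to obtain a key":
    HMAC-SHA256 over length-prefixed inputs (the patent fixes no cipher)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def wrap(enc_key: bytes, data: bytes) -> bytes:
    """Symmetric wrap/unwrap of a 32-byte access key under a one-block
    keystream derived from the encryption key (assumed construction)."""
    stream = prf(enc_key, b"access-key-wrap")
    return bytes(a ^ b for a, b in zip(data, stream))


class DeviceCloud:
    """Device cloud platform: holds the pre-provisioned device keys and
    answers the access cloud without ever exporting a device key."""

    def __init__(self, device_keys: dict):
        self._keys = dict(device_keys)

    def first_access_key(self, device_id: str, r1: bytes, r2: bytes) -> bytes:
        return prf(self._keys[device_id], r1, r2)  # claim 2

    def first_encryption_key(self, device_id: str, r1: bytes) -> bytes:
        return prf(self._keys[device_id], r1)  # claim 15


class IoTDevice:
    """IoT device holding the same device key as the device cloud."""

    def __init__(self, device_id: str, device_key: bytes):
        self.device_id = device_id
        self._key = device_key
        self.r2 = b""

    def second_random(self) -> bytes:  # claim 10: the device contributes its own nonce
        self.r2 = os.urandom(16)
        return self.r2

    def second_access_key(self, r1: bytes) -> bytes:  # claim 10
        return prf(self._key, r1, self.r2)

    def unwrap_access_key(self, r1: bytes, ciphertext: bytes) -> bytes:
        ek2 = prf(self._key, r1)  # claim 20: second encryption key
        return wrap(ek2, ciphertext)


class AccessCloud:
    """Access cloud platform: never sees the device key; it compares the key
    obtained from the device cloud with the one the device presents."""

    def __init__(self, device_cloud: DeviceCloud):
        self._dc = device_cloud

    def authenticate_derived(self, device: IoTDevice) -> bool:
        """Claims 1/2 and 9/10: both sides derive the access key independently."""
        r1 = os.urandom(16)
        r2 = device.second_random()
        try:
            k1 = self._dc.first_access_key(device.device_id, r1, r2)
        except KeyError:
            return False  # device unknown to the device cloud
        k2 = device.second_access_key(r1)  # carried in the access authentication request
        return hmac.compare_digest(k1, k2)  # constant-time comparison

    def authenticate_wrapped(self, device: IoTDevice) -> bool:
        """Claims 15 and 20: the access cloud chooses the access key and ships
        it wrapped under a key only the device cloud and the device can derive."""
        r1 = os.urandom(16)
        ak1 = os.urandom(32)
        try:
            ek1 = self._dc.first_encryption_key(device.device_id, r1)
        except KeyError:
            return False
        ak2 = device.unwrap_access_key(r1, wrap(ek1, ak1))
        return hmac.compare_digest(ak1, ak2)


def run_demo() -> dict:
    """Constructed sample: a genuine device, a clone with a wrong device key
    and a device the device cloud has never registered."""
    good_key = hashlib.sha256(b"constructed-device-key-0001").digest()
    ac = AccessCloud(DeviceCloud({"dev-0001": good_key}))
    genuine = IoTDevice("dev-0001", good_key)
    clone = IoTDevice("dev-0001", hashlib.sha256(b"wrong-key").digest())
    unknown = IoTDevice("dev-9999", good_key)
    return {
        "derived_genuine": ac.authenticate_derived(genuine),
        "derived_clone": ac.authenticate_derived(clone),
        "derived_unknown": ac.authenticate_derived(unknown),
        "wrapped_genuine": ac.authenticate_wrapped(genuine),
        "wrapped_clone": ac.authenticate_wrapped(clone),
    }
```

The property both flows depend on is visible in the code: the device key never leaves the device or the device cloud, and the access cloud only ever handles a per-session access key, so a clone without the device key fails in either flow.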
  23. An IoT device access authentication apparatus, characterized in that the apparatus is used in an access cloud platform and comprises:
    a device information obtaining module, configured to obtain device information of an IoT device;
    a first random number generating module, configured to generate a first random number;
    a first random number sending module, configured to send the first random number to the device cloud platform according to the device information of the IoT device;
    a first access key receiving module, configured to receive a first access key generated by the device cloud platform using a device key and the first random number, where the device key is provisioned in both the IoT device and the device cloud platform;
    a first random number providing module, configured to provide the first random number to the IoT device;
    an authentication request receiving module, configured to receive an access authentication request sent by the IoT device, where the access authentication request contains a second access key, and the second access key is generated by the IoT device according to the device key and the first random number;
    an access authentication module, configured to perform access authentication on the IoT device according to the first access key and the second access key.
  24. The apparatus of claim 23, wherein the apparatus further comprises:
    a second random number obtaining module, configured to obtain a second random number generated by the IoT device before the first random number sending module sends the first random number to the device cloud platform according to the device information of the IoT device;
    the first random number sending module is configured to send the first random number and the second random number to the device cloud platform according to the device information of the IoT device;
    the first access key receiving module is configured to receive the first access key, which the device cloud platform generates by encrypting the first random number and the second random number with the device key.
  25. The apparatus of claim 24, wherein the apparatus further comprises:
    a first device authentication information obtaining module, configured to obtain first device authentication information before the first random number sending module sends the first random number and the second random number to the device cloud platform according to the device information of the IoT device, the first device authentication information being generated by the IoT device encrypting the second random number with the device key;
    the first random number sending module is configured to send the first random number, the second random number and the first device authentication information to the device cloud platform according to the device information of the IoT device;
    the first access key receiving module is configured to receive the first access key, first cloud authentication information and a third random number, which the device cloud platform sends after it has verified the first device authentication information against second device authentication information; the second device authentication information is generated by the device cloud platform encrypting the second random number with the device key; the first cloud authentication information is generated by the device cloud platform encrypting the second random number and the third random number with the device key; and the third random number is generated by the device cloud platform;
    the apparatus further comprises:
    a first cloud authentication information providing module, configured to provide the first cloud authentication information and the third random number to the IoT device before the authentication request receiving module receives the access authentication request sent by the IoT device;
    the authentication request receiving module is configured to receive the access authentication request, which the IoT device sends after it has verified the first cloud authentication information against second cloud authentication information, the second cloud authentication information being generated by the IoT device encrypting the second random number and the third random number with the device key.
  26. The apparatus of claim 24, wherein:
    the first access key receiving module is configured to receive the first access key, third cloud authentication information, third device authentication information and a third random number sent by the device cloud platform; the third cloud authentication information is generated by the device cloud platform encrypting the second random number with the device key; the third device authentication information is generated by the device cloud platform by encrypting the third random number; and the third random number is generated by the device cloud platform;
    the apparatus further comprises:
    an authentication information and random number providing module, configured to provide the third cloud authentication information and the third random number to the IoT device before the authentication request receiving module receives the access authentication request sent by the IoT device;
    the authentication request receiving module is configured to receive the access authentication request, which the IoT device sends after it has verified the third cloud authentication information against fourth cloud authentication information, the fourth cloud authentication information being generated by the IoT device encrypting the second random number with the device key; the access authentication request further includes fourth device authentication information, generated by the IoT device encrypting the third random number with the device key;
    the access authentication module is configured to, after verifying the fourth device authentication information against the third device authentication information, perform access authentication of the IoT device according to the first access key and the second access key.
  27. The apparatus of any one of claims 23 to 26, wherein the access authentication module is configured to perform data connection establishment authentication with the IoT device in the TLS/DTLS pre-shared key (PSK) mode, according to the first access key and the second access key.
  28. The apparatus of any one of claims 23 to 26, wherein the apparatus further comprises:
    a device registration code generating module, configured to generate a device registration code before the authentication request receiving module receives the access authentication request sent by the IoT device;
    a device registration code providing module, configured to provide the device registration code to the IoT device;
    the authentication request receiving module is configured to receive the access authentication request carrying the device registration code;
    the access authentication module is configured to:
    establish a secure data connection with the IoT device in the TLS/DTLS pre-shared key (PSK) mode, according to the device registration code carried in the access authentication request; and
    perform one-way or two-way challenge authentication according to the first access key and the second access key.
  29. The apparatus of any one of claims 23 to 26, wherein the access authentication module is configured to:
    establish a secure data connection with the IoT device in the TLS/DTLS anonymous mode; and
    perform one-way or two-way challenge authentication according to the first access key and the second access key.
  30. The apparatus of any one of claims 23 to 26, wherein the apparatus further comprises:
    an access authentication identifier generating module, configured to generate an access authentication identifier for the IoT device before the authentication request receiving module receives the access authentication request sent by the IoT device;
    an association establishing module, configured to establish an association between the access authentication identifier and the first access key;
    an access authentication identifier providing module, configured to provide the access authentication identifier to the IoT device;
    the authentication request receiving module is configured to receive the access authentication request carrying the access authentication identifier;
    the access authentication module is configured to:
    look up the association using the access authentication identifier carried in the access authentication request, to obtain the first access key; and
    perform access authentication of the IoT device according to the first access key obtained by the lookup and the second access key.
  31. An IoT device access authentication apparatus, wherein the apparatus is used in an IoT device and comprises:
    a device information providing module, configured to provide device information of the IoT device to an access cloud platform;
    a first random number obtaining module, configured to obtain a first random number provided by the access cloud platform, the first random number being generated by the access cloud platform and provided after the access cloud platform has obtained a first access key generated by the device cloud platform of the IoT device from a device key and the first random number, the device key being provisioned in both the IoT device and the device cloud platform;
    a second access key generating module, configured to generate a second access key from the device key and the first random number;
    an authentication request sending module, configured to send to the access cloud platform an access authentication request including the second access key, the access authentication request requesting the access cloud platform to perform access authentication of the IoT device according to the first access key and the second access key.
  32. The apparatus of claim 31, wherein the apparatus further comprises:
    a second random number generating module, configured to generate a second random number before the first random number obtaining module obtains the first random number provided by the access cloud platform;
    a second random number providing module, configured to provide the second random number to the access cloud platform;
    the second access key generating module is configured to generate the second access key by encrypting the first random number and the second random number with the device key.
  33. The apparatus of claim 32, wherein the apparatus further comprises:
    a first device authentication information generating module, configured to obtain the first random number provided by the access cloud platform and to encrypt the second random number with the device key to generate first device authentication information;
    a first device authentication information providing module, configured to provide the first device authentication information to the access cloud platform;
    a first cloud authentication information and third random number obtaining module, configured to obtain first cloud authentication information and a third random number provided by the access cloud platform before the second access key generating module generates the second access key from the device key and the first random number; the third random number is generated by the device cloud platform; the first cloud authentication information is generated by the device cloud platform, after it has verified the first device authentication information against second device authentication information, by encrypting the second random number and the third random number with the device key; and the second device authentication information is generated by the device cloud platform encrypting the second random number with the device key;
    the second access key generating module is configured to:
    encrypt the second random number and the third random number with the device key to generate second cloud authentication information; and
    after verifying the first cloud authentication information against the second cloud authentication information, generate the second access key from the device key and the first random number.
  34. The apparatus of claim 32, wherein the apparatus further comprises:
    an authentication information and random number obtaining module, configured to obtain third cloud authentication information and a third random number provided by the access cloud platform before the second access key generating module generates the second access key from the device key and the first random number; the third cloud authentication information is generated by the device cloud platform encrypting the second random number with the device key; and the third random number is generated by the device cloud platform;
    the second access key generating module is configured to:
    encrypt the second random number with the device key to generate fourth cloud authentication information; and
    after verifying the third cloud authentication information against the fourth cloud authentication information, generate the second access key from the device key and the first random number;
    the apparatus further comprises:
    a fourth device authentication information generating module, configured to encrypt the third random number with the device key to generate fourth device authentication information;
    the authentication request sending module is configured to send to the access cloud platform the access authentication request including the second access key and the fourth device authentication information.
  35. The apparatus of any one of claims 31 to 34, wherein the apparatus further comprises:
    a device registration code obtaining module, configured to obtain a device registration code provided by the access cloud platform before the authentication request sending module sends the access authentication request including the second access key to the access cloud platform;
    the authentication request sending module is configured to send to the access cloud platform the access authentication request including the second access key and the device registration code.
  36. The apparatus of any one of claims 31 to 34, wherein the apparatus further comprises:
    an access authentication identifier obtaining module, configured to obtain an access authentication identifier of the IoT device provided by the access cloud platform before the authentication request sending module sends the access authentication request including the second access key to the access cloud platform;
    the authentication request sending module is configured to send to the access cloud platform the access authentication request including the second access key and the access authentication identifier.
  37. An IoT device access authentication apparatus, wherein the apparatus is used in an access cloud platform and comprises:
    a device information obtaining module, configured to obtain device information of an IoT device;
    a random number and key generating module, configured to generate a first random number and a first access key;
    a first random number sending module, configured to send the first random number to the device cloud platform corresponding to the IoT device according to the device information of the IoT device;
    a first encryption key receiving module, configured to receive a first encryption key generated by the device cloud platform encrypting the first random number with the device key;
    an encrypted ciphertext obtaining module, configured to encrypt the first access key with the first encryption key to obtain an encrypted ciphertext;
    a ciphertext and random number providing module, configured to provide the encrypted ciphertext and the first random number to the IoT device;
    an authentication request receiving module, configured to receive an access authentication request sent by the IoT device, the access authentication request including a second access key generated by the IoT device from the device key, the encrypted ciphertext and the first random number;
    an access authentication module, configured to perform access authentication of the IoT device according to the first access key and the second access key.
  38. The apparatus of claim 37, wherein the access authentication module is configured to perform data connection establishment authentication with the IoT device in the TLS/DTLS pre-shared key (PSK) mode, according to the first access key and the second access key.
  39. The apparatus of claim 37, wherein the apparatus further comprises:
    a device registration code generating module, configured to generate a device registration code before the authentication request receiving module receives the access authentication request sent by the IoT device;
    a device registration code providing module, configured to provide the device registration code to the IoT device;
    the authentication request receiving module is configured to receive the access authentication request carrying the device registration code;
    the access authentication module is configured to:
    establish a secure data connection with the IoT device in the TLS/DTLS pre-shared key (PSK) mode, according to the device registration code carried in the access authentication request; and
    perform one-way or two-way challenge authentication according to the first access key and the second access key.
  40. The apparatus of claim 37, wherein the access authentication module is configured to:
    establish a secure data connection with the IoT device in the TLS/DTLS anonymous mode; and
    perform one-way or two-way challenge authentication according to the first access key and the second access key.
  41. The apparatus of claim 37, wherein the apparatus further comprises:
    an access authentication identifier generating module, configured to generate an access authentication identifier for the IoT device before the authentication request receiving module receives the access authentication request sent by the IoT device;
    an association establishing module, configured to establish an association between the access authentication identifier and the first access key;
    an access authentication identifier providing module, configured to provide the access authentication identifier to the IoT device;
    the authentication request receiving module is configured to receive the access authentication request carrying the access authentication identifier;
    the access authentication module is configured to:
    look up the association using the access authentication identifier carried in the access authentication request, to obtain the first access key; and
    perform access authentication of the IoT device according to the first access key obtained by the lookup and the second access key.
  42. An IoT device access authentication apparatus, wherein the apparatus is used in an IoT device and comprises:
    a device information providing module, configured to provide device information of the IoT device to an access cloud platform;
    a ciphertext and random number obtaining module, configured to obtain an encrypted ciphertext provided by the access cloud platform and a first random number generated by the access cloud platform; the encrypted ciphertext is obtained by the access cloud platform encrypting a first access key with a first encryption key; the first encryption key is generated by the device cloud platform of the IoT device encrypting the first random number with a device key; and the device key is provisioned in both the IoT device and the device cloud platform;
    a second encryption key generating module, configured to encrypt the first random number with the device key to generate a second encryption key;
    a second access key obtaining module, configured to decrypt the encrypted ciphertext with the second encryption key to obtain a second access key;
    an authentication request sending module, configured to send to the access cloud platform an access authentication request including the second access key, the access authentication request requesting the access cloud platform to perform access authentication of the IoT device according to the first access key and the second access key.
  43. The apparatus of claim 42, wherein the apparatus further comprises:
    a device registration code obtaining module, configured to obtain a device registration code provided by the access cloud platform before the authentication request sending module sends the access authentication request including the second access key to the access cloud platform;
    the authentication request sending module is configured to send to the access cloud platform the access authentication request including the second access key and the device registration code.
  44. The apparatus of claim 42, wherein the apparatus further comprises:
    an access authentication identifier obtaining module, configured to obtain an access authentication identifier of the IoT device provided by the access cloud platform before the authentication request sending module sends the access authentication request including the second access key to the access cloud platform;
    the authentication request sending module is configured to send to the access cloud platform the access authentication request including the second access key and the access authentication identifier.
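The two message flows claimed above (the derived-key flow of claims 23 to 36, where the device cloud platform derives the first access key from the device key and the random numbers, and the wrapped-key flow of claims 37 to 44, where the access cloud platform generates the first access key and wraps it under an encryption key derived by the device cloud platform) can be modelled end to end with three parties. The block below is an added example, not code from the patent or from the applicant. It assumes HMAC-SHA256 as the stand-in for "encrypting with the device key", a toy XOR-against-keystream cipher for wrapping the first access key, and a one-way challenge response computed with the second access key (the challenge authentication of claims 28/29 and 39/40) in place of carrying the raw key in the access authentication request; every device key, identifier and random number is constructed for the demonstration.

```python
"""Model of the two access-authentication flows in the claims above (added
example, not code from the patent or the applicant).  Assumptions: "encrypt X
with the device key" is modelled as HMAC-SHA256(device_key, X); the cipher that
wraps the first access key (claims 37 to 44) is a toy XOR against an HMAC-derived
keystream; the request carries a challenge response made with the second access
key (one-way challenge authentication, claims 28/29 and 39/40) rather than the
raw key.  Keys, identifiers and random numbers are all constructed here."""
import hashlib
import hmac
import secrets

def kdf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for 'encrypt with the device key': a keyed PRF over the parts."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def wrap(enc_key: bytes, data32: bytes) -> bytes:
    """Toy wrap of a 32-byte key: XOR with a 32-byte HMAC keystream (self-inverse)."""
    return bytes(a ^ b for a, b in zip(data32, kdf(enc_key, b"wrap")))

class DeviceCloud:
    """Holds the device key provisioned in each IoT device at manufacture."""
    def __init__(self, keys):
        self.keys = keys
    def issue_access_key(self, dev_id, r1, r2, a1):
        """Claim 25: check the device proof over R2; return K1, cloud proof C1, R3."""
        k = self.keys[dev_id]
        if not hmac.compare_digest(a1, kdf(k, r2)):
            raise PermissionError("first device authentication info mismatch")
        r3 = secrets.token_bytes(16)
        return kdf(k, r1, r2), kdf(k, r2, r3), r3
    def encryption_key(self, dev_id, r1):
        """Claim 37: first encryption key E1 = Enc_K(R1)."""
        return kdf(self.keys[dev_id], r1)

class AccessCloud:
    def __init__(self, device_cloud):
        self.device_cloud = device_cloud
        self.registry = {}  # access authentication identifier -> K1 (claim 30)
    def onboard_derived(self, dev_id, r2, a1):
        """Claims 23 to 25: send R1 (with R2, A1) to the device cloud, store K1."""
        r1 = secrets.token_bytes(16)
        k1, c1, r3 = self.device_cloud.issue_access_key(dev_id, r1, r2, a1)
        auth_id = secrets.token_hex(8)
        self.registry[auth_id] = k1
        return auth_id, r1, c1, r3
    def onboard_wrapped(self, dev_id):
        """Claim 37: generate K1 here and wrap it under E1 from the device cloud."""
        r1, k1 = secrets.token_bytes(16), secrets.token_bytes(32)
        e1 = self.device_cloud.encryption_key(dev_id, r1)
        auth_id = secrets.token_hex(8)
        self.registry[auth_id] = k1
        return auth_id, r1, wrap(e1, k1)
    def authenticate(self, auth_id, challenge, response):
        """Claims 29/30: look K1 up by identifier and verify the device response."""
        k1 = self.registry.get(auth_id)
        return k1 is not None and hmac.compare_digest(response, kdf(k1, challenge))

class IoTDevice:
    def __init__(self, dev_id, device_key):
        self.dev_id, self.key = dev_id, device_key
    def derive_access_key(self, r1, r2, c1, r3):
        """Claim 33: verify the cloud proof over (R2, R3), then K2 = Enc_K(R1, R2)."""
        if not hmac.compare_digest(c1, kdf(self.key, r2, r3)):
            raise PermissionError("first cloud authentication info mismatch")
        return kdf(self.key, r1, r2)
    def unwrap_access_key(self, r1, ciphertext):
        """Claim 42: E2 = Enc_K(R1); K2 = unwrap(E2, ciphertext)."""
        return wrap(kdf(self.key, r1), ciphertext)

def run_derived_flow(device, cloud):
    r2 = secrets.token_bytes(16)          # claim 32: device-side random number
    a1 = kdf(device.key, r2)              # claim 33: first device authentication info
    auth_id, r1, c1, r3 = cloud.onboard_derived(device.dev_id, r2, a1)
    k2 = device.derive_access_key(r1, r2, c1, r3)
    challenge = secrets.token_bytes(16)   # one-way challenge from the access cloud
    return cloud.authenticate(auth_id, challenge, kdf(k2, challenge))

def run_wrapped_flow(device, cloud):
    auth_id, r1, ct = cloud.onboard_wrapped(device.dev_id)
    k2 = device.unwrap_access_key(r1, ct)
    challenge = secrets.token_bytes(16)
    return cloud.authenticate(auth_id, challenge, kdf(k2, challenge))

def demo():
    """A genuine device passes both flows; one with the wrong device key fails both."""
    key = secrets.token_bytes(32)
    cloud = AccessCloud(DeviceCloud({"dev-001": key}))
    genuine = IoTDevice("dev-001", key)
    impostor = IoTDevice("dev-001", secrets.token_bytes(32))
    out = {"derived_ok": run_derived_flow(genuine, cloud),
           "wrapped_ok": run_wrapped_flow(genuine, cloud),
           "wrapped_impostor": run_wrapped_flow(impostor, cloud)}
    try:
        out["derived_impostor"] = run_derived_flow(impostor, cloud)
    except PermissionError:               # the device cloud rejects the bad proof
        out["derived_impostor"] = False
    return out
```

The two flows differ in where the access key originates: in the derived flow the device cloud platform, which alone holds the device key, computes it and the access cloud platform only relays random numbers, while in the wrapped flow the access cloud platform chooses the key and the device cloud platform only supplies the wrapping key. In both, a device that lacks the provisioned device key cannot produce a matching second access key, and the access cloud platform never needs the device key itself. The challenge response is used here because comparing the two access keys requires the device to prove possession of the second key over whatever channel claims 27 to 29 establish; which mode (PSK or anonymous TLS/DTLS followed by challenge authentication) is used is outside this model.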
  45. An access cloud platform device, wherein the access cloud platform device comprises a processor and a transceiver connected to the processor, wherein:
    the processor is configured to obtain device information of an IoT device and to generate a first random number;
    the transceiver is configured to send the first random number to the device cloud platform according to the device information of the IoT device, and to receive a first access key generated by the device cloud platform from a device key and the first random number, the device key being provisioned in both the IoT device and the device cloud platform;
    the processor is configured to provide the first random number to the IoT device;
    the transceiver is configured to receive an access authentication request sent by the IoT device, the access authentication request including a second access key generated by the IoT device from the device key and the first random number;
    the processor is configured to perform access authentication of the IoT device according to the first access key and the second access key.
  46. An IoT device, wherein the IoT device comprises a processor and a transceiver connected to the processor, wherein:
    the processor is configured to provide device information of the IoT device to an access cloud platform and to obtain a first random number provided by the access cloud platform, the first random number being generated by the access cloud platform and provided after the access cloud platform has obtained a first access key generated by the device cloud platform of the IoT device from a device key and the first random number, the device key being provisioned in both the IoT device and the device cloud platform;
    the processor is configured to generate a second access key from the device key and the first random number;
    the transceiver is configured to send to the access cloud platform an access authentication request including the second access key, the access authentication request requesting the access cloud platform to perform access authentication of the IoT device according to the first access key and the second access key.
  47. An access cloud platform device, wherein the access cloud platform device comprises a processor and a transceiver connected to the processor, wherein:
    the processor is configured to obtain device information of an IoT device and to generate a first random number and a first access key;
    the transceiver is configured to send the first random number to the device cloud platform corresponding to the IoT device according to the device information of the IoT device, and to receive a first encryption key generated by the device cloud platform encrypting the first random number with the device key;
    the processor is configured to encrypt the first access key with the first encryption key to obtain an encrypted ciphertext, and to provide the encrypted ciphertext and the first random number to the IoT device;
    the transceiver is configured to receive an access authentication request sent by the IoT device, the access authentication request including a second access key generated by the IoT device from the device key, the encrypted ciphertext and the first random number;
    the processor is configured to perform access authentication of the IoT device according to the first access key and the second access key.
  48. An IoT device, wherein the IoT device comprises a processor and a transceiver connected to the processor, wherein:
    the processor is configured to provide device information of the IoT device to an access cloud platform, and to obtain an encrypted ciphertext provided by the access cloud platform and a first random number generated by the access cloud platform; the encrypted ciphertext is obtained by the access cloud platform encrypting a first access key with a first encryption key; the first encryption key is generated by the device cloud platform of the IoT device encrypting the first random number with a device key; and the device key is provisioned in both the IoT device and the device cloud platform;
    the processor is configured to encrypt the first random number with the device key to generate a second encryption key, and to decrypt the encrypted ciphertext with the second encryption key to obtain a second access key;
    the transceiver is configured to send to the access cloud platform an access authentication request including the second access key, the access authentication request requesting the access cloud platform to perform access authentication of the IoT device according to the first access key and the second access key.
  49. 一种计算机可读存储介质,其特征在于,所述可读存储介质中存储有计算机程序,所述计算机程序由处理器加载并执行以实现如权利要求1至22任一所述的物联网设备接入认证方法。A computer-readable storage medium, characterized in that a computer program is stored in the readable storage medium, and the computer program is loaded and executed by a processor to implement the Internet of Things device according to any one of claims 1 to 22 Access authentication method.
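The three-party exchange of claims 47 and 48 (access cloud platform, device cloud platform, IoT device), as an added simulation that is not part of the patent: the claims fix no algorithm, so HMAC-SHA256 is assumed as the keyed function standing in for "encrypting the first random number with the device key", a one-time XOR pad stands in for "encrypting the first access key with the first encryption key", and the three parties are in-memory Python objects. The device id "dev-001" and the device key are constructed sample values. The access cloud platform keeps one pending session per device and discards it on the first authentication attempt, so a captured request cannot be replayed.

```python
# Added example: simulation of the access-authentication flow in claims 47-48.
# HMAC-SHA256 stands in for "encrypt the random number with the device key"
# and a one-time XOR pad stands in for "encrypt the access key with the first
# encryption key"; both are assumptions, the claims name no algorithm.
import hashlib
import hmac
import os


def derive_key(device_key: bytes, first_random: bytes) -> bytes:
    """Keyed PRF standing in for encrypting first_random under device_key.

    The device cloud platform and the IoT device both run this with the same
    provisioned device key, so they obtain the same 32-byte encryption key.
    """
    return hmac.new(device_key, first_random, hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """One-time XOR pad; safe only because the pad is fresh for every session."""
    if len(a) != len(b):
        raise ValueError("pad length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


class DeviceCloudPlatform:
    """Holds the provisioned device keys; never sees the access key."""

    def __init__(self) -> None:
        self._device_keys: dict[str, bytes] = {}

    def provision(self, device_id: str, device_key: bytes) -> None:
        self._device_keys[device_id] = device_key

    def first_encryption_key(self, device_id: str, first_random: bytes) -> bytes:
        # Claim 47: first encryption key = device key applied to the random
        # number received from the access cloud platform.
        return derive_key(self._device_keys[device_id], first_random)


class AccessCloudPlatform:
    """Issues the access key; never sees the device key."""

    def __init__(self, device_cloud: DeviceCloudPlatform) -> None:
        self._device_cloud = device_cloud
        # One pending first access key per device, consumed on first auth attempt.
        self._pending: dict[str, bytes] = {}

    def start_access(self, device_id: str) -> tuple[bytes, bytes]:
        first_random = os.urandom(32)
        first_access_key = os.urandom(32)
        k1 = self._device_cloud.first_encryption_key(device_id, first_random)
        ciphertext = xor_bytes(first_access_key, k1)
        self._pending[device_id] = first_access_key
        # Provided to the device: the ciphertext and the random number only.
        return ciphertext, first_random

    def authenticate(self, device_id: str, second_access_key: bytes) -> bool:
        first_access_key = self._pending.pop(device_id, None)
        if first_access_key is None:
            return False  # no pending session, or already consumed (replay)
        return hmac.compare_digest(first_access_key, second_access_key)


class IoTDevice:
    """Holds only the device key provisioned at manufacture."""

    def __init__(self, device_id: str, device_key: bytes) -> None:
        self.device_id = device_id
        self._device_key = device_key

    def second_access_key(self, ciphertext: bytes, first_random: bytes) -> bytes:
        # Claim 48: second encryption key from the same device key and random
        # number, then decrypt the ciphertext to recover the access key.
        k2 = derive_key(self._device_key, first_random)
        return xor_bytes(ciphertext, k2)


def run_access_authentication(device: IoTDevice, access_cloud: AccessCloudPlatform) -> bool:
    """Full exchange: device info -> (ciphertext, random) -> authentication request."""
    ciphertext, first_random = access_cloud.start_access(device.device_id)
    ak2 = device.second_access_key(ciphertext, first_random)
    return access_cloud.authenticate(device.device_id, ak2)


if __name__ == "__main__":
    # Constructed sample: one device provisioned in the device cloud platform.
    sample_device_key = bytes(range(32))
    device_cloud = DeviceCloudPlatform()
    device_cloud.provision("dev-001", sample_device_key)
    access_cloud = AccessCloudPlatform(device_cloud)
    print(run_access_authentication(IoTDevice("dev-001", sample_device_key), access_cloud))
```

Two caveats a deployment has to settle that the claims leave open. First, the second access key travels inside the authentication request, so that request must go over an authenticated, encrypted channel (TLS to the access cloud platform) or the device should send a proof of possession such as an HMAC over a server challenge instead of the key itself. Second, the XOR pad is only safe because the access cloud platform draws a fresh random number for every session and the device cloud platform never reuses a derived key; a production implementation would use an AEAD (for instance AES-GCM) for the access-key ciphertext and bind the random number to the device identity so a key derived for one device cannot be presented for another.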
PCT/CN2020/134087 2020-12-04 2020-12-04 Internet of things device access authentication method and apparatus, device, and storage medium WO2022116209A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2020/134087 WO2022116209A1 (en) 2020-12-04 2020-12-04 Internet of things device access authentication method and apparatus, device, and storage medium
CN202080106961.4A CN116420338A (en) 2020-12-04 2020-12-04 Internet of things equipment access authentication method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2022116209A1 true WO2022116209A1 (en) 2022-06-09

Family

ID=81852872

Country Status (2)

Country Link
CN (1) CN116420338A (en)
WO (1) WO2022116209A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116668203B (en) * 2023-08-02 2023-10-20 浙江大华技术股份有限公司 Device authentication method, internet of things device, authentication platform and readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106603234A (en) * 2015-10-14 2017-04-26 阿里巴巴集团控股有限公司 Method, device and system for device identity authentication
CN109167778A (en) * 2018-08-28 2019-01-08 南京邮电大学 Terminal device is without identity common authentication method in Internet of Things
US20190156019A1 (en) * 2017-11-22 2019-05-23 Aeris Communications, Inc. Secure authentication of devices for internet of things
CN110324287A (en) * 2018-03-31 2019-10-11 华为技术有限公司 Access authentication method, device and server
CN110636062A (en) * 2019-09-20 2019-12-31 百度在线网络技术(北京)有限公司 Method and device for controlling secure interaction of equipment, electronic equipment and storage medium
CN110995432A (en) * 2020-03-05 2020-04-10 杭州字节物联安全技术有限公司 Internet of things sensing node authentication method based on edge gateway
CN112019358A (en) * 2019-05-28 2020-12-01 阿里巴巴集团控股有限公司 Network configuration method, device, equipment and system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
GONG CHUN-YAN, ZHU JIAN-YONG: "Study on authentication protocol and key agreement algorithm for IoT of industrial control", INTERNET OF THINGS TECHNOLOGIES, no. 3, 15 March 2013 (2013-03-15), pages 42 - 44, XP055937513, ISSN: 2095-1302, DOI: 10.16667/j.issn.2095-1302.2013.03.020 *
RONG XING, JIANG RONG, TIAN LIYE: "A Group Access Authentication Protocol for Things of Internet", COMPUTER ENGINEERING, vol. 41, no. 3, 15 March 2015 (2015-03-15), CN , pages 15 - 20, XP055937516, ISSN: 1000-3428, DOI: 10.3969/j.issn.1000-3428.2015.03.003 *
SAFKHANI MASOUMEH; BAGHERI NASOUR; KUMARI SARU; TAVAKOLI HAMIDREZA; KUMAR SACHIN; CHEN JIAHUI: "RESEAP: An ECC-Based Authentication and Key Agreement Scheme for IoT Applications", IEEE ACCESS, vol. 8, 28 October 2020 (2020-10-28), USA , pages 200851 - 200862, XP011820067, DOI: 10.1109/ACCESS.2020.3034447 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024128649A1 (en) * 2022-12-14 2024-06-20 삼성전자 주식회사 Electronic device for performing authentication and operation method thereof
WO2024139603A1 (en) * 2022-12-27 2024-07-04 中国银联股份有限公司 Bidirectional authentication method and system based on internet of things
CN115967735A (en) * 2022-12-30 2023-04-14 广东百德朗科技有限公司 Equipment management method and system based on Internet of things platform
CN115967735B (en) * 2022-12-30 2023-10-24 广东百德朗科技有限公司 Equipment management method and system based on Internet of things platform
CN118250103A (en) * 2024-05-29 2024-06-25 杭州政云数据技术有限公司 User authorization method, device, equipment and medium

Also Published As

Publication number Publication date
CN116420338A (en) 2023-07-11

Legal Events

Code Title Description
NENP Non-entry into the national phase (ref country code: DE)
122 Ep: PCT application non-entry in European phase (ref document number: 20964054; country of ref document: EP; kind code of ref document: A1)