WO2022147843A1 - Access authentication method and apparatus - Google Patents


Info

Publication number
WO2022147843A1
Authority
WO
WIPO (PCT)
Prior art keywords
cloud
zigbee
key
distribution network
random number
Application number
PCT/CN2021/071140
Other languages
French (fr)
Chinese (zh)
Inventor
包永明
罗朝明
茹昭
Original Assignee
Oppo广东移动通信有限公司
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/062 Pre-authentication
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for identity verification or message authentication involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04W12/009 Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/71 Hardware identity
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Definitions

  • the embodiments of the present application relate to the field of communications, and in particular, to a method and an apparatus for access authentication.
  • Zigbee (Zigbee Protocol) technology is a wireless communication technology. Zigbee devices based on Zigbee technology can perform access authentication across different platforms.
  • for example, a Zigbee network is constructed by the A platform gateway; the platform cloud corresponding to the A platform gateway is the A platform cloud, and the platform cloud corresponding to the manufacturer of the Zigbee device is the B platform cloud.
  • the present application provides an access authentication method and apparatus, which can realize cross-platform access authentication of Zigbee devices.
  • a first aspect provides an access authentication method, comprising: generating a second random number by a Zigbee device of the Zigbee protocol; generating a second device-side key according to the second random number and a license key, where the license key is a key stored in the Zigbee device and in the device platform cloud of the Zigbee device; and performing the second access authentication of the Zigbee device according to the second device-side key.
  • an access authentication method including: a device platform cloud generating a first cloud key according to a first random number and a license key, wherein the device platform cloud is the cloud server of the manufacturer to which the Zigbee device of the Zigbee protocol belongs, the license key is a key stored in the Zigbee device and in the device platform cloud of the Zigbee device, and the first random number is generated by the device platform cloud or is obtained from the distribution network platform cloud, which is the cloud server corresponding to the distribution network platform gateway supporting the construction of Zigbee networks; and performing the first access authentication of the Zigbee device according to the first cloud key.
  • a method for access authentication including: a distribution network platform gateway receiving a second random number and a first device-side key sent by a Zigbee device of the Zigbee protocol, wherein the distribution network platform gateway supports the construction of a Zigbee network, the first device-side key is generated by the Zigbee device according to the first random number and the license key of the Zigbee device, and the second random number is used by the device platform cloud of the Zigbee device to determine the second cloud key, which is used for the second access authentication of the Zigbee device;
  • the distribution network platform gateway sends a first access authentication request to the distribution network platform cloud, where the first access authentication request includes the second random number, or includes the second random number and the first device-side key; the first device-side key is used for the first access authentication of the Zigbee device by the device platform cloud, and the distribution network platform cloud is the cloud server corresponding to the distribution network platform gateway.
  • an access authentication method including: acquiring device information of a Zigbee device of the Zigbee protocol, wherein the device information of the Zigbee device includes the device protocol type of the Zigbee device, the device address identifier of the Zigbee device and the manufacturer identifier of the Zigbee device; determining the network distribution platform gateway according to the device protocol type to which the Zigbee device belongs, wherein the distribution network platform gateway supports building a Zigbee network; device information of the Zigbee device.
  • an access authentication apparatus configured to execute the method in the above-mentioned first aspect or each implementation manner thereof.
  • the apparatus includes functional modules for executing the methods in the above-mentioned first aspect or each implementation manner thereof.
  • an access authentication apparatus configured to execute the method in the second aspect or each of its implementations.
  • the apparatus includes functional modules for executing the methods in the second aspect or the respective implementation manners thereof.
  • an access authentication apparatus configured to execute the method in the third aspect or each of its implementations.
  • the apparatus includes functional modules for executing the methods in the third aspect or each of its implementations.
  • an access authentication apparatus configured to execute the method in the above-mentioned fourth aspect or each implementation manner thereof.
  • the apparatus includes functional modules for executing the methods in the fourth aspect or the respective implementation manners thereof.
  • an access authentication apparatus including a processor and a memory.
  • the memory is used for storing a computer program
  • the processor is used for calling and running the computer program stored in the memory to execute any one of the implementation manners of the first aspect to the fourth aspect or the method in each implementation manner thereof.
  • a chip for implementing any one of the above-mentioned first to fourth aspects or the method in each implementation manner thereof.
  • the chip includes: a processor for invoking and running a computer program from a memory, so that a device on which the chip is installed executes the method in any one of the above-mentioned first to fourth aspects or each of its implementations.
  • a computer-readable storage medium for storing a computer program, the computer program causing a computer to execute the method in any one of the above-mentioned first to fourth aspects or each of its implementations.
  • a computer program product comprising computer program instructions, the computer program instructions causing a computer to perform the method in any one of the above-mentioned first to fourth aspects or the implementations thereof.
  • a thirteenth aspect provides a computer program that, when run on a computer, causes the computer to perform the method in any one of the above-mentioned first to fourth aspects or the implementations thereof.
  • the device protocol type field is defined in the OLA device format to indicate the protocol type corresponding to the OLA device.
  • when the indicated protocol type is Zigbee, the network distribution platform gateway that supports the Zigbee protocol, the distribution network platform cloud and the device platform cloud corresponding to the Zigbee device perform access authentication for the Zigbee device, thereby enabling cross-platform access authentication.
  • FIG. 1 is a block diagram of a Zigbee device cross-platform access authentication system provided by an exemplary embodiment of the present application.
  • FIG. 2 to FIG. 10 are flowcharts of the access authentication method provided by the exemplary embodiment of the present application.
  • FIG. 11 is a schematic block diagram of an access authentication apparatus provided according to an embodiment of the present application.
  • FIG. 12 is a schematic block diagram of an access authentication apparatus provided according to an embodiment of the present application.
  • FIG. 13 is a schematic block diagram of an access authentication apparatus provided according to an embodiment of the present application.
  • FIG. 14 is a schematic block diagram of an access authentication apparatus provided according to an embodiment of the present application.
  • FIG. 15 is a schematic structural diagram of a computer device provided by an exemplary embodiment of the present application.
  • Zigbee is a low-power local area network protocol based on the Institute of Electrical and Electronics Engineers (IEEE) 802.15.4 standard. According to international standards, ZigBee technology is a short-range, low-power wireless communication technology.
  • IEEE Institute of Electrical and Electronics Engineers
  • two beacon frame formats are specified: one is the conventional beacon frame, and the other is the enhanced beacon (Enhanced Beacon) frame.
  • the enhanced beacon frame differs from the conventional beacon frame in that it carries additional Information Elements (IEs) fields in the variable-length data and fewer Guaranteed Time Slots (GTS) and Pending Address fields.
  • IEs Information Elements
  • GTS Guaranteed Time Slots
  • the information element field is further divided into header information elements (Header IEs) and payload information elements (Payload IEs);
  • in a header information element, when the element ID (Element ID) is 0, the content is filled with manufacturer-defined information, where the data length ranges from 0 to 127 bytes, the first 3 bytes can be the vendor Organizationally Unique Identifier (OUI), and the remaining bytes can be customized according to the needs of the manufacturer.
  • the header information element is filled with the first random number, the device identifier and the manufacturer identifier.
  • the device that supports the Zigbee protocol is a Zigbee device, and the Zigbee device corresponds to a unique installation code (Install Code).
  • the Zigbee gateway needs to obtain the installation code of the Zigbee device, so as to connect the Zigbee device to the Zigbee network created by the Zigbee gateway.
  • the installation code of the Zigbee device is obtained by scanning the QR code of the Zigbee device with a mobile phone or by entering it manually on the mobile phone, and the mobile phone then sends the installation code to the Zigbee gateway, which requires more human interaction.
  • the Zigbee device may be an open link association (Open link Association, OLA) device, and the information of the OLA device may be in a specific format.
  • OLA Open link Association
  • a device protocol type field may be added to the format to indicate the protocol type to which the OLA device belongs, for example, the Zigbee protocol type or other protocol types.
  • FIG. 1 shows a block diagram of a Zigbee device cross-platform access authentication system provided by an exemplary embodiment of the present application.
  • the system may include: Zigbee device 12 , distribution network platform gateway 141 , distribution network platform cloud 142 and device platform cloud 16 .
  • the Zigbee device 12 is a device that supports the Zigbee technology and can access the Zigbee network.
  • the Zigbee device 12 is a smart device (such as VR (Virtual Reality, virtual reality) glasses, a smart wearable device, etc.), a terminal device, or other device with network access capability, which is not limited in this embodiment of the present application.
  • when the Zigbee device cross-platform access authentication system is applied to smart home life, the Zigbee device 12 can be a smart TV, smart speaker, smart air conditioner, smart light, smart doors and windows, smart curtains, smart sockets, or other home equipment.
  • there may be one Zigbee device 12 or multiple Zigbee devices 12, which is not limited in this embodiment of the present application.
  • the number of Zigbee devices 12 can be determined in combination with application requirements, the maximum number of devices that the distribution network platform gateway 141 can manage, and the like.
  • the Zigbee device 12 is configured to access the network by the distribution network platform gateway 141 , and the cloud server corresponding to the distribution network platform gateway 141 is the distribution network platform cloud 142 .
  • the distribution network platform gateway 141 and the distribution network platform cloud 142 are connected through a wired or wireless network.
  • the distribution network platform gateway 141 refers to a device capable of configuring a Zigbee network.
  • the network distribution platform gateway 141 may be a server, a terminal device, a router, a mobile phone, a tablet computer, a wearable device, or any other device capable of configuring network access, which is not limited in this embodiment of the present application; in practical application, the implementation form of the distribution network platform gateway 141 can be determined in combination with the application scenario of the Zigbee device cross-platform access authentication system.
  • the distribution network platform gateway 141 can be implemented as a router, a terminal device, a mobile phone, a tablet computer, a wearable device, and the like.
  • the number of distribution network platform gateways 141 may be one or multiple, which is not limited in this embodiment of the present application. Generally, for the consideration of resource saving and other aspects, the number of distribution network platform gateways 141 is one.
  • the Zigbee device 12 is developed based on the device platform cloud 16 , and the license key Kc of the Zigbee device 12 is stored in the device platform cloud 16 .
  • the distribution network platform cloud 142 sends the information required in the access authentication process of the Zigbee device 12 to the device platform cloud 16, or forwards the information required in the access authentication process of the Zigbee device 12 to the distribution network platform gateway 141.
  • the above-mentioned distribution network platform cloud 142 and device platform cloud 16 are cloud computing resource pools in the field of cloud technology, and multiple types of virtual resources are deployed in the resource pools for external customers to choose and use.
  • the cloud computing resource pool mainly includes computing devices (virtualized machines, including operating systems), storage devices, and network devices. It can be an independent physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, Content Delivery Network (CDN), and big data and artificial intelligence platforms.
  • CDN Content Delivery Network
  • the system may further include a control device 18, and the distribution network platform gateway 141 and the control device 18 are connected through a wired or wireless network.
  • the control device 18 is a device for the user to operate to control the distribution network platform gateway 141 .
  • the user can activate the distribution network platform gateway 141 by using the application program (Application) on the control device 18 .
  • the control device 18 can be implemented as a terminal device, a mobile phone, a tablet computer, a wearable device, and the like.
  • FIG. 2 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application. The method can be applied to the Zigbee device cross-platform access authentication system as shown in FIG. 1 .
  • a Zigbee device is a device that supports the Zigbee technology and can access a Zigbee network.
  • Zigbee devices include various types of household equipment (such as electric lights), industrial assets (such as inspection equipment in hospitals), and the like.
  • the device platform cloud is the cloud server corresponding to Zigbee device development. That is, the device platform cloud is the cloud server corresponding to the manufacturer to which the Zigbee device belongs.
  • the distribution network platform gateway supports the construction of a Zigbee network.
  • the distribution network platform cloud is the cloud server corresponding to the distribution network platform gateway.
  • the access authentication process of the Zigbee device may include a first access authentication process and a second access authentication process, wherein the first access authentication process is the device platform cloud authenticating the Zigbee device, that is, the cloud authenticates the device.
  • the second access authentication process is the Zigbee device authenticating the device platform cloud, that is, the device authenticates the cloud.
  • in the first access authentication process, the Zigbee device can generate the first device-side key according to the first random number and the license key of the Zigbee device, and the device platform cloud can generate the first cloud key according to the first random number and the license key; the first device-side key and the first cloud key can be used for the first access authentication.
  • the first random number may be generated by the device platform cloud, or may also be generated by the distribution network platform cloud, which is not limited in this application.
  • the Zigbee device can generate a second device-side key according to the second random number and the license key, and the device platform cloud can generate a second cloud key according to the second random number and the license key.
  • the second device-side key and the second cloud key can be used for the second access authentication.
  • FIG. 2 shows a schematic interaction diagram of performing the first access authentication first and then performing the second access authentication process.
  • the distribution network platform gateway and the Zigbee device have established a secure connection based on the authenticated trust center link key (Trust Center Link Key, TCLK), wherein TCLK is a key generated based on the installation code (Install Code) and the license key Kc.
  • TCLK Trust Center Link Key
  • TCLK = AES-MMO(Install Code).
  • the method includes at least part of the following:
  • the Zigbee device generates a second random number R2.
  • the Zigbee device generates a first device-side key according to the first random number R1 and the license key of the Zigbee device.
  • the Zigbee device stores the first device-side key in the attribute of the custom cluster.
  • the custom cluster includes at least one attribute (Attribute), which is a data entity that reflects the state or property of the Zigbee device.
  • attribute is used to store the device-side key corresponding to the Zigbee device.
  • the access type of the custom cluster is return after write.
  • the Zigbee device uses a key generation algorithm to process the first random number R1 and the license key Kc to generate the first device-side key Auth1.
  • the key generation algorithm is a symmetric encryption algorithm, and the key generation algorithm includes: an Advanced Encryption Standard (Advanced Encryption Standard, AES)-MMO (Matyas-Meyer-Oseas) hash algorithm.
  • AES Advanced Encryption Standard
  • MMO Matyas-Meyer-Oseas
  • Auth1 = AES-MMO(Kc …)
  • the Zigbee device sends the second random number R2 and the first device-side key Auth1 to the distribution network platform gateway.
  • the distribution network platform gateway sends a first access authentication request to the distribution network platform cloud, where the first access authentication request includes the second random number R2 and the first device-side key Auth1.
  • the first access authentication request may also include a device address identifier of the Zigbee device, and the device address identifier of the Zigbee device is used to identify the medium access control (Medium Access Control, MAC) layer of the Zigbee device.
  • the device address identifier is used to uniquely identify a Zigbee device, and the device address identifier can be a 64-bit address.
  • the device address is identified as an Extended Unique Identifier (EUI).
  • EUI Extended Unique Identifier
  • the first access authentication request may further include a manufacturer identifier, namely a company identifier (Company Identifier, CID), of the Zigbee device, where the manufacturer identifier is used to identify the manufacturer to which the Zigbee device belongs, and the manufacturer identifier may be 3 bytes.
  • CID Company Identifier
  • the distribution network platform cloud determines the device platform cloud corresponding to the Zigbee device according to the manufacturer identifier in the first access authentication request, and further sends a second access authentication request to the device platform cloud, where the second access authentication request includes the second random number R2 and the first device-side key.
  • the second access authentication request may further include a device address identifier of the Zigbee device, where the device address identifier of the Zigbee device is used to identify the MAC address of the Zigbee device.
  • the device address is identified as EUI.
  • the device platform cloud determines the license key Kc of the Zigbee device according to the device address identifier in the second access authentication request, and further generates a first cloud key Auth1' according to the first random number and the license key.
  • the device platform cloud uses a key generation algorithm to process the first random number R1 and the license key Kc to generate the first cloud-end key Auth1'.
  • the key generation algorithm is a symmetric encryption algorithm, and the key generation algorithm includes: an Advanced Encryption Standard (Advanced Encryption Standard, AES)-MMO (Matyas-Meyer-Oseas) hash algorithm.
  • Auth1' = AES-MMO(Kc …)
  • the device platform cloud performs the first access authentication according to the first cloud key Auth1' and the first device-side key Auth1 in the second access authentication request.
  • if the first cloud key Auth1' is inconsistent with the first device-side key Auth1, the authentication fails.
  • a second cloud key Auth2' is generated according to the second random number R2 and the license key.
  • the device platform cloud sends the second cloud key Auth2' and the authentication result of the second access authentication to the distribution network platform cloud.
  • the distribution network platform cloud sends the second cloud key Auth2' and the authentication result of the second access authentication to the distribution network platform gateway.
  • in the case that the authentication fails, the distribution network platform gateway adds the Zigbee device to the device blacklist.
  • the device blacklist is used to record the devices that fail to configure the network.
  • the Zigbee devices in the device blacklist are removed from the Zigbee network constructed by the distribution network platform gateway.
  • after the authentication fails, the distribution network platform gateway removes the Zigbee device from the Zigbee network.
  • the distribution network platform gateway sends the second cloud key Auth2' to the Zigbee device.
  • the distribution network platform gateway sends a write request to the custom cluster of the Zigbee device, and the write request carries the second cloud key Auth2'.
  • after obtaining the second cloud key Auth2', the Zigbee device generates a second device-side key Auth2 according to the second random number R2 and the license key Kc.
  • the Zigbee device stores the second device-side key in the attribute of the custom cluster.
  • the custom cluster includes at least one attribute (Attribute), and the attribute is a data entity that reflects the state or property of the Zigbee device.
  • the attribute is used to store the device-side key corresponding to the Zigbee device.
  • the access type of the custom cluster is return after write.
  • S212: perform the second access authentication according to the second device-side key Auth2 and the second cloud key Auth2'.
  • S213: send the authentication result of the second access authentication to the network distribution platform gateway.
  • S213 is executed.
  • first indication information is sent to the distribution network platform gateway, which is used to instruct the Zigbee device to leave the Zigbee network.
  • the distribution network platform gateway adds the Zigbee device to the device blacklist in the case that the authentication fails.
  • the distribution network platform gateway and the Zigbee device establish a normal connection, and the updated TCLK is used to encrypt application support sublayer (Application Support Sublayer, APS) data transmission.
  • application support layer Application Support Sublayer, APS
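  • The FIG. 2 exchange above and the Auth1/Auth2 derivation, as an added Go example that is not part of the patent: it implements the Zigbee AES-MMO hash the page names, derives Auth1/Auth2 from Kc and R1/R2, and runs the cloud-authenticates-device then device-authenticates-cloud sequence with the blacklist-on-failure branches. The page cuts the formula off after "AES-MMO(Kc", so hashing Kc||R in that order is this example's assumption; the EUI-64, the keys and the tamperAuth2 switch are constructed for illustration, and the install-code value is Zigbee's published install-code example.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// aesMMO is the Zigbee block-cipher hash (Matyas-Meyer-Oseas over AES-128):
// H0 = 0^128, Hi = AES_{H(i-1)}(Mi) XOR Mi, output Hn. Only the short-message
// padding (under 2^16 bits) is implemented: enough for Kc||R and install codes.
func aesMMO(msg []byte) [16]byte {
	bitLen := len(msg) * 8
	if bitLen >= 1<<16 {
		panic("aesMMO: long-message padding not implemented")
	}
	// Padding: 0x80, zero bytes up to 14 bytes into a block, then 16-bit BE bit length.
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%16 != 14 {
		padded = append(padded, 0x00)
	}
	padded = append(padded, byte(bitLen>>8), byte(bitLen))
	var h [16]byte
	for i := 0; i < len(padded); i += 16 {
		c, err := aes.NewCipher(h[:]) // the running hash value is the AES key
		if err != nil {
			panic(err)
		}
		var out [16]byte
		c.Encrypt(out[:], padded[i:i+16])
		for j := range h {
			h[j] = out[j] ^ padded[i+j]
		}
	}
	return h
}

// authKey derives Auth1/Auth2 from the license key Kc and a random number R.
// The page prints "AES-MMO(Kc" with the rest cut off; hashing Kc||R in that
// order is an assumption of this example.
func authKey(kc, r [16]byte) [16]byte { return aesMMO(append(kc[:], r[:]...)) }

func randomBlock() [16]byte {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return b
}

// Parties of FIG. 1, reduced to the state that matters for the key checks.
type deviceCloud struct{ keys map[string][16]byte } // device address (EUI-64) -> Kc
type zigbeeDevice struct {
	eui string
	kc  [16]byte
}
type gateway struct{ blacklist map[string]bool }

// runFig2 follows the FIG. 2 order: the device platform cloud authenticates the
// device (Auth1 vs Auth1'), then the device authenticates the cloud (Auth2 vs Auth2').
// Transport via the distribution network gateway and cloud is collapsed into local
// calls; tamperAuth2 models an intermediary substituting Auth2' on the way down.
func runFig2(dev *zigbeeDevice, cloud *deviceCloud, gw *gateway, r1 [16]byte, tamperAuth2 bool) (first, second bool) {
	r2 := randomBlock()              // device generates R2
	auth1 := authKey(dev.kc, r1)     // device: Auth1 from R1 and Kc, sent together with R2
	kc, known := cloud.keys[dev.eui] // cloud: Kc looked up by device address identifier
	auth1Prime := authKey(kc, r1)
	if !known || subtle.ConstantTimeCompare(auth1[:], auth1Prime[:]) != 1 {
		gw.blacklist[dev.eui] = true // first auth failed: gateway removes the device
		return false, false
	}
	auth2Prime := authKey(kc, r2) // cloud: Auth2', written into the device's custom cluster
	if tamperAuth2 {
		auth2Prime = randomBlock()
	}
	auth2 := authKey(dev.kc, r2) // device: Auth2, compared with the delivered Auth2'
	if subtle.ConstantTimeCompare(auth2[:], auth2Prime[:]) != 1 {
		gw.blacklist[dev.eui] = true // device signals leave; gateway blacklists it
		return true, false
	}
	return true, true
}

// scenario registers one device (constructed EUI-64) at its manufacturer's cloud with
// kcCloud while the device holds kcDevice. Returns (first, second, blacklisted).
func scenario(kcDevice, kcCloud [16]byte, tamperAuth2 bool) (bool, bool, bool) {
	const eui = "00:12:4B:00:01:02:03:04"
	cloud := &deviceCloud{keys: map[string][16]byte{eui: kcCloud}}
	dev := &zigbeeDevice{eui: eui, kc: kcDevice}
	gw := &gateway{blacklist: map[string]bool{}}
	first, second := runFig2(dev, cloud, gw, randomBlock(), tamperAuth2) // R1 from the cloud side
	return first, second, gw.blacklist[eui]
}

func main() {
	var kc, other [16]byte // constructed keys, not from the page
	copy(kc[:], "constructed-Kc!!")
	copy(other[:], "another-Kc-value")
	fmt.Println(scenario(kc, kc, false))    // true true false: genuine device
	fmt.Println(scenario(other, kc, false)) // false false true: wrong Kc, blacklisted
	fmt.Println(scenario(kc, kc, true))     // true false true: forged Auth2', device leaves
	code, _ := hex.DecodeString("83FED3407A939723A5C639B26916D505C3B5") // Zigbee install-code example
	fmt.Printf("TCLK = AES-MMO(Install Code) = %X\n", aesMMO(code))
}
```

The third scenario is the one the second access authentication exists for: a party that does not hold Kc cannot produce an Auth2' the device accepts, so the device leaves the network instead of trusting the gateway's write.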
  • FIG. 3 shows a schematic interaction diagram of performing the second access authentication first and then performing the first access authentication process.
  • the network distribution platform gateway and the Zigbee device have established a secure connection based on TCLK, where TCLK is a key generated based on the first random number and the license key.
  • the method includes at least part of the following:
  • the Zigbee device generates a second random number R2.
  • the Zigbee device generates a first device-side key according to the first random number R1 and the license key of the Zigbee device.
  • the Zigbee device sends the second random number R2 and the first device-side key to the distribution network platform gateway.
  • alternatively, S23 may send only the second random number R2, and the first device-side key is sent after the authentication result of the second access authentication is successful.
  • the distribution network platform gateway sends a first access authentication request to the distribution network platform cloud, where the first access authentication request includes the second random number R2.
  • the first access authentication request may further include a device address identifier of the Zigbee device.
  • the first access authentication request may further include the manufacturer identifier of the Zigbee device.
  • the network distribution platform cloud determines the device platform cloud corresponding to the Zigbee device according to the manufacturer identifier in the first access authentication request, and further sends a second access authentication request to the device platform cloud, where the second access authentication request includes the second random number R2.
  • the second access authentication request may further include a device address identifier of the Zigbee device.
  • the device platform cloud generates a second cloud key Auth2' according to the second random number R2 and the license key.
  • the device platform cloud sends the second cloud key Auth2' to the distribution network platform cloud.
  • the distribution network platform cloud sends the second cloud key Auth2' to the distribution network platform gateway.
  • the distribution network platform gateway sends the second cloud key Auth2' to the Zigbee device.
  • the distribution network platform gateway sends a write request to the custom cluster of the Zigbee device, and the write request carries the second cloud key Auth2'.
  • after obtaining the second cloud key Auth2', the Zigbee device generates a second device-side key Auth2 according to the second random number R2 and the license key Kc.
  • S227: perform the second access authentication according to the second device-side key Auth2 and the second cloud key Auth2'.
  • first indication information is sent to the distribution network platform gateway, which is used to instruct the Zigbee device to leave the Zigbee network.
  • S229 Send the authentication result of the second access authentication to the network distribution platform gateway.
  • the Zigbee device executes S229.
  • when the authentication is successful, the distribution network platform gateway sends a third access authentication request to the distribution network platform cloud, where the third access authentication request includes the first device-side key Auth1.
  • the third access authentication request may further include a device address identifier of the Zigbee device.
  • the third access authentication request may further include the manufacturer identifier of the Zigbee device.
  • the distribution network platform cloud sends a fourth access authentication request to the device platform cloud, where the fourth access authentication request includes the first device-side key Auth1.
  • the device platform cloud generates a first cloud key Auth1' according to the first random number R1 and the license key.
  • the device platform cloud performs first access authentication according to the first cloud key Auth1' and the received first device-side key Auth1.
  • the device platform cloud sends the authentication result of the first access authentication to the distribution network platform cloud.
  • the distribution network platform cloud sends the authentication result of the first access authentication to the distribution network platform gateway.
  • the network distribution platform gateway adds the Zigbee device to the device blacklist.
  • the Zigbee devices in the device blacklist are removed from the Zigbee network constructed by the distribution network platform gateway.
  • the updated TCLK is used to encrypt the data transmission of the APS.
  • the distribution network platform gateway sends a first request to the distribution network platform cloud, where the first request is used to request an installation code and a first random number of the Zigbee device.
  • the first request may be referred to as an installation code request.
  • the first request may include a device address identifier of the Zigbee device.
  • the first request may include the manufacturer identifier of the Zigbee device.
  • the distribution network platform cloud determines a device platform cloud corresponding to the Zigbee device according to the manufacturer identifier in the first request, and further sends an installation code request to the device platform cloud.
  • the installation code request may include a device address identifier of the Zigbee device.
  • the installation code request may include the manufacturer identification of the Zigbee device.
  • the device platform cloud determines the installation code of the Zigbee device according to the device address identifier, and generates a first random number R1.
  • the device platform cloud sends the installation code of the Zigbee device and the first random number to the distribution network platform cloud.
  • the distribution network platform cloud sends the installation code of the Zigbee device and the first random number to the distribution network platform gateway.
  • the distribution network platform gateway sends the first random number to the Zigbee device.
  • the installation code of the Zigbee device may be obtained from the Zigbee device; for example, the terminal device may obtain the device information of the Zigbee device from the Zigbee device by scanning the code of the Zigbee device.
  • the device information of the Zigbee device may include an installation code.
  • the terminal device may send the device information of the Zigbee device to the distribution network platform gateway, so that the distribution network platform gateway can learn the installation code of the Zigbee device.
  • the terminal device may correspond to the control device 18 in the foregoing.
  • the distribution network platform gateway sends a first request to the distribution network platform cloud, where the first request is used to request a first random number.
  • the first request may be referred to as a random number request.
  • the first request may include a device address identifier of the Zigbee device.
  • the first request may include the manufacturer identifier of the Zigbee device.
  • the distribution network platform cloud generates a first random number R1.
  • the distribution network platform cloud determines the device platform cloud corresponding to the Zigbee device according to the manufacturer identifier in the first request, and further sends the first random number R1 and the device address identifier of the Zigbee device to the device platform cloud.
  • the device platform cloud establishes a corresponding relationship between the first random number R1 and the Zigbee device.
  • the distribution network platform cloud sends a first random number to the distribution network platform gateway.
  • the distribution network platform gateway sends the first random number to the Zigbee device.
  • a terminal device acquires device information of the Zigbee device.
  • the device information of the Zigbee device includes a device protocol type of the Zigbee device (for example, indicating Zigbee), a device address identifier of the Zigbee device, and a manufacturer identifier of the Zigbee device.
  • the device information of the Zigbee device may include an installation code of the Zigbee device.
  • the installation code of the Zigbee device may be the PIN code of the Zigbee device.
  • the terminal device determines the corresponding network distribution platform gateway according to the protocol type corresponding to the Zigbee device, wherein the network distribution platform gateway supports the protocol type corresponding to the Zigbee device; for example, if the protocol type indicates Zigbee, the network distribution platform gateway supports building a Zigbee network.
  • the terminal device sends the device information of the Zigbee device to the network distribution platform gateway, so that the network distribution platform gateway can learn the device information of the Zigbee device.
  • CID represents the manufacturer identifier
  • R1 represents the first random number
  • EUI represents the device address identifier
  • R2 represents the second random number
  • Kc represents the license key
  • Install Code represents the device-side installation code
  • Install Code' represents the authenticator's installation code
  • TCLK represents the device-side trust center link key
  • TCLK' represents the authenticator's trust center link key
  • Network Key represents the network key
  • Auth1 represents the first device-side key
  • Auth1' represents the first cloud key
  • Auth2 represents the second device-side key
  • Auth2' represents the second cloud key
  • FIG. 6 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application.
  • the method can be applied to the Zigbee device cross-platform access authentication system as shown in FIG. 1 , and the method includes:
  • the distribution network platform gateway builds a Zigbee network
  • the control device obtains the out-of-band information of the Zigbee device, which corresponds to the preceding device information;
  • the user scans the QR code through the APP to obtain the out-of-band information of the Zigbee device.
  • the device information of the Zigbee device may include the following information:
  • Protocol field used to indicate the device protocol type
  • the MAC field can be the EUI information of the Zigbee device
  • the CATID field is used to indicate the manufacturer identification of the Zigbee device, such as CID
  • the Zigbee device generates a broadcast beacon frame (Beacon);
  • control device sends the device information to the distribution network platform gateway.
  • the user sends the CID
  • the distribution network platform gateway stores CID
  • the distribution network platform gateway performs Permit Join
  • the distribution network platform gateway starts scanning
  • the Zigbee device sends the Beacon broadcast request channel by channel;
  • the distribution network platform gateway returns a Beacon reply
  • the Zigbee device sends an association request to the distribution network platform gateway;
  • the distribution network platform gateway returns an association response to the Zigbee device
  • the distribution network platform gateway sends a request for obtaining the installation code to the distribution network platform cloud, carrying the data CID
  • the distribution network platform cloud obtains the device platform cloud of the corresponding manufacturer through the CID;
  • the device platform cloud queries the Install Code according to the EUI, and generates the first random number R1;
  • the device platform cloud returns a response to the distribution network platform cloud, carrying the data Install Code and R1;
  • the distribution network platform cloud returns a response to the distribution network platform gateway, carrying the data Install Code and R1;
  • after the distribution network platform gateway gets the Install Code, it generates TCLK according to the Install Code;
  • TCLK = AES-MMO(Install Code);
  • the Zigbee device generates TCLK' according to the installation code.
  • TCLK' = AES-MMO(Install Code);
  • the distribution network platform gateway establishes a secure connection with the Zigbee device based on TCLK and TCLK', encrypts the Network Key through TCLK' and sends the encrypted data to the Zigbee device;
  • if the Zigbee device does not have an Install Code consistent with the device platform cloud, it cannot access the network established by the distribution network platform gateway; only when the Zigbee device has the Install Code consistent with the device platform cloud can it obtain the correct Network Key;
  • the Zigbee device sends a device announcement broadcast.
  • Device announcement (Device announce) broadcast is used to indicate that Zigbee devices are connected to the Zigbee network constructed by the distribution network platform gateway;
  • the distribution network platform gateway obtains the customized cluster information of the Zigbee device, and the access type of the cluster is write-return (W*R), and the distribution network platform gateway sends a request to write R1 to the customized cluster of the Zigbee device;
  • the Zigbee device returns Auth1
  • the distribution network platform gateway sends an authentication request to the distribution network platform cloud, carrying the CID
  • the distribution network platform cloud obtains the device platform cloud of the corresponding manufacturer through the CID;
  • the distribution network platform cloud sends an authentication request to the device platform cloud, carrying the data Auth1
  • R2); if they are not equal, the authentication fails and Auth2 takes an illegal value;
  • the device platform cloud returns the authentication result and Auth2 to the distribution network platform cloud;
  • the distribution network platform cloud returns the authentication result and Auth2 to the distribution network platform gateway;
  • if the network distribution platform gateway determines that the cloud's authentication of the device failed, it adds the Zigbee device to the device blacklist and removes the Zigbee device from the network; if the cloud's authentication of the device succeeded, it writes Auth2 to the manufacturer-defined Cluster2, whose type is R*W, for example;
  • R2); if Auth2' = Auth2, the authentication succeeds, otherwise it fails;
  • the Zigbee device returns the authentication result
  • if the device's authentication of the cloud fails, the network distribution platform gateway adds the Zigbee device to the device blacklist and removes the Zigbee device from the network.
  • the updated TCLK is used to encrypt the data transmission of the APS.
  • the installation code of the Zigbee device is obtained from the device cloud platform.
  • the installation code of the Zigbee device is obtained from the Zigbee device.
  • for the specific acquisition method, refer to the detailed description of the embodiment of FIG. 5.
  • FIG. 7 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application.
  • the method can be applied to the Zigbee device cross-platform access authentication system as shown in FIG. 1 .
  • the following steps of the method are adjusted:
  • the device information of the Zigbee device may include the following information:
  • Protocol field used to indicate the device protocol type
  • the MAC field can be the EUI information of the Zigbee device
  • the CATID field is used to indicate the manufacturer identification of the Zigbee device, such as CID
  • the installation code may be the PIN code of the Zigbee device.
  • control device sends the CID
  • the distribution network platform gateway sends an R1 request to the distribution network platform cloud, carrying the data CID
  • the device platform cloud establishes a corresponding relationship between the EUI and the R1.
  • the Zigbee device obtains R1 before the Zigbee device and the distribution network platform gateway establish a TCLK-based secure connection.
  • the Zigbee device obtains R1 after the Zigbee device and the distribution network platform gateway establish a TCLK-based secure connection.
  • the first access authentication is before the second access authentication.
  • the first access authentication is after the second access authentication, that is, the device authenticates the cloud first, and then the device is authenticated by the cloud.
  • the distribution network platform gateway obtains the customized cluster (Cluster) information of the Zigbee device, the access type of the Cluster is write-return (W*R), and the distribution network platform gateway sends a request to write R1 to the customized Cluster1 of the Zigbee device;
  • the Zigbee device returns Auth1
  • the distribution network platform gateway sends an authentication request to the distribution network platform cloud, carrying the CID
  • the distribution network platform cloud obtains the device platform cloud of the corresponding manufacturer through the CID;
  • the distribution network platform cloud sends an authentication request to the device platform cloud, carrying the data EUI
  • the device platform cloud returns Auth2 to the distribution network platform cloud
  • the distribution network platform cloud returns Auth2 to the distribution network platform gateway;
  • the distribution network platform gateway writes Auth2 to the manufacturer-defined Cluster2, for example, the type is R*W;
  • R2); if Auth2' = Auth2, the authentication succeeds, otherwise it fails;
  • the first indication information can also be sent to indicate leaving the Zigbee network
  • the distribution network platform gateway receives the first indication information of the Zigbee device, and adds the Zigbee device to the device blacklist.
  • if the authentication is successful, the Zigbee device determines to return the authentication result
  • the Zigbee device returns the authentication result
  • if the device's authentication of the cloud succeeds, the distribution network platform gateway sends an authentication request to the distribution network platform cloud, carrying the data CID
  • the distribution network platform cloud sends to the corresponding device platform cloud according to the CID.
  • the distribution network platform cloud sends an authentication request to the corresponding device platform cloud according to the CID, carrying the data EUI
  • the device platform cloud determines the Kc of the device according to the EUI, and generates Auth1' according to the first random number R1 and Kc.
  • the first access authentication is performed according to Auth1 and Auth1'. If the two are equal, it is determined that the authentication is successful, otherwise, it is determined that the authentication fails.
  • the distribution network platform cloud returns the authentication result of the first access authentication to the distribution network platform gateway.
  • if the cloud's authentication of the device fails, the Zigbee device is added to the device blacklist and removed from the network.
  • if the cloud's authentication of the device succeeds, the TCLK is updated and a normal connection is established.
  • the updated TCLK is used to encrypt the data transmission of the APS.
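The following Go program, added here as an illustration and not part of the patent, simulates the flows of FIG. 6 and FIG. 7 described above: TCLK = AES-MMO(Install Code) on both sides, Auth1/Auth2 derived from R1/R2 and the license key Kc, the first and second access authentication in either order, and the blacklist and leave handling on failure. The AES-MMO padding follows the Zigbee specification; combining the random number and Kc as AES-MMO(R || Kc), the type and function names, and the sample values are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
)

// aesMMO is the Matyas-Meyer-Oseas hash over AES-128 that Zigbee uses to turn an
// install code into a trust centre link key (Zigbee spec Annex B.6); only the
// short-message padding (messages under 2^16 bits) is implemented here.
func aesMMO(msg []byte) [16]byte {
	if len(msg)*8 >= 1<<16 {
		panic("aesMMO: message too long for the short-form padding")
	}
	padded := append([]byte{}, msg...)
	padded = append(padded, 0x80) // a single '1' bit, then '0' bits ...
	for len(padded)%16 != 14 { // ... until 14 bytes of the last block are used,
		padded = append(padded, 0x00)
	}
	var bitLen [2]byte // ... then the 16-bit big-endian length of msg in bits
	binary.BigEndian.PutUint16(bitLen[:], uint16(len(msg)*8))
	padded = append(padded, bitLen[:]...)
	var h [16]byte // H0 = 0^128
	for i := 0; i < len(padded); i += 16 {
		block, err := aes.NewCipher(h[:]) // previous hash value is the AES key
		if err != nil {
			panic(err)
		}
		var enc [16]byte
		block.Encrypt(enc[:], padded[i:i+16])
		for j := range h {
			h[j] = enc[j] ^ padded[i+j] // H_i = E(H_{i-1}, M_i) XOR M_i
		}
	}
	return h
}

// authKey derives Auth1/Auth2 from a random number and the license key Kc. The
// patent only says the algorithm includes AES-MMO; hashing R || Kc is an
// assumption made for this example.
func authKey(r, kc []byte) [16]byte {
	return aesMMO(append(append([]byte{}, r...), kc...))
}

func keysEqual(a, b [16]byte) bool { return subtle.ConstantTimeCompare(a[:], b[:]) == 1 }

// credentials is what the Zigbee device and its device platform cloud each hold
// for one EUI: the install code and the license key Kc.
type credentials struct{ installCode, kc []byte }

// outcome records each check of the flow as seen by the gateway.
type outcome struct {
	tclkMatch        bool // gateway TCLK equals device TCLK'
	cloudAuthsDevice bool // first access authentication: Auth1 == Auth1'
	deviceAuthsCloud bool // second access authentication: Auth2 == Auth2'
	blacklisted      bool // gateway added the device to the device blacklist
	leftNetwork      bool // device sent the first indication information (leave)
}

// runAccessAuthentication simulates the FIG. 6 order (cloud authenticates the
// device first) or, with deviceFirst set, the FIG. 7 order (device first).
func runAccessAuthentication(cloud, dev credentials, deviceFirst bool) outcome {
	var out outcome
	// The gateway derives TCLK from the install code the cloud (or the QR/PIN
	// code) supplied; the device derives TCLK' from its own copy. On a mismatch
	// the device cannot decrypt the Network Key, so nothing further happens.
	out.tclkMatch = keysEqual(aesMMO(cloud.installCode), aesMMO(dev.installCode))
	if !out.tclkMatch {
		return out
	}
	r1, r2 := make([]byte, 16), make([]byte, 16) // R1 issued by the cloud, R2 by the device
	rand.Read(r1) // crypto/rand never returns an error on supported platforms
	rand.Read(r2)
	auth1, auth1Prime := authKey(r1, dev.kc), authKey(r1, cloud.kc)
	auth2, auth2Prime := authKey(r2, dev.kc), authKey(r2, cloud.kc)
	cloudCheck := func() bool { // device platform cloud compares Auth1 with Auth1'
		out.cloudAuthsDevice = keysEqual(auth1, auth1Prime)
		out.blacklisted = !out.cloudAuthsDevice // gateway removes a failed device
		return out.cloudAuthsDevice
	}
	deviceCheck := func() bool { // device compares Auth2 with the Auth2' written to Cluster2
		out.deviceAuthsCloud = keysEqual(auth2, auth2Prime)
		out.leftNetwork = !out.deviceAuthsCloud // device leaves; gateway blacklists it
		out.blacklisted = out.blacklisted || out.leftNetwork
		return out.deviceAuthsCloud
	}
	first, second := cloudCheck, deviceCheck
	if deviceFirst {
		first, second = second, first
	}
	if first() { // the second check only runs when the first succeeds
		second()
	}
	return out
}
```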
  • FIG. 11 shows a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application.
  • the apparatus can be implemented as a Zigbee device, or be implemented as a part of a Zigbee device.
  • the apparatus 1000 includes:
  • a processing unit 1010 configured to generate a second random number
  • the license key being a key stored in the Zigbee device and the device platform cloud of the Zigbee device
  • the second access authentication of the Zigbee device is performed according to the second device-side key.
  • the apparatus 1000 further includes:
  • a communication unit configured to receive the first random number sent by the distribution network platform gateway, wherein the distribution network platform gateway supports the construction of a Zigbee network;
  • the processing unit 1010 is further configured to: generate a first device-side key according to the first random number and the license key, where the first device-side key is used for first access authentication of the Zigbee device.
  • the apparatus 1000 further includes:
  • a communication unit configured to receive a random number write request sent by the network distribution platform gateway to the custom cluster of the Zigbee device, where the random number write request carries the first random number.
  • processing unit 1010 is further configured to:
  • the first random number and the license key are processed to generate the first device-side key.
  • the first key generation algorithm includes: an AES-MMO hash algorithm.
  • the apparatus 1000 further includes:
  • a communication unit configured to send the second random number and the first device-side key to the device platform cloud through the distribution network platform gateway and the distribution network platform cloud, wherein the distribution network platform cloud is the cloud server corresponding to the distribution network platform gateway, the second random number is used for the device platform cloud to generate a second cloud key, and the second cloud key is used for the second access authentication of the Zigbee device.
  • the apparatus 1000 further includes:
  • a communication unit configured to receive the authentication result of the first access authentication and the second cloud key sent by the network distribution platform gateway in the case that the authentication result of the first access authentication is authentication successful,
  • the authentication result of the first access authentication is determined by the device cloud platform according to the first device-side key and the first cloud key
  • the first cloud key is generated by the device cloud platform according to the first random number and the license key.
  • processing unit 1010 is further configured to:
  • the authentication result of the second access authentication is determined according to the second device-side key and the second cloud key.
  • the apparatus 1000 further includes:
  • a communication unit configured to send the authentication result of the second access authentication to the network distribution platform gateway.
  • the apparatus 1000 further includes:
  • a communication unit configured to send the second random number to the device platform cloud of the Zigbee device through the distribution network platform gateway and the distribution network platform cloud, wherein the distribution network platform cloud is the cloud server corresponding to the distribution network platform gateway, the second random number is used for the device platform cloud to generate a second cloud key, and the second cloud key is used for the second access authentication of the Zigbee device.
  • the apparatus 1000 further includes:
  • a communication unit configured to receive the second cloud key sent by the distribution network platform gateway.
  • the apparatus 1000 further includes:
  • a communication unit configured to receive a write request sent by the distribution network platform gateway to the custom cluster of the Zigbee device, where the write request carries the second cloud key.
  • processing unit 1010 is further configured to:
  • the authentication result of the second access authentication is determined according to the second device-side key and the second cloud key.
  • the apparatus 1000 further includes:
  • a communication unit configured to send the authentication result of the second access authentication to the network distribution platform gateway.
  • the apparatus 1000 further includes:
  • a communication unit configured to send the authentication result of the second access authentication to the network distribution platform gateway when the authentication result of the second access authentication is authentication success.
  • processing unit 1010 is further configured to:
  • the apparatus 1000 further includes:
  • a communication unit configured to send first indication information to the distribution network platform gateway, where the first indication information is used to indicate
  • the first device-side key is stored in a custom cluster of the Zigbee device, and the second device-side key is stored in the custom cluster of the Zigbee device, and the access type of the custom cluster is write-return.
  • processing unit 1010 is further configured to:
  • the second random number and the license key are processed to generate the second device-side key.
  • the second key generation algorithm includes: an AES-MMO hash algorithm.
  • the apparatus 1100 may be implemented as a device platform cloud, or may be implemented as a part of the device platform cloud.
  • the apparatus 1100 includes:
  • the processing unit 1110 is configured to generate the first cloud key according to the first random number and the license key, wherein the device platform cloud is the cloud server of the manufacturer to which the Zigbee device of the Zigbee protocol belongs, and the license key is a key stored in the Zigbee device and in the device platform cloud of the Zigbee device; the first random number is generated by the device platform cloud, or the first random number is obtained from the distribution network platform cloud, where
  • the distribution network platform cloud is a cloud server corresponding to the distribution network platform gateway that supports the construction of Zigbee networks;
  • the first access authentication of the Zigbee device is performed according to the first cloud key.
  • the apparatus 1100 further includes:
  • a communication unit configured to receive a first access authentication request sent by the distribution network platform cloud, where the first access authentication request includes a second random number and a first device-side key, the second random number is generated by the Zigbee device, and the first device-side key is generated by the Zigbee device according to the first random number and the license key;
  • the processing unit 1110 is further configured to: generate a second cloud key according to the second random number and the license key, where the second cloud key is used for the second access authentication of the Zigbee device.
  • processing unit 1110 is further configured to:
  • the second cloud key is generated according to the second random number and the license key.
  • the apparatus 1100 further includes:
  • a communication unit configured to send the authentication result of the first access authentication and the second cloud key to the distribution network platform cloud.
  • the apparatus 1100 further includes:
  • a communication unit configured to receive a second random number sent by the distribution network platform cloud, where the second random number is generated by the Zigbee device;
  • the processing unit 1110 is further configured to: generate a second cloud key according to the second random number and the license key, where the second cloud key is used for the second access authentication of the Zigbee device.
  • the apparatus 1100 further includes:
  • a communication unit configured to send the second cloud key to the distribution network platform cloud.
  • the apparatus 1100 further includes:
  • a communication unit configured to receive a first access authentication request sent by the distribution network platform cloud, where the first access authentication request includes the first device-side key.
  • the apparatus 1100 further includes:
  • a communication unit configured to receive a first request sent by the distribution network platform cloud, where the first request is used to request the installation code and the first random number of the Zigbee device, or the first request is used to request the first random number.
  • the apparatus 1100 further includes:
  • a communication unit configured to send the installation code of the Zigbee device and the first random number to the distribution network platform cloud, or send the first random number to the distribution network platform cloud.
  • the first request further includes: a device address identifier of the Zigbee device and a manufacturer identifier of the Zigbee device.
  • the apparatus 1200 may be implemented as a distribution network platform gateway, or may be implemented as a part of the distribution network platform gateway.
  • the apparatus 1200 includes:
  • the communication unit 1200 is configured to receive the second random number and the first device-side key sent by the Zigbee device of the Zigbee protocol, wherein the network distribution platform gateway supports the construction of a Zigbee network, the first device-side key is generated by the Zigbee device according to the first random number and the license key of the Zigbee device, the second random number is used for the device platform cloud of the Zigbee device to determine the second cloud key, and the second cloud key is used for a second access authentication for the Zigbee device; and
  • send a first access authentication request to the distribution network platform cloud, where the first access authentication request includes the second random number, or the first access authentication request includes the second random number and the first device-side key, where the first device-side key is used for the device platform cloud to perform first access authentication for the Zigbee device, and the distribution network platform cloud is a cloud server corresponding to the distribution network platform gateway.
  • the communication unit 1200 is further configured to:
  • the authentication result of the first access authentication is determined by the device cloud platform according to the first device-side key and the first cloud key, and the first cloud key is generated by the device cloud platform according to the first random number and the license key.
  • the communication unit 1200 is further configured to: send a write request to the custom cluster of the Zigbee device, where the write request carries the second cloud key.
  • the communication unit 1200 is further configured to: send the write request to the custom cluster of the Zigbee device when the authentication result of the first access authentication is authentication success.
  • the apparatus further includes:
  • a processing unit configured to add the Zigbee device to a device blacklist and remove the Zigbee device from the Zigbee network when the first authentication result is an authentication failure.
  • the communication unit 1200 is further configured to: in the case that the authentication result of the second access authentication is authentication failure, receive the first indication information sent by the Zigbee device, where the first indication information is used to instruct the Zigbee device to leave the Zigbee network;
  • the apparatus further includes:
  • the processing unit is configured to add the Zigbee device to the device blacklist.
  • the communication unit 1200 is further configured to: send a first request to the distribution network platform cloud, where the first request is used to request the installation code of the Zigbee device and the first random number, or the first request is used to request the first random number.
  • the communication unit 1200 is further configured to: receive the installation code and the first random number of the Zigbee device sent by the distribution network platform cloud, or,
  • the first request further includes: a device address identifier of the Zigbee device and a manufacturer identifier of the Zigbee device.
  • the first access authentication request further includes a device address identifier of the Zigbee device and a manufacturer identifier of the Zigbee device.
  • FIG. 14 shows a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application.
  • the apparatus 1300 may be implemented as a control device, or may be implemented as a part of the control device.
  • the apparatus 1300 includes:
  • the communication unit 1310 is used to obtain the device information of the Zigbee device of the Zigbee protocol, wherein the device information of the Zigbee device includes the device protocol type of the Zigbee device, the device address identifier of the Zigbee device and the manufacturer identifier of the Zigbee device;
  • a processing unit 1320 configured to determine a distribution network platform gateway according to the device protocol type to which the Zigbee device belongs, wherein the distribution network platform gateway supports the construction of a Zigbee network;
  • the communication unit 1310 is further configured to: send the device information of the Zigbee device to the distribution network platform gateway.
  • the device address identifier of the Zigbee device includes a media access control MAC address of the Zigbee device.
  • the device information of the Zigbee device further includes: an installation code of the Zigbee device.
  • the installation code of the Zigbee device is the PIN code of the Zigbee device.
  • FIG. 15 shows a schematic structural diagram of a computer device (such as a Zigbee device, a distribution network platform gateway, or a device platform cloud) provided by an exemplary embodiment of the present application.
  • the computer device includes: a processor 101 , a receiver 102 , and a transmitter 103 , memory 104 and bus 105 .
  • the processor 101 includes one or more processing cores, and the processor 101 executes various functional applications and information processing by running software programs and modules.
  • the receiver 102 and the transmitter 103 may be implemented as a communication component, which may be a communication chip.
  • the memory 104 is connected to the processor 101 through the bus 105 .
  • the memory 104 may be configured to store at least one instruction, and the processor 101 may be configured to execute the at least one instruction, so as to implement various steps in the foregoing method embodiments.
  • memory 104 may be implemented by any type or combination of volatile or non-volatile storage devices including, but not limited to, magnetic or optical disks, electrically erasable programmable Read Only Memory (Electrically-Erasable Programmable Read Only Memory, EEPROM), Erasable Programmable Read Only Memory (EPROM), Static Random Access Memory (SRAM), Read Only Memory (Read-Only Memory, ROM), magnetic memory, flash memory, programmable read-only memory (Programmable Read-Only Memory, PROM).
  • the computer device includes a processor, a memory, and a transceiver (the transceiver may include a receiver for receiving information and a transmitter for transmitting information).
  • when the computer device is implemented as a Zigbee device:
  • the processor is used to generate a second random number, and to generate a second device-side key according to the second random number and a license key, the license key being stored in the Zigbee device and in the device platform cloud of the Zigbee device.
  • the processor and transceiver in the computer device involved in the embodiments of the present application may perform the steps performed by the Zigbee device in any of the methods shown in FIG. 2 to FIG. 10 above, which are not repeated here.
  • when the computer device is implemented as a distribution network platform gateway:
  • the transceiver is configured to receive the second random number and the first device-side key sent by the Zigbee device of the Zigbee protocol, and to send the first access authentication request to the distribution network platform cloud, where the first access authentication request includes the second random number, or includes the second random number and the first device-side key.
  • the processor and transceiver in the computer device involved in the embodiments of the present application may perform the steps performed by the distribution network platform gateway in any of the methods shown in FIG. 2 to FIG. 10 above, which are not repeated here.
  • when the computer device is implemented as a device platform cloud:
  • the processor is configured to generate a first cloud key according to the first random number and the license key, and to perform first access authentication of the Zigbee device according to the first cloud key.
  • the processor and transceiver in the computer device involved in the embodiments of the present application may perform the steps performed by the device platform cloud in any of the methods shown in FIG. 2 to FIG. 10 above, which are not repeated here.
  • the transceiver is used to obtain the device information of the Zigbee device of Zigbee protocol, wherein the device information of the Zigbee device includes the device protocol type of the Zigbee device, the device address identifier of the Zigbee device and the manufacturer identifier of the Zigbee device;
  • the processor is configured to determine a distribution network platform gateway according to the device protocol type to which the Zigbee device belongs, wherein the distribution network platform gateway supports building a Zigbee network;
  • the transceiver is further configured to send the device information of the Zigbee device to the distribution network platform gateway.
  • the processor and transceiver in the computer device involved in the embodiments of the present application may execute the steps performed by the control device or the terminal device in any of the methods shown in FIG. 2 to FIG. 10 above, which are not repeated here.
  • a computer-readable storage medium is also provided, and a computer program is stored in the computer-readable storage medium, and the computer program is loaded and executed by a processor to implement the methods provided by the foregoing method embodiments.
  • An access authentication method performed by a computer device.
  • a computer program product which, when running on the processor of the computer device, causes the network device to execute the access authentication method described in the above aspects.
  • a chip is also provided; the chip includes a programmable logic circuit and/or program instructions, and when the chip runs on a computer device it is used to implement the access authentication method described in the above aspects.
  • the processor in this embodiment of the present application may be an integrated circuit chip, which has a signal processing capability.
  • each step of the above method embodiments may be completed by a hardware integrated logic circuit in a processor or an instruction in the form of software.
  • the above-mentioned processor can be a general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • a general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the steps of the methods disclosed in conjunction with the embodiments of the present application may be directly embodied as executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software modules can be located in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers and other storage media mature in the art.
  • the storage medium is located in the memory, and the processor reads the information in the memory, and completes the steps of the above method in combination with its hardware.
  • the memory in this embodiment of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory may be a read-only memory (Read-Only Memory, ROM), a programmable read-only memory (Programmable ROM, PROM), an erasable programmable read-only memory (Erasable PROM, EPROM), an electrically erasable programmable read-only memory (Electrically EPROM, EEPROM) or a flash memory.
  • Volatile memory may be Random Access Memory (RAM), which acts as an external cache.
  • the memory in the embodiment of the present application may also be a static random access memory (static RAM, SRAM), a dynamic random access memory (dynamic RAM, DRAM), a synchronous dynamic random access memory (synchronous DRAM, SDRAM), a double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), an enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), a synchronous link dynamic random access memory (synch link DRAM, SLDRAM), a direct memory bus random access memory (Direct Rambus RAM, DR RAM) and so on. That is, the memory in the embodiments of the present application is intended to include, but is not limited to, these and any other suitable types of memory.
  • Embodiments of the present application further provide a computer-readable storage medium for storing a computer program.
  • the computer-readable storage medium can be applied to the network device in the embodiments of the present application, and the computer program enables the computer to execute the corresponding processes implemented by the network device in each method of the embodiments of the present application.
  • the computer-readable storage medium can be applied to the mobile terminal/terminal device in the embodiments of the present application, and the computer program enables the computer to execute the corresponding processes implemented by the mobile terminal/terminal device in each method of the embodiments of the present application, which are not repeated here for brevity.
  • Embodiments of the present application also provide a computer program product, including computer program instructions.
  • the computer program product can be applied to the network device in the embodiments of the present application, and the computer program instructions cause the computer to execute the corresponding processes implemented by the network device in each method of the embodiments of the present application, which are not repeated here for brevity.
  • the computer program product can be applied to the mobile terminal/terminal device in the embodiments of the present application, and the computer program instructions cause the computer to execute the corresponding processes implemented by the mobile terminal/terminal device in each method of the embodiments of the present application, which are not repeated here for brevity.
  • the embodiments of the present application also provide a computer program.
  • the computer program can be applied to the network device in the embodiments of the present application.
  • when the computer program is run on the computer, it causes the computer to execute the corresponding processes implemented by the network device in each method of the embodiments of the present application, which are not repeated here for brevity.
  • the computer program can be applied to the mobile terminal/terminal device in the embodiments of the present application, and when the computer program runs on the computer, it causes the computer to execute the corresponding processes implemented by the mobile terminal/terminal device in each method of the embodiments of the present application, which are not repeated here for brevity.
  • the disclosed system, apparatus and method may be implemented in other manners.
  • the apparatus embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the functions, if implemented in the form of software functional units and sold or used as independent products, may be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk or an optical disk, and other media that can store program code.

Abstract

An access authentication method and apparatus. The method comprises: a Zigbee device generating a second random number; according to the second random number and a license key, generating a second device-end key, wherein the license key is a key stored in the Zigbee device and a device platform cloud of the Zigbee device; and performing second access authentication on the Zigbee device according to the second device-end key.

Description

Method and apparatus for access authentication
Technical field
The embodiments of the present application relate to the field of communications, and in particular to a method and an apparatus for access authentication.
Background
Zigbee (Zigbee protocol) technology is a wireless communication technology; Zigbee devices based on Zigbee technology can perform access authentication across different platforms.
Exemplarily, the Zigbee network for a Zigbee device is built by the platform A gateway; the platform cloud corresponding to the platform A gateway is the platform A cloud, while the platform cloud corresponding to the manufacturer of the Zigbee device is the platform B cloud.
How to realize cross-platform access authentication of Zigbee devices is a problem that urgently needs to be solved.
Summary of the invention
The present application provides an access authentication method and apparatus that can realize cross-platform access authentication of Zigbee devices.
In a first aspect, an access authentication method is provided, including: a Zigbee device of the Zigbee protocol generates a second random number; a second device-side key is generated according to the second random number and a license key, the license key being a key stored in the Zigbee device and in the device platform cloud of the Zigbee device; and second access authentication of the Zigbee device is performed according to the second device-side key.
In a second aspect, an access authentication method is provided, including: a device platform cloud generates a first cloud key according to a first random number and a license key, where the device platform cloud is the cloud server of the manufacturer to which the Zigbee device of the Zigbee protocol belongs, the license key is a key stored in the Zigbee device and in the device platform cloud of the Zigbee device, and the first random number is either generated by the device platform cloud or obtained from the distribution network platform cloud, the distribution network platform cloud being the cloud server corresponding to a distribution network platform gateway that supports building a Zigbee network; and first access authentication of the Zigbee device is performed according to the first cloud key.
In a third aspect, an access authentication method is provided, including: a distribution network platform gateway receives a second random number and a first device-side key sent by a Zigbee device of the Zigbee protocol, where the distribution network platform gateway supports building a Zigbee network, the first device-side key is generated by the Zigbee device according to a first random number and the license key of the Zigbee device, and the second random number is used by the device platform cloud of the Zigbee device to determine a second cloud key, the second cloud key being used for second access authentication of the Zigbee device;
the distribution network platform gateway sends a first access authentication request to the distribution network platform cloud, where the first access authentication request includes the second random number, or includes the second random number and the first device-side key, the first device-side key being used by the device platform cloud to perform first access authentication of the Zigbee device, and the distribution network platform cloud being the cloud server corresponding to the distribution network platform gateway.
In a fourth aspect, an access authentication method is provided, including: obtaining device information of a Zigbee device of the Zigbee protocol, where the device information of the Zigbee device includes the device protocol type of the Zigbee device, the device address identifier of the Zigbee device and the manufacturer identifier of the Zigbee device; determining a distribution network platform gateway according to the device protocol type to which the Zigbee device belongs, where the distribution network platform gateway supports building a Zigbee network; and sending the device information of the Zigbee device to the distribution network platform gateway.
In a fifth aspect, an access authentication apparatus is provided, configured to execute the method of the first aspect or any of its implementations. Specifically, the apparatus includes functional modules for executing the method of the first aspect or any of its implementations.
In a sixth aspect, an access authentication apparatus is provided, configured to execute the method of the second aspect or any of its implementations. Specifically, the apparatus includes functional modules for executing the method of the second aspect or any of its implementations.
In a seventh aspect, an access authentication apparatus is provided, configured to execute the method of the third aspect or any of its implementations. Specifically, the apparatus includes functional modules for executing the method of the third aspect or any of its implementations.
In an eighth aspect, an access authentication apparatus is provided, configured to execute the method of the fourth aspect or any of its implementations. Specifically, the apparatus includes functional modules for executing the method of the fourth aspect or any of its implementations.
In a ninth aspect, an access authentication apparatus is provided, including a processor and a memory. The memory is used to store a computer program, and the processor is used to call and run the computer program stored in the memory so as to execute the method of any one of the first to fourth aspects or any of their implementations.
In a tenth aspect, a chip is provided for implementing the method of any one of the first to fourth aspects or any of their implementations. Specifically, the chip includes a processor for calling and running a computer program from a memory, so that a device in which the apparatus is installed executes the method of any one of the first to fourth aspects or any of their implementations.
In an eleventh aspect, a computer-readable storage medium is provided for storing a computer program, the computer program causing a computer to execute the method of any one of the first to fourth aspects or any of their implementations.
In a twelfth aspect, a computer program product is provided, including computer program instructions, the computer program instructions causing a computer to execute the method of any one of the first to fourth aspects or any of their implementations.
In a thirteenth aspect, a computer program is provided which, when run on a computer, causes the computer to execute the method of any one of the first to fourth aspects or any of their implementations.
Through the above technical solution, a device protocol type field is defined in the OLA device format to indicate the protocol type corresponding to the OLA device. For example, if the indicated protocol type is Zigbee, access authentication of the Zigbee device can be performed through a distribution network platform gateway that supports the Zigbee protocol, the distribution network platform cloud, and the device platform cloud corresponding to the Zigbee device, thereby realizing cross-platform access authentication.
Description of drawings
FIG. 1 is a block diagram of a Zigbee device cross-platform access authentication system provided by an exemplary embodiment of the present application.
FIG. 2 to FIG. 10 are flowcharts of access authentication methods provided by exemplary embodiments of the present application.
FIG. 11 is a schematic block diagram of an access authentication apparatus provided according to an embodiment of the present application.
FIG. 12 is a schematic block diagram of an access authentication apparatus provided according to an embodiment of the present application.
FIG. 13 is a schematic block diagram of an access authentication apparatus provided according to an embodiment of the present application.
FIG. 14 is a schematic block diagram of an access authentication apparatus provided according to an embodiment of the present application.
FIG. 15 is a schematic structural diagram of a computer device provided by an exemplary embodiment of the present application.
Detailed description
To facilitate understanding of the technical solutions of the embodiments of the present application, the technical solutions of the present application are described in detail below through specific embodiments. The following related technologies may be combined arbitrarily, as optional solutions, with the technical solutions of the embodiments of the present application, and all such combinations fall within the protection scope of the embodiments of the present application. The embodiments of the present application include at least part of the following content.
First, the terms involved in the embodiments of the present application are briefly introduced.
Zigbee (Zigbee protocol) technology:
Zigbee is a low-power local area network protocol based on the Institute of Electrical and Electronics Engineers (IEEE) 802.15.4 standard. According to the international standard, ZigBee technology is a short-range, low-power wireless communication technology.
Since the usual transmission distance of ZigBee technology is less than 1 km (that is, short range), it is mainly used in Personal Area Networks (PAN).
Beacon frame:
According to the beacon specification in IEEE 802.15.4, two beacon frame formats are specified: the regular beacon frame and the enhanced beacon (Enhanced Beacon) frame.
The enhanced beacon frame differs from the regular beacon frame in that its variable part adds an Information Elements (IEs) field and omits the Guaranteed Time Slot (GTS) field and the Pending Address field.
Refer to Table 1 below.
Table 1: Enhanced beacon frame
(Table 1, the enhanced beacon frame format, is provided as an image in the source and is not reproduced here.)
As shown in Table 1, in the enhanced beacon frame the information elements field is further divided into header information elements (Header IEs) and payload information elements (Payload IEs).
In the header IE, when the Element ID is 0, the content is filled with manufacturer-defined information: the data length ranges from 0 to 127 bytes, the first 3 bytes may be the vendor Organizationally Unique Identifier (OUI), and the remaining bytes may be defined according to the manufacturer's needs. In this embodiment of the present application, the header IE is filled with the first random number, the device identifier and the manufacturer identifier.
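A constructed walk-through of the first, second and third aspects above together with the manufacturer-defined header IE just described, added here as an example and not code from the application or its assignee. It assumes HMAC-SHA256 as the key derivation function, a 16-byte random number, an 8-byte device address identifier and a 2-byte manufacturer identifier, none of which the application specifies; all sample values are constructed.

```python
"""Cross-platform Zigbee access authentication modelled on the aspects above.
Added example, not code from the application. Assumed: HMAC-SHA256 as the key
derivation function, 16-byte random numbers, an 8-byte device address identifier
and a 2-byte manufacturer identifier; all sample values are constructed."""
import hashlib
import hmac
import os
import struct

RAND_LEN = 16          # first / second random number (assumed size)
ADDR_LEN = 8           # device address identifier (assumed EUI-64 size)
MFR_LEN = 2            # manufacturer identifier (assumed size)
OUI_LEN = 3            # first three bytes of the vendor content are the OUI (from the page)
VENDOR_ELEMENT_ID = 0  # header IE Element ID 0 = manufacturer-defined content
MAX_IE_CONTENT = 127   # content length ranges over 0-127 bytes


def derive_key(license_key: bytes, random_number: bytes) -> bytes:
    """Device-side or cloud key from the license key Kc and a random number.
    The application does not name the function; HMAC-SHA256 is an assumption."""
    return hmac.new(license_key, random_number, hashlib.sha256).digest()


def build_vendor_header_ie(oui: bytes, rand1: bytes, dev_addr: bytes, mfr_id: bytes) -> bytes:
    """Header IE descriptor (2 bytes, little-endian: length in bits 0-6, Element ID
    in bits 7-14, type bit 15 = 0) followed by OUI || rand1 || dev_addr || mfr_id."""
    if (len(oui), len(rand1), len(dev_addr), len(mfr_id)) != (OUI_LEN, RAND_LEN, ADDR_LEN, MFR_LEN):
        raise ValueError("field sizes do not match the assumed layout")
    content = oui + rand1 + dev_addr + mfr_id
    if len(content) > MAX_IE_CONTENT:
        raise ValueError("vendor content exceeds 127 bytes")
    descriptor = len(content) | (VENDOR_ELEMENT_ID << 7)
    return struct.pack("<H", descriptor) + content


def parse_vendor_header_ie(ie: bytes) -> dict:
    """Gateway side: validate the descriptor and length before trusting the content."""
    if len(ie) < 2:
        raise ValueError("truncated IE descriptor")
    (descriptor,) = struct.unpack("<H", ie[:2])
    length, element_id, ie_type = descriptor & 0x7F, (descriptor >> 7) & 0xFF, descriptor >> 15
    if ie_type != 0 or element_id != VENDOR_ELEMENT_ID:
        raise ValueError("not a manufacturer-defined header IE")
    content = ie[2:2 + length]
    if len(content) != length or length != OUI_LEN + RAND_LEN + ADDR_LEN + MFR_LEN:
        raise ValueError("vendor content length does not match the assumed layout")
    fields, off = {"oui": content[:OUI_LEN]}, OUI_LEN
    for name, size in (("rand1", RAND_LEN), ("dev_addr", ADDR_LEN), ("mfr_id", MFR_LEN)):
        fields[name] = content[off:off + size]
        off += size
    return fields


class DevicePlatformCloud:
    """Manufacturer's cloud: besides the device itself, the only holder of Kc."""

    def __init__(self, license_keys: dict):
        self._keys = license_keys  # (mfr_id, dev_addr) -> Kc

    def first_access_authentication(self, request: dict) -> bool:
        """First cloud key from rand1 and Kc, compared with the first device-side key."""
        kc = self._keys.get((request["mfr_id"], request["dev_addr"]))
        if kc is None:
            return False  # unknown device: derive nothing, fail closed
        cloud_key1 = derive_key(kc, request["rand1"])
        return hmac.compare_digest(cloud_key1, request["device_key1"])

    def second_cloud_key(self, request: dict):
        """Second cloud key from the second random number, used for the second authentication."""
        kc = self._keys.get((request["mfr_id"], request["dev_addr"]))
        return None if kc is None else derive_key(kc, request["rand2"])


def run_access_authentication(kc: bytes, dev_addr: bytes, mfr_id: bytes,
                              cloud: DevicePlatformCloud, oui: bytes = b"\x00\x11\x22") -> tuple:
    """Device -> gateway -> distribution network platform cloud -> device platform cloud.
    Returns (first_auth_ok, second_auth_ok)."""
    # Zigbee device: rand1 goes into the beacon header IE; rand2 and the first
    # device-side key go to the gateway; the second device-side key stays on the device.
    rand1, rand2 = os.urandom(RAND_LEN), os.urandom(RAND_LEN)
    beacon_ie = build_vendor_header_ie(oui, rand1, dev_addr, mfr_id)
    device_key1 = derive_key(kc, rand1)
    device_key2 = derive_key(kc, rand2)
    # Distribution network platform gateway: parse the beacon and form the first
    # access authentication request (second random number plus first device-side key).
    request = {**parse_vendor_header_ie(beacon_ie), "rand2": rand2, "device_key1": device_key1}
    # Distribution network platform cloud: relays the request; it never holds Kc.
    forwarded = dict(request)
    first_ok = cloud.first_access_authentication(forwarded)
    cloud_key2 = cloud.second_cloud_key(forwarded)
    second_ok = cloud_key2 is not None and hmac.compare_digest(cloud_key2, device_key2)
    return first_ok, second_ok


if __name__ == "__main__":
    KC = bytes(range(16))                    # constructed license key Kc
    DEV = bytes.fromhex("0011223344556677")  # constructed device address identifier
    MFR = b"\x12\x34"                        # constructed manufacturer identifier
    platform_cloud = DevicePlatformCloud({(MFR, DEV): KC})
    print(run_access_authentication(KC, DEV, MFR, platform_cloud))         # (True, True)
    print(run_access_authentication(bytes(16), DEV, MFR, platform_cloud))  # (False, False)
```

A device that does not hold the manufacturer's license key fails both authentications, and a device the cloud does not know is rejected before any key is derived.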
A device that supports the Zigbee protocol is a Zigbee device, and each Zigbee device corresponds to a unique Install Code. The Zigbee gateway needs to obtain the install code of the Zigbee device in order to admit the Zigbee device to the Zigbee network created by the Zigbee gateway.
In the related art, the install code of the Zigbee device is obtained by scanning the QR code of the Zigbee device with a mobile phone or by entering it manually on the mobile phone, after which the mobile phone sends the install code to the Zigbee gateway; this requires considerable human interaction.
At the same time, the related art described above does not realize cross-platform access authentication of Zigbee devices, and a solution for cross-platform access authentication of Zigbee devices is urgently needed.
It should be understood that in the embodiments of the present application the Zigbee device may be an Open Link Association (OLA) device, and the information of the OLA device may follow a specific format. In the embodiments of the present application, a device protocol type field may be added to that format to indicate the protocol type to which the OLA device belongs, for example the Zigbee protocol type or another protocol type.
Below, the solution provided by the present application is described by way of example.
FIG. 1 shows a block diagram of a Zigbee device cross-platform access authentication system provided by an exemplary embodiment of the present application. The system may include a Zigbee device 12, a distribution network platform gateway 141, a distribution network platform cloud 142 and a device platform cloud 16.
The Zigbee device 12 is a device that supports Zigbee technology and can access a Zigbee network. Optionally, the Zigbee device 12 is a smart device (such as Virtual Reality (VR) glasses or a smart wearable device), a terminal device, or another device with network access capability; this is not limited in the embodiments of the present application. In one example, where the Zigbee device cross-platform access authentication system is applied to smart home life, the Zigbee device 12 may be a smart home device such as a smart TV, smart speaker, smart air conditioner, smart lamp, smart door or window, smart curtain or smart socket. Optionally, there is one Zigbee device 12, or there are several Zigbee devices 12; this is not limited in the embodiments of the present application. In practical applications, the number of Zigbee devices 12 may be determined according to the application requirements, the maximum number of devices that the distribution network platform gateway 141 can manage, and the like.
The Zigbee device 12 is configured onto the network by the distribution network platform gateway 141, and the cloud server corresponding to the distribution network platform gateway 141 is the distribution network platform cloud 142. The distribution network platform gateway 141 and the distribution network platform cloud 142 are connected through a wired or wireless network.
The distribution network platform gateway 141 is a device capable of configuring a Zigbee network. Optionally, the distribution network platform gateway 141 may be a server, a terminal device, a router, a mobile phone, a tablet computer, a wearable device, or another device capable of configuring network access; this is not limited in the embodiments of the present application. In practical applications, the implementation form of the distribution network platform gateway 141 may be determined according to the application scenario of the Zigbee device cross-platform access authentication system. In one example, where the Zigbee device cross-platform access authentication system is applied to smart home life, and considering that a home environment has a small area and frequent activity, a distribution network platform gateway 141 that occupies a large space would interfere with normal home life, so the distribution network platform gateway 141 may be implemented as a router, a terminal device, a mobile phone, a tablet computer, a wearable device and the like. Optionally, there may be one distribution network platform gateway 141 or several; this is not limited in the embodiments of the present application. Usually, to save resources and for other reasons, there is one distribution network platform gateway 141.
The Zigbee device 12 is developed on the basis of the device platform cloud 16, and the license key Kc of the Zigbee device 12 is stored in the device platform cloud 16.
A communication link exists between the distribution network platform cloud 142 and the device platform cloud 16. Optionally, the distribution network platform cloud 142 sends to the device platform cloud 16 the information required during the access authentication of the Zigbee device 12, or forwards to the distribution network platform gateway 141 the information required during the access authentication of the Zigbee device 12.
The distribution network platform cloud 142 and the device platform cloud 16 described above are cloud computing resource pools in the field of cloud technology; multiple types of virtual resources are deployed in the resource pool for external customers to select and use. A cloud computing resource pool mainly includes computing devices (virtualized machines, including operating systems), storage devices and network devices. It may be an independent physical server, a server cluster or distributed system composed of several physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, Content Delivery Network (CDN), and big data and artificial intelligence platforms.
Optionally, the system may further include a control device 18, with the distribution network platform gateway 141 and the control device 18 connected through a wired or wireless network. The control device 18 is a device operated by the user to control the distribution network platform gateway 141; for example, the user can activate the distribution network platform gateway 141 using an application on the control device 18. The control device 18 may be implemented as a terminal device, a mobile phone, a tablet computer, a wearable device and the like.
FIG. 2 shows a flowchart of an access authentication method provided by an exemplary embodiment of the present application. The method can be applied to the Zigbee device cross-platform access authentication system shown in FIG. 1.
It should be noted that, in this embodiment of the present application, a Zigbee device is a device that supports Zigbee technology and can join a Zigbee network. Optionally, Zigbee devices include various types of household equipment (such as lamps), industrial assets (such as examination equipment in a hospital), and the like. The device platform cloud is the cloud server on which the Zigbee device was developed; that is, the device platform cloud is the cloud server of the manufacturer to which the Zigbee device belongs. The distribution network platform gateway supports building a Zigbee network. The distribution network platform cloud is the cloud server corresponding to the distribution network platform gateway.
It should be understood that, in this embodiment of the present application, the access authentication process of the Zigbee device may include a first access authentication process and a second access authentication process. In the first access authentication process the device platform cloud authenticates the Zigbee device (the cloud authenticates the device); in the second access authentication process the Zigbee device authenticates the device platform cloud (the device authenticates the cloud). This embodiment of the present application does not limit the order in which the two processes are executed.
In the first access authentication process, the Zigbee device generates a first device-side key from the first random number and the Zigbee device's license key, and the device platform cloud generates a first cloud key from the first random number and the license key; the first device-side key and the first cloud key are used for the first access authentication.
Optionally, the first random number may be generated by the device platform cloud, or it may be generated by the distribution network platform cloud; the present application does not limit this.
In the second access authentication process, the Zigbee device generates a second device-side key from the second random number and the license key, and the device platform cloud generates a second cloud key from the second random number and the license key; the second device-side key and the second cloud key are used for the second access authentication.
FIG. 2 shows a schematic interaction diagram in which the first access authentication is performed first and the second access authentication afterwards.
It should be understood that before the flow shown in FIG. 2 is executed, the distribution network platform gateway and the Zigbee device have already established a secure connection based on the authenticator-side Trust Center Link Key (TCLK), where the TCLK is a key generated from the install code (Install Code) and the license key Kc. Exemplarily, TCLK = AES-MMO(Install Code).
As shown in FIG. 2, the method includes at least part of the following:
S21, the Zigbee device generates a second random number R2.
S22, the Zigbee device generates a first device-side key from the first random number R1 and the license key of the Zigbee device.
Optionally, after generating the first device-side key, the Zigbee device stores it in an attribute of a custom cluster. A custom cluster includes at least one attribute (Attribute); an attribute is a data entity reflecting a state or property of the Zigbee device. In this embodiment of the present application, the attribute is used to store the device-side key of the Zigbee device. Optionally, the access type of the custom cluster is return-after-write.
In some embodiments, the Zigbee device processes the first random number R1 and the license key Kc with a key generation algorithm to produce the first device-side key Auth1. Optionally, the key generation algorithm is built on a symmetric cipher; for instance, it is the AES-MMO hash (Advanced Encryption Standard in Matyas-Meyer-Oseas mode). Exemplarily, Auth1 = AES-MMO(Kc | R1).
S23, the Zigbee device sends the second random number R2 and the first device-side key Auth1 to the distribution network platform gateway.
S24, the distribution network platform gateway sends a first access authentication request to the distribution network platform cloud; the first access authentication request includes the second random number R2 and the first device-side key Auth1.
Optionally, the first access authentication request may further include the device address identifier of the Zigbee device. The device address identifier identifies the Medium Access Control (MAC) layer address of the Zigbee device and uniquely identifies one Zigbee device; it may be a 64-bit address. Exemplarily, the device address identifier is an Extended Unique Identifier (EUI).
Optionally, the first access authentication request may further include the manufacturer identifier (Company Identifier, CID) of the Zigbee device. The manufacturer identifier identifies the manufacturer to which the Zigbee device belongs and may be 3 bytes long.
S25, the distribution network platform cloud determines the device platform cloud corresponding to the Zigbee device from the manufacturer identifier in the first access authentication request, and sends a second access authentication request to that device platform cloud; the second access authentication request includes the second random number R2 and the first device-side key.
Optionally, the second access authentication request may further include the device address identifier of the Zigbee device, which identifies the MAC address of the Zigbee device. Exemplarily, the device address identifier is an EUI.
S26, the device platform cloud determines the license key Kc of the Zigbee device from the device address identifier in the second access authentication request, and generates a first cloud key Auth1' from the first random number and the license key.
In some embodiments, the device platform cloud processes the first random number R1 and the license key Kc with a key generation algorithm to produce the first cloud key Auth1'. Optionally, the key generation algorithm is built on a symmetric cipher; for instance, it is the AES-MMO hash. Exemplarily, Auth1' = AES-MMO(Kc | R1).
S27, the device platform cloud performs the first access authentication using the first cloud key Auth1' and the first device-side key Auth1 carried in the second access authentication request.
For example, if the first cloud key Auth1' and the first device-side key Auth1 are equal, the authentication is determined to have succeeded; otherwise it has failed.
Further optionally, if the authentication succeeds, the device platform cloud generates a second cloud key Auth2' from the second random number R2 and the license key.
S28, the device platform cloud sends the second cloud key Auth2' and the result of the first access authentication to the distribution network platform cloud.
S29, the distribution network platform cloud sends the second cloud key Auth2' and the result of the first access authentication to the distribution network platform gateway.
If the authentication result is success, S210 is executed; otherwise S291 is executed.
S291, the distribution network platform gateway adds the Zigbee device to the device blacklist.
The device blacklist records devices whose commissioning failed. Optionally, Zigbee devices on the blacklist are removed from the Zigbee network built by the distribution network platform gateway.
It can be understood that, because the Zigbee device already joined the Zigbee network built by the distribution network platform gateway before the first access authentication, the distribution network platform gateway removes the Zigbee device from the Zigbee network after the authentication fails.
S210, the distribution network platform gateway sends the second cloud key Auth2' to the Zigbee device.
In some embodiments, the distribution network platform gateway sends a write request to the custom cluster of the Zigbee device, and the write request carries the second cloud key Auth2'.
At this point the Zigbee device has obtained the second cloud key Auth2'.
Further, in S211, the Zigbee device generates a second device-side key Auth2 from the second random number R2 and the license key Kc.
Optionally, after generating the second device-side key, the Zigbee device stores it in an attribute of the custom cluster. The custom cluster includes at least one attribute (Attribute), a data entity reflecting a state or property of the Zigbee device; in this embodiment of the present application the attribute is used to store the device-side key of the Zigbee device. Optionally, the access type of the custom cluster is return-after-write.
S212, the Zigbee device performs the second access authentication using the second device-side key Auth2 and the second cloud key Auth2'.
For example, if the second cloud key Auth2' and the second device-side key Auth2 are equal, the authentication is determined to have succeeded; otherwise it has failed.
S213, the Zigbee device sends the result of the second access authentication to the distribution network platform gateway.
For example, S213 is executed when the authentication succeeds.
If the authentication fails, the Zigbee device leaves the Zigbee network on its own. Further optionally, it sends first indication information to the distribution network platform gateway, indicating that the Zigbee device has left the Zigbee network.
S214, if the authentication fails, the distribution network platform gateway adds the Zigbee device to the device blacklist.
S215, if the authentication succeeds, the distribution network platform gateway and the Zigbee device establish a normal connection.
Optionally, the updated TCLK is used to encrypt data transmission at the Application Support Sublayer (APS).
FIG. 3 shows a schematic interaction diagram in which the second access authentication is performed first and the first access authentication afterwards.
It should be understood that before the flow shown in FIG. 3 is executed, the distribution network platform gateway and the Zigbee device have already established a secure connection based on the TCLK, where the TCLK is a key generated from the first random number and the license key.
It should be understood that steps shared by the embodiment of FIG. 3 and the embodiment of FIG. 2 are not repeated here; refer to the embodiment of FIG. 2 for their implementation.
As shown in FIG. 3, the method includes at least part of the following:
S21, the Zigbee device generates a second random number R2.
S22, the Zigbee device generates a first device-side key from the first random number R1 and the license key of the Zigbee device.
S23, the Zigbee device sends the second random number R2 and the first device-side key to the distribution network platform gateway.
Optionally, in some embodiments, the Zigbee device may send only the second random number R2 in S23, and send the first device-side key only after the second access authentication has succeeded.
S220, the distribution network platform gateway sends a first access authentication request to the distribution network platform cloud; the first access authentication request includes the second random number R2.
Optionally, the first access authentication request may further include the device address identifier of the Zigbee device.
Optionally, the first access authentication request may further include the manufacturer identifier of the Zigbee device.
S221, the distribution network platform cloud determines the device platform cloud corresponding to the Zigbee device from the manufacturer identifier in the first access authentication request, and sends a second access authentication request to that device platform cloud; the second access authentication request includes the second random number R2.
Optionally, the second access authentication request may further include the device address identifier of the Zigbee device.
S222, the device platform cloud generates a second cloud key Auth2' from the second random number R2 and the license key.
S223, the device platform cloud sends the second cloud key Auth2' to the distribution network platform cloud.
S224, the distribution network platform cloud sends the second cloud key Auth2' to the distribution network platform gateway.
S225, the distribution network platform gateway sends the second cloud key Auth2' to the Zigbee device.
In some embodiments, the distribution network platform gateway sends a write request to the custom cluster of the Zigbee device, and the write request carries the second cloud key Auth2'.
At this point the Zigbee device has obtained the second cloud key Auth2'.
Further, in S226, the Zigbee device generates a second device-side key Auth2 from the second random number R2 and the license key Kc.
S227, the Zigbee device performs the second access authentication using the second device-side key Auth2 and the second cloud key Auth2'.
For example, if the second cloud key Auth2' and the second device-side key Auth2 are equal, the authentication is determined to have succeeded; otherwise it has failed.
S228, if the authentication fails, the Zigbee device leaves the Zigbee network on its own.
Further optionally, it sends first indication information to the distribution network platform gateway, indicating that the Zigbee device has left the Zigbee network.
S229, the Zigbee device sends the result of the second access authentication to the distribution network platform gateway.
For example, the Zigbee device executes S229 when the authentication succeeds.
S230, if the authentication succeeded, the distribution network platform gateway sends a third access authentication request to the distribution network platform cloud; the third access authentication request includes the first device-side key Auth1.
Optionally, the third access authentication request may further include the device address identifier of the Zigbee device.
Optionally, the third access authentication request may further include the manufacturer identifier of the Zigbee device.
S231, the distribution network platform cloud sends a fourth access authentication request to the device platform cloud; the fourth access authentication request includes the first device-side key Auth1.
S232, the device platform cloud generates a first cloud key Auth1' from the first random number R1 and the license key.
S233, the device platform cloud performs the first access authentication using the first cloud key Auth1' and the received first device-side key Auth1.
S234, the device platform cloud sends the result of the first access authentication to the distribution network platform cloud.
S235, the distribution network platform cloud sends the result of the first access authentication to the distribution network platform gateway.
S236, if the authentication fails, the distribution network platform gateway adds the Zigbee device to the device blacklist.
Optionally, Zigbee devices on the blacklist are removed from the Zigbee network built by the distribution network platform gateway.
S237, if the authentication succeeds, the distribution network platform gateway and the Zigbee device establish a normal connection.
Optionally, the updated TCLK is used to encrypt APS data transmission.
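The following is an added example, not code from the patent: a simulation of the two-way access authentication of FIG. 2 (cloud authenticates the device first) and FIG. 3 (device authenticates the cloud first, using the S23 option of withholding Auth1 until the cloud has been verified), with the failure handling of S291/S214/S236 (gateway blacklists and removes the device) and S228 (device leaves on its own). The patent specifies AES-MMO(Kc | R) for Auth1, Auth1', Auth2 and Auth2'; this example substitutes HMAC-SHA256 from the Python standard library as a stand-in, and the EUI, CID, keys and class names are constructed for the example.

```python
import hashlib
import hmac
import secrets


def derive(kc: bytes, r: bytes) -> bytes:
    """Stand-in for the patent's AES-MMO(Kc | R). Assumption: HMAC-SHA256 from the
    standard library replaces the Zigbee AES-MMO hash so the example runs as-is."""
    return hmac.new(kc, r, hashlib.sha256).digest()


class DevicePlatformCloud:
    """Vendor cloud: holds each device's license key Kc and the R1 bound to it."""

    def __init__(self):
        self.kc_by_eui, self.r1_by_eui = {}, {}

    def provision(self, eui: bytes, kc: bytes) -> bytes:
        """Registers Kc for the EUI and issues R1 (the FIG. 4/5 flow, simplified)."""
        self.kc_by_eui[eui] = kc
        self.r1_by_eui[eui] = secrets.token_bytes(16)
        return self.r1_by_eui[eui]

    def first_access_auth(self, eui: bytes, auth1: bytes) -> bool:
        """S26/S27 and S232/S233: the cloud authenticates the device."""
        kc, r1 = self.kc_by_eui.get(eui), self.r1_by_eui.get(eui)
        if kc is None or r1 is None:
            return False                        # unknown EUI or no R1 bound
        return hmac.compare_digest(derive(kc, r1), auth1)

    def second_cloud_key(self, eui: bytes, r2: bytes) -> bytes:
        """S27 success branch and S222: Auth2' for the device to verify."""
        kc = self.kc_by_eui.get(eui)
        return derive(kc, r2) if kc is not None else b""


class DistributionPlatformCloud:
    """Selects the vendor cloud by the 3-byte CID (S25/S221) and relays the rest."""

    def __init__(self):
        self.cloud_by_cid = {}

    def route(self, cid: bytes) -> DevicePlatformCloud:
        return self.cloud_by_cid[cid]           # KeyError: unknown vendor


class ZigbeeDevice:
    def __init__(self, eui: bytes, cid: bytes, kc: bytes, r1: bytes):
        self.eui, self.cid, self.kc, self.r1 = eui, cid, kc, r1
        self.r2 = secrets.token_bytes(16)       # S21
        self.in_network = True                  # already joined under the TCLK

    def auth1(self) -> bytes:
        return derive(self.kc, self.r1)         # S22: Auth1 = f(Kc, R1)

    def verify_cloud(self, auth2_cloud: bytes) -> bool:
        """S211/S212: compares Auth2 = f(Kc, R2) with the cloud's Auth2'."""
        ok = hmac.compare_digest(derive(self.kc, self.r2), auth2_cloud)
        if not ok:
            self.in_network = False             # S228: the device leaves on its own
        return ok


class Gateway:
    def __init__(self, dist_cloud: DistributionPlatformCloud):
        self.dist_cloud, self.blacklist = dist_cloud, set()

    def _fail(self, dev: ZigbeeDevice):
        self.blacklist.add(dev.eui)             # S291 / S214 / S236
        dev.in_network = False                  # removed from the gateway's network

    def authenticate(self, dev: ZigbeeDevice, cloud_first: bool) -> dict:
        """cloud_first=True is the FIG. 2 order; False is the FIG. 3 order with the
        S23 option of withholding Auth1 until the device has verified the cloud."""
        vendor = self.dist_cloud.route(dev.cid)
        result = {"cloud_auth": False, "device_auth": False}
        if cloud_first:
            result["cloud_auth"] = vendor.first_access_auth(dev.eui, dev.auth1())
            if not result["cloud_auth"]:
                self._fail(dev)
                return result                   # Auth2' is never released
        result["device_auth"] = dev.verify_cloud(vendor.second_cloud_key(dev.eui, dev.r2))
        if not result["device_auth"]:
            self._fail(dev)
            return result
        if not cloud_first:
            result["cloud_auth"] = vendor.first_access_auth(dev.eui, dev.auth1())
            if not result["cloud_auth"]:
                self._fail(dev)
        return result


def scenario(cloud_first: bool, kc_mismatch: bool = False) -> dict:
    """Constructed setup: one vendor cloud, one gateway, one device. kc_mismatch
    gives the device a Kc the vendor cloud does not hold (counterfeit device or
    wrong cloud); the two orders differ only in which side detects it first."""
    eui, cid, kc = bytes.fromhex("00124b0011223344"), b"\x11\x22\x33", secrets.token_bytes(16)
    vendor = DevicePlatformCloud()
    r1 = vendor.provision(eui, kc)
    dev = ZigbeeDevice(eui, cid, secrets.token_bytes(16) if kc_mismatch else kc, r1)
    dist = DistributionPlatformCloud()
    dist.cloud_by_cid[cid] = vendor
    gw = Gateway(dist)
    out = gw.authenticate(dev, cloud_first)
    out.update(blacklisted=eui in gw.blacklist, in_network=dev.in_network)
    return out


if __name__ == "__main__":
    for order in (True, False):
        print("cloud-first" if order else "device-first", scenario(order), scenario(order, True))
```

In the FIG. 2 order the vendor cloud releases Auth2' only after Auth1 has verified, so a device that does not hold Kc never receives a value it could use to learn anything about Kc; in the FIG. 3 order the device withholds Auth1 until it has verified the cloud, which protects a genuine device from sending its response to a gateway backed by the wrong cloud. The comparisons use constant-time equality, which the patent's "equal / not equal" check leaves open.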
The following describes, with reference to FIG. 4 and FIG. 5, how the install code of the Zigbee device and the first random number are obtained.
As shown in FIG. 4, the following steps may be included:
S301, the distribution network platform gateway sends a first request to the distribution network platform cloud; the first request asks for the install code of the Zigbee device and the first random number. Optionally, this first request may be called an install code request.
Optionally, the first request may include the device address identifier of the Zigbee device.
Optionally, the first request may include the manufacturer identifier of the Zigbee device.
S302, the distribution network platform cloud determines the device platform cloud corresponding to the Zigbee device from the manufacturer identifier in the first request, and sends an install code request to that device platform cloud.
Optionally, the install code request may include the device address identifier of the Zigbee device.
Optionally, the install code request may include the manufacturer identifier of the Zigbee device.
S303, the device platform cloud determines the install code of the Zigbee device from the device address identifier, and generates a first random number R1.
S304, the device platform cloud sends the install code of the Zigbee device and the first random number to the distribution network platform cloud.
S305, the distribution network platform cloud sends the install code of the Zigbee device and the first random number to the distribution network platform gateway.
S306, the distribution network platform gateway sends the first random number to the Zigbee device.
In the example shown in FIG. 5, the install code of the Zigbee device may be obtained from the Zigbee device itself: for example, a terminal device may obtain the device information of the Zigbee device from the Zigbee device, for instance by scanning the QR code on the Zigbee device, although the present application is not limited to this. The device information of the Zigbee device may include the install code. The terminal device may then send the device information of the Zigbee device to the distribution network platform gateway, so that the distribution network platform gateway learns the install code of the Zigbee device.
Optionally, the terminal device may correspond to the control device 18 described above.
As shown in FIG. 5, the following steps may be included:
S401, the distribution network platform gateway sends a first request to the distribution network platform cloud; the first request asks for the first random number. Optionally, this first request may be called a random number request.
Optionally, the first request may include the device address identifier of the Zigbee device.
Optionally, the first request may include the manufacturer identifier of the Zigbee device.
S402, the distribution network platform cloud generates a first random number R1.
S403, the distribution network platform cloud determines the device platform cloud corresponding to the Zigbee device from the manufacturer identifier in the first request, and sends the first random number R1 and the device address identifier of the Zigbee device to that device platform cloud.
S404, the device platform cloud records the correspondence between the first random number R1 and the Zigbee device.
S405, the distribution network platform cloud sends the first random number to the distribution network platform gateway.
S406, the distribution network platform gateway sends the first random number to the Zigbee device.
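The following is an added example, not code from the patent: the two ways of obtaining the install code and the first random number R1 described for FIG. 4 (the vendor's device platform cloud returns the install code and mints R1) and FIG. 5 (the install code is read from the device's QR code, the distribution network platform cloud mints R1 and the device platform cloud only records the EUI-to-R1 binding), together with the parsing and validation of the out-of-band device information (protocol type, 64-bit EUI, 3-byte CID, optionally the install code) that the gateway receives. The patent names these fields but not their encoding, so the "protocol:EUI:CID[:InstallCode]" text format, the 16-byte install code length and the SHA-256 stand-in for the AES-MMO derivation of the TCLK are assumptions of this example; the sample QR payload is constructed.

```python
import hashlib
import secrets

EUI_LEN, CID_LEN, INSTALL_CODE_LEN = 8, 3, 16   # 64-bit EUI, 3-byte CID; 16-byte install code assumed


def parse_device_info(payload: str) -> dict:
    """Parses the out-of-band device information read from the device's QR code
    (S501). The 'protocol:EUI:CID[:InstallCode]' text encoding is an assumption of
    this example; the patent lists the fields but not their encoding."""
    parts = payload.strip().split(":")
    if len(parts) not in (3, 4):
        raise ValueError("expected protocol:EUI:CID[:InstallCode]")
    eui, cid = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    if len(eui) != EUI_LEN:
        raise ValueError("EUI must be a 64-bit address")
    if len(cid) != CID_LEN:
        raise ValueError("CID must be 3 bytes")
    info = {"protocol": parts[0].lower(), "eui": eui, "cid": cid}
    if len(parts) == 4:
        install_code = bytes.fromhex(parts[3])
        if len(install_code) != INSTALL_CODE_LEN:
            raise ValueError("install code has unexpected length")
        info["install_code"] = install_code
    return info


def tclk_from_install_code(install_code: bytes) -> bytes:
    """TCLK = AES-MMO(Install Code) in the patent; SHA-256 truncated to 128 bits
    stands in here (assumption) so the example needs only the standard library."""
    return hashlib.sha256(install_code).digest()[:16]


class DevicePlatformCloud:
    def __init__(self):
        self.install_codes = {}     # EUI -> install code (the vendor's own record)
        self.r1_by_eui = {}         # EUI -> R1, used later for Auth1 / Auth1'

    def install_code_request(self, eui: bytes):
        """FIG. 4, S303: look up the install code by EUI and mint R1."""
        r1 = secrets.token_bytes(16)
        self.r1_by_eui[eui] = r1
        return self.install_codes[eui], r1      # KeyError: EUI not made by this vendor

    def bind_r1(self, eui: bytes, r1: bytes):
        """FIG. 5, S404: R1 was minted elsewhere; only the (EUI, R1) binding is kept."""
        self.r1_by_eui[eui] = r1


class DistributionPlatformCloud:
    def __init__(self):
        self.cloud_by_cid = {}      # CID -> DevicePlatformCloud

    def first_request(self, eui: bytes, cid: bytes, generate_r1_here: bool):
        """S302 / S402-S403: select the vendor cloud by CID, then either relay the
        install code request (FIG. 4) or mint R1 locally and push the binding (FIG. 5)."""
        vendor = self.cloud_by_cid[cid]         # KeyError: unknown vendor
        if generate_r1_here:
            r1 = secrets.token_bytes(16)
            vendor.bind_r1(eui, r1)
            return None, r1
        return vendor.install_code_request(eui)


class Gateway:
    protocols = {"zigbee"}

    def __init__(self, dist_cloud: DistributionPlatformCloud):
        self.dist_cloud = dist_cloud
        self.devices = {}           # EUI -> {"cid", "tclk", "r1"}

    def onboard(self, info: dict, r1_from_distribution_cloud: bool) -> bytes:
        """S301..S306 or S401..S406: obtain the install code and R1, derive the
        TCLK, and return R1 for forwarding to the device."""
        if r1_from_distribution_cloud and "install_code" not in info:
            raise ValueError("the FIG. 5 flow needs the install code from the QR code")
        install_code, r1 = self.dist_cloud.first_request(
            info["eui"], info["cid"], r1_from_distribution_cloud)
        if install_code is None:                # FIG. 5: install code came out of band
            install_code = info["install_code"]
        self.devices[info["eui"]] = {"cid": info["cid"],
                                     "tclk": tclk_from_install_code(install_code),
                                     "r1": r1}
        return r1


def select_gateway(info: dict, gateways: list) -> Gateway:
    """S502: pick a gateway that supports the device's protocol type."""
    for gw in gateways:
        if info["protocol"] in gw.protocols:
            return gw
    raise LookupError("no gateway supports " + info["protocol"])
```

Note the difference in what leaves the vendor cloud: in the FIG. 4 path the install code, from which the TCLK is derived, transits the distribution network platform cloud and the link down to the gateway, so those links carry link-key material and must be protected accordingly; in the FIG. 5 path the install code never leaves the device's QR code and the gateway, and the clouds only ever see R1 and the EUI.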
The following describes, with reference to FIG. 6, the specific process of obtaining the device information of the Zigbee device.
As shown in FIG. 6, at least some of the following steps may be included:
S501, the terminal device obtains the device information of the Zigbee device.
Optionally, the device information of the Zigbee device includes the device protocol type of the Zigbee device (for example, indicating Zigbee), the device address identifier of the Zigbee device, and the manufacturer identifier of the Zigbee device.
Optionally, it may be obtained by scanning the QR code on the Zigbee device, although the present application is not limited to this.
Optionally, in some embodiments, the device information of the Zigbee device may include the install code of the Zigbee device.
Optionally, the install code of the Zigbee device may be the PIN code of the Zigbee device.
S502, the terminal device determines the corresponding distribution network platform gateway from the protocol type of the Zigbee device, that is, a distribution network platform gateway that supports the protocol type of the Zigbee device; for example, if the protocol type indicates Zigbee, the distribution network platform gateway supports building a Zigbee network.
Further, in S503, the terminal device sends the device information of the Zigbee device to that distribution network platform gateway, so that the distribution network platform gateway learns the device information of the Zigbee device.
下面,结合如下实施例,对本申请所示出的方案进行示例性的说明。Hereinafter, the solutions shown in the present application will be exemplarily described with reference to the following examples.
在如下实施例中,以CID表示厂商标识、R1表示第一随机数、EUI表示设备地址标识、R2表示第二随机数、Kc表示许可密钥、Install Code表示设备端安装码、Install Code’表示认证端安装码、TCLK表示设备端信任中心链接密钥、TCLK’表示认证端信任中心链接密钥、Network Key表示网络密钥、Auth1表示第一设备端密钥、Auth1’表示第一云端密钥,Auth2表示第二设备端密钥、Auth2’表示第二云端密钥进行示例性的说明。In the following embodiment, CID is used to represent the manufacturer's identity, R1 to represent the first random number, EUI to represent the device address identifier, R2 to represent the second random number, Kc to represent the license key, Install Code to represent the device-side installation code, and Install Code' to represent Authenticator installation code, TCLK represents the device-side trust center link key, TCLK' represents the authenticator's trust center link key, Network Key represents the network key, Auth1 represents the first device-side key, Auth1' represents the first cloud key , Auth2 represents the second device-side key, and Auth2' represents the second cloud key for exemplary description.
FIG. 6 shows a flowchart of an access authentication method provided by an exemplary embodiment of this application. The method can be applied to the Zigbee device cross-platform access authentication system shown in FIG. 1 and includes:
601, the distribution network platform gateway builds a Zigbee network;
602, the control device obtains the out-of-band information of the Zigbee device, which corresponds to the device information described above;
For example, the user obtains the out-of-band information of the Zigbee device by scanning a QR code with the APP.
603, as an example, the device information of the Zigbee device may include the following:
a Protocol field, indicating the protocol type of the device;
a MAC field, which may for example be the EUI of the Zigbee device;
a CATID field, indicating the manufacturer identifier of the Zigbee device, for example the CID;
604, the Zigbee device generates a broadcast beacon frame (Beacon);
605, the control device sends the device information to the distribution network platform gateway.
For example, the user sends CID|EUI to the distribution network platform gateway through the APP;
606, the distribution network platform gateway stores the CID|EUI information;
607, the distribution network platform gateway enables joining (Permit Join);
608, the distribution network platform gateway starts scanning;
609, the Zigbee device sends a Beacon request channel by channel;
610, the distribution network platform gateway returns a Beacon reply;
611, the Zigbee device sends an association request to the distribution network platform gateway;
612, the distribution network platform gateway returns an association response to the Zigbee device;
613, the distribution network platform gateway sends an installation-code request to the distribution network platform cloud, carrying CID|EUI;
6131, the distribution network platform cloud locates the device cloud platform of the corresponding manufacturer by the CID;
6132, the distribution network platform cloud sends an installation-code request to the device platform cloud of the Zigbee device;
6133, the device platform cloud looks up the Install Code by the EUI and generates the first random number R1;
6134, the device platform cloud returns a response to the distribution network platform cloud, carrying the Install Code and R1;
614, the distribution network platform cloud returns a response to the distribution network platform gateway, carrying the Install Code and R1;
615, having obtained the Install Code, the distribution network platform gateway generates TCLK from it;
For example, TCLK = AES-MMO(Install Code);
616, the Zigbee device generates TCLK' from its own installation code.
For example, TCLK' = AES-MMO(Install Code);
617, the distribution network platform gateway and the Zigbee device establish a secure connection based on TCLK and TCLK': the gateway encrypts the Network Key with the link key it derived from the Install Code in step 615 and sends the encrypted Network Key to the Zigbee device;
618, if the Zigbee device does not hold an Install Code consistent with the one held by the device platform cloud, it cannot recover the Network Key and cannot join the network built by the distribution network platform gateway; only a Zigbee device whose Install Code is consistent with the device platform cloud obtains the correct Network Key;
619, the Zigbee device sends a Device Announce broadcast.
The Device Announce broadcast indicates that the Zigbee device has joined the Zigbee network built by the distribution network platform gateway;
620, the distribution network platform gateway obtains the manufacturer-defined cluster (Cluster) information of the Zigbee device; the access type of this Cluster is write-then-return (W*R); the gateway sends a request to write R1 to the custom Cluster of the Zigbee device;
621, on receiving the write-R1 request, the custom Cluster of the Zigbee device generates Auth1 = AES-MMO(Kc|R1), generates a random number R2, and stores Auth1|R2 in the custom Cluster;
622, the Zigbee device returns Auth1|R2 to the distribution network platform gateway;
623, the distribution network platform gateway sends an authentication request to the distribution network platform cloud, carrying CID|Auth1|EUI|R2;
6231, the distribution network platform cloud locates the device cloud platform of the corresponding manufacturer by the CID;
6232, the distribution network platform cloud sends an authentication request to the device platform cloud, carrying Auth1|EUI|R2;
6233, the device platform cloud looks up the Kc of the Zigbee device by the EUI and generates Auth1' = AES-MMO(Kc|R1).
If Auth1' = Auth1, the authentication succeeds and the device platform cloud computes Auth2 = AES-MMO(Kc|R2); if they are not equal, the authentication fails and Auth2 is set to an invalid value;
6234, the device platform cloud returns the authentication result and Auth2 to the distribution network platform cloud;
624, the distribution network platform cloud returns the authentication result and Auth2 to the distribution network platform gateway;
625, if the distribution network platform gateway determines that the cloud's authentication of the device failed, it adds the Zigbee device to the device blacklist and removes it from the network; if the cloud's authentication of the device succeeded, it writes Auth2 to the manufacturer-defined Cluster2, whose type is for example R*W;
626, the Zigbee device generates Auth2' = AES-MMO(Kc|R2); if Auth2' = Auth2 the authentication succeeds, otherwise it fails;
627, the Zigbee device returns the authentication result;
628, if the device's authentication of the cloud failed, the distribution network platform gateway adds the Zigbee device to the device blacklist and removes it from the network.
629, if the device's authentication of the cloud succeeded, the following flow continues;
630, the TCLK is updated and a normal connection is established.
Optionally, the updated TCLK is used to encrypt APS data transmission.
In the embodiment corresponding to FIG. 6, the installation code of the Zigbee device is obtained from the device cloud platform; in the embodiment of FIG. 7, the installation code of the Zigbee device is obtained from the Zigbee device itself, in the manner described in detail for the embodiment of FIG. 5.
FIG. 7 shows a flowchart of an access authentication method provided by an exemplary embodiment of this application. The method can be applied to the Zigbee device cross-platform access authentication system shown in FIG. 1. Compared with FIG. 6, the following steps of the method are adjusted:
703, as an example, the device information of the Zigbee device may include the following:
a Protocol field, indicating the protocol type of the device;
a MAC field, which may for example be the EUI of the Zigbee device;
a CATID field, indicating the manufacturer identifier of the Zigbee device, for example the CID;
the installation code.
In this embodiment, the installation code may be the PIN code of the Zigbee device.
705, the control device sends CID|EUI|Install Code to the distribution network platform gateway.
713, the distribution network platform gateway sends an R1 request to the distribution network platform cloud, carrying CID|EUI.
715, the device platform cloud records the correspondence between the EUI and R1.
The other steps of FIG. 7 are as in the above embodiments and are not repeated here.
In the embodiment corresponding to FIG. 7, the Zigbee device obtains R1 before the Zigbee device and the distribution network platform gateway establish the TCLK-based secure connection; in the embodiment of FIG. 8, the Zigbee device obtains R1 after that secure connection has been established. The steps of FIG. 8 are otherwise implemented as the corresponding steps of FIG. 7 and are not repeated here.
In the embodiment corresponding to FIG. 7, the first access authentication precedes the second access authentication; in the embodiment of FIG. 9, the first access authentication follows the second access authentication, that is, the device first authenticates the cloud and the cloud then authenticates the device.
921, the distribution network platform gateway obtains the manufacturer-defined cluster (Cluster) information of the Zigbee device; the access type of this Cluster is write-then-return (W*R); the gateway sends a request to write R1 to the custom Cluster1 of the Zigbee device;
922, on receiving the write-R1 request, the custom Cluster1 of the Zigbee device generates Auth1 = AES-MMO(Kc|R1), generates a random number R2, and stores Auth1|R2 in the custom Cluster;
923, the Zigbee device returns Auth1|R2 to the distribution network platform gateway;
924, the distribution network platform gateway sends an authentication request to the distribution network platform cloud, carrying CID|EUI|R2;
9241, the distribution network platform cloud locates the device cloud platform of the corresponding manufacturer by the CID;
9242, the distribution network platform cloud sends an authentication request to the device platform cloud, carrying EUI|R2;
9243, the device platform cloud obtains the Kc of the device by the EUI and generates Auth2 from Kc and R2, for example Auth2 = AES-MMO(Kc|R2);
9244, the device platform cloud returns Auth2 to the distribution network platform cloud;
925, the distribution network platform cloud returns Auth2 to the distribution network platform gateway;
926, the distribution network platform gateway writes Auth2 to the manufacturer-defined Cluster2, whose type is for example R*W;
927, the Zigbee device generates Auth2' = AES-MMO(Kc|R2); if Auth2' = Auth2 the authentication succeeds, otherwise it fails;
9271, if the authentication fails, the Zigbee device leaves the Zigbee network on its own initiative; optionally, it also sends first indication information indicating that it has left the Zigbee network;
928, the distribution network platform gateway receives the first indication information from the Zigbee device and adds the Zigbee device to the device blacklist.
9272, if the authentication succeeds, the Zigbee device decides to return the authentication result;
929, the Zigbee device returns the authentication result;
930, if the device's authentication of the cloud succeeded, the distribution network platform gateway sends an authentication request to the distribution network platform cloud, carrying CID|EUI|Auth1;
9301, the distribution network platform cloud determines the corresponding device platform cloud according to the CID.
9302, the distribution network platform cloud sends an authentication request to the corresponding device platform cloud according to the CID, carrying EUI|Auth1.
9303, the device platform cloud determines the Kc of the device by the EUI and generates Auth1' from the first random number R1 and Kc.
The first access authentication is performed on Auth1 and Auth1': if the two are equal, the authentication is determined to have succeeded; otherwise, it is determined to have failed.
9304, the device platform cloud returns the result of the first access authentication to the distribution network platform cloud.
931, the distribution network platform cloud returns the result of the first access authentication to the distribution network platform gateway.
932, if the cloud's authentication of the device failed, the gateway adds the Zigbee device to the device blacklist and removes it from the network.
932, if the cloud's authentication of the device succeeded, the TCLK is updated and a normal connection is established.
Optionally, the updated TCLK is used to encrypt APS data transmission.
It should be noted that the above method embodiments may be implemented separately or in combination; this application does not limit this.
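The two authentication orders described above (the FIG. 6 flow, where the device platform cloud verifies Auth1 before answering the device's R2, and the FIG. 9 flow, where the device verifies Auth2 first and the cloud verifies Auth1 afterwards) as an added, runnable Go model. This is example code written for this page, not the applicant's implementation. It implements AES-MMO as Annex B.6 of the Zigbee specification defines it (short-message padding only), stands in for the APS-layer CCM* protection of the Transport Key command with a single raw AES block (a simplification), and collapses the distribution network platform cloud into a direct call from the gateway to the device platform cloud. The EUI, Install Code, Kc and Network Key are constructed at random for each run; the step numbers in the comments refer to FIG. 6 and FIG. 9.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
)

// aesMMO is the Matyas-Meyer-Oseas hash over AES-128 that Zigbee specifies
// (Annex B.6 of the Zigbee specification), for messages under 2^16 bits:
// append 0x80, zero-pad to 14 bytes mod 16, then the 16-bit bit length.
func aesMMO(msg []byte) []byte {
	if len(msg) >= 8192 { // the long-message padding variant is not modelled
		panic("aesMMO: message too long for this example")
	}
	p := append(append([]byte{}, msg...), 0x80)
	for len(p)%16 != 14 {
		p = append(p, 0x00)
	}
	p = append(p, byte(len(msg)*8>>8), byte(len(msg)*8))
	h := make([]byte, 16) // Hash_0 = 0^128
	for i := 0; i < len(p); i += 16 {
		out := aesBlock(h, p[i:i+16], false)
		for j := range out {
			out[j] ^= p[i+j] // Hash_i = E(Hash_{i-1}, M_i) XOR M_i
		}
		h = out
	}
	return h
}

// aesBlock encrypts or decrypts one 16-byte block; in Join it also stands in
// for the APS-layer CCM* protection of the Transport Key command.
func aesBlock(key, in []byte, decrypt bool) []byte {
	c, _ := aes.NewCipher(key) // only 16-byte keys are ever passed, so this cannot fail
	out := make([]byte, 16)
	if decrypt { c.Decrypt(out, in) } else { c.Encrypt(out, in) }
	return out
}

func concat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }
func random16() []byte          { r := make([]byte, 16); rand.Read(r); return r }
func equal(a, b []byte) bool    { return subtle.ConstantTimeCompare(a, b) == 1 }

// Kc lives only on the device and in the device platform cloud; the gateway
// relays the Install Code and the Auth values but never sees Kc.
type Device struct{ EUI string; InstallCode, Kc []byte }
type DeviceCloud struct{ InstallCodes, Kcs, r1 map[string][]byte } // all keyed by EUI
type Gateway struct{ NwkKey []byte; Blacklist map[string]bool }

// Steps 6133/6134: return the Install Code and a fresh R1 for a known EUI.
func (c *DeviceCloud) GetInstallCode(eui string) (ic, r1 []byte, ok bool) {
	if ic, ok = c.InstallCodes[eui]; ok {
		r1 = random16()
		c.r1[eui] = r1
	}
	return
}

// Steps 6233/9303: first access authentication, Auth1' = AES-MMO(Kc|R1).
func (c *DeviceCloud) VerifyDevice(eui string, auth1 []byte) bool {
	kc, ok := c.Kcs[eui]
	r1, ok2 := c.r1[eui]
	return ok && ok2 && equal(aesMMO(concat(kc, r1)), auth1)
}

// Steps 6233/9243: answer the device's challenge with Auth2 = AES-MMO(Kc|R2).
func (c *DeviceCloud) AnswerChallenge(eui string, r2 []byte) []byte {
	if kc, ok := c.Kcs[eui]; ok {
		return aesMMO(concat(kc, r2))
	}
	return nil // the "invalid value" of step 6233
}

// Join runs the FIG. 6 order (cloud authenticates the device first) or, with
// deviceFirst set, the FIG. 9 order (device authenticates the cloud first).
func Join(d *Device, g *Gateway, cloud *DeviceCloud, deviceFirst bool) string {
	ic, r1, ok := cloud.GetInstallCode(d.EUI) // steps 613..614
	if !ok {
		return "rejected: unknown EUI"
	}
	wrapped := aesBlock(aesMMO(ic), g.NwkKey, false)       // 615/617: TCLK = AES-MMO(Install Code)
	nwk := aesBlock(aesMMO(d.InstallCode), wrapped, true) // 616: TCLK' on the device side
	if !equal(nwk, g.NwkKey) { // 618: a real stack sees the CCM* MIC fail instead
		return "join failed: install code mismatch"
	}
	auth1, r2 := aesMMO(concat(d.Kc, r1)), random16() // 620..622: write R1, read back Auth1|R2
	if !deviceFirst && !cloud.VerifyDevice(d.EUI, auth1) { // 623..625
		g.Blacklist[d.EUI] = true
		return "blacklisted: cloud rejected device"
	}
	auth2 := cloud.AnswerChallenge(d.EUI, r2) // 623..625 / 924..926
	if !equal(aesMMO(concat(d.Kc, r2)), auth2) { // 626..628 / 927..928: Auth2' = AES-MMO(Kc|R2)
		g.Blacklist[d.EUI] = true // the device leaves; the gateway blacklists it
		return "device left: cloud rejected by device"
	}
	if deviceFirst && !cloud.VerifyDevice(d.EUI, auth1) { // 930..932
		g.Blacklist[d.EUI] = true
		return "blacklisted: cloud rejected device"
	}
	return "joined" // 630: TCLK updated, normal connection
}
```

Two points the model makes visible. First, Kc never leaves the device and the device platform cloud: the distribution network platform gateway and cloud only relay Auth1, R2 and Auth2, so neither can forge the authentication in either direction, although the gateway does hold the Install Code in the FIG. 6 variant and therefore the TCLK. Second, in the FIG. 6 order the cloud withholds Auth2 until Auth1 verifies, whereas in the FIG. 9 order it answers R2 for any known EUI and a device with a bad Kc is only caught at step 932, after it already holds the Network Key; the first order leaks nothing to an unauthenticated device. All comparisons are constant-time. As a practitioner's caveat, AES-MMO(Kc|R) is an unkeyed hash of a concatenation rather than a keyed MAC; where the key generation algorithm is a free choice, a keyed construction such as AES-CMAC over R under Kc is the conventional option.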
FIG. 11 shows a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of this application. The apparatus may be implemented as a Zigbee device or as part of a Zigbee device. The apparatus 1000 includes:
a processing unit 1010, configured to generate a second random number;
generate a second device-side key from the second random number and a license key, the license key being a key stored in the Zigbee device and in the device platform cloud of the Zigbee device; and
perform the second access authentication of the Zigbee device according to the second device-side key.
In an optional embodiment, the apparatus 1000 further includes:
a communication unit, configured to receive a first random number sent by a distribution network platform gateway, where the distribution network platform gateway supports building a Zigbee network;
the processing unit 1010 is further configured to generate a first device-side key from the first random number and the license key, the first device-side key being used for the first access authentication of the Zigbee device.
In an optional embodiment, the apparatus 1000 further includes:
a communication unit, configured to receive a random number write request sent by the distribution network platform gateway to a custom cluster of the Zigbee device, the random number write request carrying the first random number.
In an optional embodiment, the processing unit 1010 is further configured to:
process the first random number and the license key with a first key generation algorithm to generate the first device-side key.
In an optional embodiment, the first key generation algorithm includes the AES-MMO hash algorithm.
In an optional embodiment, the apparatus 1000 further includes:
a communication unit, configured to send the second random number and the first device-side key to the device platform cloud through the distribution network platform gateway and the distribution network platform cloud, where the distribution network platform cloud is the cloud server corresponding to the distribution network platform gateway, the second random number is used by the device platform cloud to generate a second cloud key, and the second cloud key is used for the second access authentication of the Zigbee device.
In an optional embodiment, the apparatus 1000 further includes:
a communication unit, configured to receive the authentication result of the first access authentication and the second cloud key, which the distribution network platform gateway sends when the authentication result of the first access authentication is success, where the authentication result of the first access authentication is determined by the device platform cloud from the first device-side key and a first cloud key, and the first cloud key is generated by the device platform cloud from the first random number and the license key.
In an optional embodiment, the processing unit 1010 is further configured to:
determine the authentication result of the second access authentication according to the second device-side key and the second cloud key.
In an optional embodiment, the apparatus 1000 further includes:
a communication unit, configured to send the authentication result of the second access authentication to the distribution network platform gateway.
In an optional embodiment, the apparatus 1000 further includes:
a communication unit, configured to send the second random number to the device platform cloud of the Zigbee device through the distribution network platform gateway and the distribution network platform cloud, where the distribution network platform cloud is the cloud server corresponding to the distribution network platform gateway, the second random number is used by the device platform cloud to generate a second cloud key, and the second cloud key is used for the second access authentication of the Zigbee device.
In an optional embodiment, the apparatus 1000 further includes:
a communication unit, configured to receive the second cloud key sent by the distribution network platform gateway.
In an optional embodiment, the apparatus 1000 further includes:
a communication unit, configured to receive a write request sent by the distribution network platform gateway to the custom cluster of the Zigbee device, the write request carrying the second cloud key.
In an optional embodiment, the processing unit 1010 is further configured to:
determine the authentication result of the second access authentication according to the second device-side key and the second cloud key.
In an optional embodiment, the apparatus 1000 further includes:
a communication unit, configured to send the authentication result of the second access authentication to the distribution network platform gateway.
In an optional embodiment, the apparatus 1000 further includes:
a communication unit, configured to send the authentication result of the second access authentication to the distribution network platform gateway when that authentication result is success.
In an optional embodiment, the processing unit 1010 is further configured to:
leave the Zigbee network when the authentication result of the second access authentication is failure.
In an optional embodiment, the apparatus 1000 further includes:
a communication unit, configured to send first indication information to the distribution network platform gateway, where the first indication information is used to indicate
In an optional embodiment, the first device-side key is stored in a custom cluster of the Zigbee device, the second device-side key is stored in a custom cluster of the Zigbee device, and the access type of the custom cluster is write-then-return.
In an optional embodiment, the processing unit 1010 is further configured to:
process the second random number and the license key with a second key generation algorithm to generate the second device-side key.
In an optional embodiment, the second key generation algorithm includes the AES-MMO hash algorithm.
FIG. 12 shows a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of this application. The apparatus 1100 may be implemented as a device platform cloud or as part of a device platform cloud. The apparatus 1100 includes:
a processing unit 1110, configured to generate a first cloud key from a first random number and a license key, where the device platform cloud is the cloud server of the manufacturer to which the Zigbee device belongs, the license key is a key stored in the Zigbee device and in the device platform cloud of the Zigbee device, the first random number is either generated by the device platform cloud or obtained from a distribution network platform cloud, and the distribution network platform cloud is the cloud server corresponding to a distribution network platform gateway that supports building a Zigbee network; and
perform the first access authentication of the Zigbee device according to the first cloud key.
In an optional embodiment, the apparatus 1100 further includes:
a communication unit, configured to receive a first access authentication request sent by the distribution network platform cloud, the first access authentication request including a second random number and a first device-side key, where the second random number is generated by the Zigbee device and the first device-side key is generated by the Zigbee device from the first random number and the license key;
the processing unit 1110 is further configured to generate a second cloud key from the second random number and the license key, the second cloud key being used for the second access authentication of the Zigbee device.
In some optional embodiments, the processing unit 1110 is further configured to:
generate the second cloud key from the second random number and the license key when the authentication result of the first access authentication is success.
In an optional embodiment, the apparatus 1100 further includes:
a communication unit, configured to send the authentication result of the first access authentication and the second cloud key to the distribution network platform cloud.
In an optional embodiment, the apparatus 1100 further includes:
a communication unit, configured to receive a second random number sent by the distribution network platform cloud, the second random number being generated by the Zigbee device;
the processing unit 1110 is further configured to generate a second cloud key from the second random number and the license key, the second cloud key being used for the second access authentication of the Zigbee device.
In an optional embodiment, the apparatus 1100 further includes:
a communication unit, configured to send the second cloud key to the distribution network platform cloud.
In an optional embodiment, the apparatus 1100 further includes:
a communication unit, configured to receive a first access authentication request sent by the distribution network platform cloud, the first access authentication request including the first device-side key.
In an optional embodiment, the apparatus 1100 further includes:
a communication unit, configured to receive a first request sent by the distribution network platform cloud, the first request requesting the installation code of the Zigbee device and the first random number, or the first request requesting the first random number.
In an optional embodiment, the apparatus 1100 further includes:
a communication unit, configured to send the installation code of the Zigbee device and the first random number to the distribution network platform cloud, or to send the first random number to the distribution network platform cloud.
In an optional embodiment, the first request further includes the device address identifier of the Zigbee device and the manufacturer identifier of the Zigbee device.
图13示出了本申请一个示例性实施例提供的接入认证装置的结构框图,该装置1200可以实现成为配网平台网关,或者,实现成为配网平台网关中的一部分,该装置1200包括:13 shows a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application. The apparatus 1200 may be implemented as a distribution network platform gateway, or may be implemented as a part of the distribution network platform gateway. The apparatus 1200 includes:
通信单元1200,用于接收紫峰协议Zigbee设备发送的第二随机数和第一设备端密钥,其中,所述配网平台网关支持构建Zigbee网络,所述第一设备端密钥是所述Zigbee设备根据第一随机数和所述Zigbee设备的许可密钥生成的,所述第二随机数用于所述Zigbee设备的设备平台云确定第二云端密钥,所述第二云端密钥用于所述Zigbee设备的第二接入认证;以及The communication unit 1200 is configured to receive the second random number and the first device-side key sent by the Zigbee device of the Zifeng protocol, wherein the network distribution platform gateway supports the construction of a Zigbee network, and the first device-side key is the Zigbee network The device is generated according to the first random number and the license key of the Zigbee device, the second random number is used for the device platform cloud of the Zigbee device to determine the second cloud key, and the second cloud key is used for a second access authentication for the Zigbee device; and
向配网平台云发送第一接入认证请求,所述第一接入认证请求包括所述第二随机数,或者所述第一接入认证请求包括所述第二随机数和所述第一设备端密钥,所述第一设备端密钥用于所述设备平台云对所述Zigbee设备进行第一接入认证,所述配网平台云是所述配网平台网关对应的云端服务器。Send a first access authentication request to the distribution network platform cloud, where the first access authentication request includes the second random number, or the first access authentication request includes the second random number and the first A device-side key, where the first device-side key is used for the device platform cloud to perform first access authentication for the Zigbee device, and the distribution network platform cloud is a cloud server corresponding to the distribution network platform gateway.
In an optional embodiment, the communication unit 1200 is further configured to:
receive the second cloud key, or the authentication result of the first access authentication together with the second cloud key, sent by the distribution network platform cloud, where the authentication result of the first access authentication is determined by the device platform cloud from the first device-side key and a first cloud key, and the first cloud key is generated by the device platform cloud from the first random number and the license key.
In an optional embodiment, the communication unit 1200 is further configured to send a write request to a custom cluster of the Zigbee device, the write request carrying the second cloud key.
In an optional embodiment, the communication unit 1200 is further configured to send the write request to the custom cluster of the Zigbee device only when the authentication result of the first access authentication is success.
In an optional embodiment, the apparatus further includes:
a processing unit configured to add the Zigbee device to a device blacklist and remove the Zigbee device from the Zigbee network when the first authentication result is failure.
In an optional embodiment, the communication unit 1200 is further configured to receive, when the authentication result of the second access authentication is failure, first indication information sent by the Zigbee device, the first indication information indicating that the Zigbee device is leaving the Zigbee network;
In an optional embodiment, the apparatus further includes:
a processing unit configured to add the Zigbee device to the device blacklist.
In an optional embodiment, the communication unit 1200 is further configured to send a first request to the distribution network platform cloud, the first request requesting the install code of the Zigbee device and the first random number, or requesting only the first random number.
In an optional embodiment, the communication unit 1200 is further configured to receive the install code of the Zigbee device and the first random number sent by the distribution network platform cloud, or
to receive only the first random number sent by the distribution network platform cloud.
In an optional embodiment, the first request further includes the device address identifier of the Zigbee device and the manufacturer identifier of the Zigbee device.
In an optional embodiment, the first access authentication request further includes the device address identifier of the Zigbee device and the manufacturer identifier of the Zigbee device.
FIG. 14 shows a structural block diagram of an access authentication apparatus provided by an exemplary embodiment of the present application. The apparatus 1300 may be implemented as a control device or as part of a control device, and includes:
a communication unit 1310 configured to obtain device information of a Zigbee-protocol device, where the device information of the Zigbee device includes the device protocol type of the Zigbee device, the device address identifier of the Zigbee device and the manufacturer identifier of the Zigbee device;
a processing unit 1320 configured to determine a distribution network platform gateway according to the device protocol type of the Zigbee device, where the distribution network platform gateway supports building a Zigbee network;
the communication unit 1310 being further configured to send the device information of the Zigbee device to the distribution network platform gateway.
In an optional embodiment, the device address identifier of the Zigbee device includes the media access control (MAC) address of the Zigbee device.
In an optional embodiment, the device information of the Zigbee device further includes the install code of the Zigbee device.
In an optional embodiment, the install code of the Zigbee device is the PIN code of the Zigbee device.
FIG. 15 shows a schematic structural diagram of a computer device (such as a Zigbee device, a distribution network platform gateway or a device platform cloud) provided by an exemplary embodiment of the present application. The computer device includes a processor 101, a receiver 102, a transmitter 103, a memory 104 and a bus 105.
The processor 101 includes one or more processing cores and performs functional applications and information processing by running software programs and modules.
The receiver 102 and the transmitter 103 may be implemented as a single communication component, which may be a communication chip.
The memory 104 is connected to the processor 101 through the bus 105.
The memory 104 may store at least one instruction, and the processor 101 executes that instruction to implement the steps of the method embodiments above.
In addition, the memory 104 may be implemented by any type of volatile or non-volatile storage device or a combination thereof, including but not limited to magnetic or optical disk, electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), static random access memory (SRAM), read-only memory (ROM), magnetic memory, flash memory and programmable read-only memory (PROM).
In an exemplary embodiment, the computer device includes a processor, a memory and a transceiver (the transceiver may include a receiver for receiving information and a transmitter for sending information).
In a possible implementation, when the computer device is implemented as a Zigbee device,
the processor is configured to generate a second random number; generate a second device-side key from the second random number and a license key, the license key being a key stored both in the Zigbee device and in the device platform cloud of the Zigbee device; and perform the second access authentication of the Zigbee device according to the second device-side key.
When the computer device is implemented as a Zigbee device, the processor and transceiver of the computer device of the embodiments of the present application may perform the steps performed by the Zigbee device in any of the methods shown in FIG. 2 to FIG. 10, which are not repeated here.
In a possible implementation, when the computer device is implemented as a distribution network platform gateway,
the transceiver is configured to receive a second random number and a first device-side key sent by a Zigbee-protocol device, and to send a first access authentication request to the distribution network platform cloud, the first access authentication request including the second random number, or including the second random number and the first device-side key.
When the computer device is implemented as a distribution network platform gateway, the processor and transceiver of the computer device of the embodiments of the present application may perform the steps performed by the distribution network platform gateway in any of the methods shown in FIG. 2 to FIG. 10, which are not repeated here.
In a possible implementation, when the computer device is implemented as a device platform cloud,
the processor is configured to generate a first cloud key from a first random number and the license key, and to perform the first access authentication of the Zigbee device according to the first cloud key.
When the computer device is implemented as a device platform cloud, the processor and transceiver of the computer device of the embodiments of the present application may perform the steps performed by the device platform cloud in any of the methods shown in FIG. 2 to FIG. 10, which are not repeated here.
In a possible implementation, when the computer device is implemented as a control device,
the transceiver is configured to obtain device information of a Zigbee-protocol device, where the device information of the Zigbee device includes the device protocol type of the Zigbee device, the device address identifier of the Zigbee device and the manufacturer identifier of the Zigbee device;
the processor is configured to determine a distribution network platform gateway according to the device protocol type of the Zigbee device, where the distribution network platform gateway supports building a Zigbee network;
the transceiver is further configured to send the device information of the Zigbee device to the distribution network platform gateway.
When the computer device is implemented as a control device, the processor and transceiver of the computer device of the embodiments of the present application may perform the steps performed by the control device or terminal device in any of the methods shown in FIG. 2 to FIG. 10, which are not repeated here.
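The two-stage exchange described above for the gateway unit 1200 and for the device, gateway and cloud roles (and set out again in claims 1 to 18 below, with the AES-MMO derivation named in claim 5), as an added example in Go. This is not code from the patent or its applicant. It assumes that the key derivation is AES-MMO over the concatenation random number || license key (the page names only the two inputs and the hash), that random numbers are 16 bytes, that the device address identifier is the MAC address and is what the device platform cloud indexes license keys by, that the cloud rejects unknown addresses, and that the relay through the distribution network platform cloud can be collapsed into a direct call; Device, Cloud, Gateway and all method names are chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// aesMMO: Zigbee AES-MMO (Matyas-Meyer-Oseas over AES-128) for messages under 2^16 bits.
// Padding: 0x80, zeros to 14 mod 16, 16-bit big-endian bit length; H_i = AES_{H_{i-1}}(M_i) XOR M_i.
func aesMMO(msg []byte) [16]byte {
	if len(msg) >= 1<<13 {
		panic("aesMMO: message too long for the 16-bit length field")
	}
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%16 != 14 {
		padded = append(padded, 0x00)
	}
	padded = append(padded, byte(len(msg)*8>>8), byte(len(msg)*8))
	var h, enc [16]byte // h starts at zero and keys the AES call for each block
	for i := 0; i < len(padded); i += 16 {
		block, _ := aes.NewCipher(h[:]) // a 16-byte key never errors
		block.Encrypt(enc[:], padded[i:i+16])
		for j := range h {
			h[j] = enc[j] ^ padded[i+j]
		}
	}
	return h
}

// deriveKey is the claim 4/5 derivation; the order nonce||licenceKey is an assumption of this example.
func deriveKey(nonce, licenceKey []byte) [16]byte {
	return aesMMO(append(append([]byte{}, nonce...), licenceKey...))
}

type Device struct {
	MAC               string
	licenceKey, rand2 []byte   // licence key: provisioned at manufacture, mirrored in the device platform cloud
	devKey1, devKey2  [16]byte // the custom-cluster attributes of claim 18
	InNetwork         bool
}
// WriteFirstRandom models the gateway's random-number write request (claim 3).
func (d *Device) WriteFirstRandom(rand1 []byte) { d.devKey1 = deriveKey(rand1, d.licenceKey) }
// FirstAuthMaterial draws rand2 (16 bytes assumed) and returns what the device sends the gateway (claim 6).
func (d *Device) FirstAuthMaterial() ([]byte, [16]byte) {
	d.rand2 = make([]byte, 16)
	if _, err := rand.Read(d.rand2); err != nil {
		panic(err)
	}
	d.devKey2 = deriveKey(d.rand2, d.licenceKey)
	return d.rand2, d.devKey1
}
// VerifyCloudKey is the second access authentication on the device (claims 8, 13, 16).
func (d *Device) VerifyCloudKey(cloudKey2 [16]byte) bool {
	ok := subtle.ConstantTimeCompare(cloudKey2[:], d.devKey2[:]) == 1
	d.InNetwork = d.InNetwork && ok // leave the Zigbee network on mismatch
	return ok
}
// Cloud is the device platform cloud; rejecting unknown MACs is an assumption the page does not state.
type Cloud struct{ licences map[string][]byte } // licence keys by device address identifier (MAC)
// FirstAuth recomputes the first cloud key, compares, and only on success derives the second cloud key.
func (c *Cloud) FirstAuth(mac string, rand1, rand2 []byte, devKey1 [16]byte) (bool, [16]byte) {
	lic, known := c.licences[mac]
	cloudKey1 := deriveKey(rand1, lic)
	if !known || subtle.ConstantTimeCompare(cloudKey1[:], devKey1[:]) != 1 {
		return false, [16]byte{}
	}
	return true, deriveKey(rand2, lic)
}
type Gateway struct {
	Blacklist map[string]bool // the device blacklist of the description
	cloud     *Cloud          // stands in for the relay through the distribution network platform cloud
}
// Onboard runs both authentications; rand1 is the first random number obtained from the distribution network platform cloud.
func (g *Gateway) Onboard(d *Device, rand1 []byte) (firstOK, secondOK bool) {
	if g.Blacklist[d.MAC] {
		return false, false
	}
	d.InNetwork = true
	d.WriteFirstRandom(rand1)
	rand2, devKey1 := d.FirstAuthMaterial()
	firstOK, cloudKey2 := g.cloud.FirstAuth(d.MAC, rand1, rand2, devKey1)
	secondOK = firstOK && d.VerifyCloudKey(cloudKey2) // the second cloud key is written only after the first auth succeeds
	d.InNetwork = d.InNetwork && firstOK              // the gateway removes the device on first-auth failure
	if !firstOK || !secondOK {
		g.Blacklist[d.MAC] = true
	}
	return firstOK, secondOK
}

func main() {
	lic, mac := []byte("constructed-licence-key"), "00:12:4b:00:aa:bb:cc:dd" // constructed sample values
	gw := &Gateway{Blacklist: map[string]bool{}, cloud: &Cloud{licences: map[string][]byte{mac: lic}}}
	fmt.Println(gw.Onboard(&Device{MAC: mac, licenceKey: lic}, []byte("rand1-A")))              // true true
	fmt.Println(gw.Onboard(&Device{MAC: mac, licenceKey: []byte("guess")}, []byte("rand1-B"))) // false false
}
```

Two properties of the exchange are worth checking in any real implementation and are visible in the code: the first device-side key is bound to a random number the gateway obtained from the cloud side, so a passively recorded key cannot be replayed under a fresh random number; and the second cloud key is derived from a random number the device itself chose, so a gateway that never consulted the device platform cloud (and so never saw the license key) cannot produce it. Both properties collapse if either random number is fixed or reused, so the generators on both sides must be unpredictable. The AES-MMO padding follows the Zigbee specification for messages shorter than 2^16 bits; verify the routine against the specification's install-code test vector before relying on it, since the same hash is what turns an install code into a link key.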
In an exemplary embodiment, a computer-readable storage medium is also provided, storing a computer program that is loaded and executed by a processor to implement the access authentication method performed by the computer device in the method embodiments above.
In an exemplary embodiment, a computer program product is also provided which, when run on the processor of a computer device, causes the network device to execute the access authentication method of the above aspects.
In an exemplary embodiment, a chip is also provided, the chip including programmable logic circuitry and/or program instructions and, when run on a computer device, implementing the access authentication method of the above aspects.
The above are only optional embodiments of the present application and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present application shall fall within its scope of protection.
It should be understood that the processor of the embodiments of the present application may be an integrated circuit chip with signal processing capability. In implementation, each step of the method embodiments above may be completed by integrated logic circuitry in hardware in the processor or by instructions in software form. The processor may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the present application may be embodied directly as execution by a hardware decoding processor, or as execution by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above methods in combination with its hardware.
It can be understood that the memory of the embodiments of the present application may be volatile memory, non-volatile memory, or both. The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically EPROM (EEPROM) or flash memory. The volatile memory may be random access memory (RAM), used as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct Rambus RAM (DR RAM). The memory of the systems and methods described herein is intended to include, but not be limited to, these and any other suitable types of memory.
It should be understood that the above memory types are illustrative and not limiting; for example, the memory of the embodiments of the present application may also be static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), direct Rambus RAM (DR RAM) and so on. That is, the memory of the embodiments of the present application is intended to include, but not be limited to, these and any other suitable types of memory.
The embodiments of the present application further provide a computer-readable storage medium for storing a computer program.
Optionally, the computer-readable storage medium may be applied to the network device of the embodiments of the present application, and the computer program causes a computer to execute the corresponding processes implemented by the network device in each method of the embodiments of the present application, which for brevity are not repeated here.
Optionally, the computer-readable storage medium may be applied to the mobile terminal/terminal device of the embodiments of the present application, and the computer program causes a computer to execute the corresponding processes implemented by the mobile terminal/terminal device in each method of the embodiments of the present application, which for brevity are not repeated here.
The embodiments of the present application further provide a computer program product including computer program instructions.
Optionally, the computer program product may be applied to the network device of the embodiments of the present application, and the computer program instructions cause a computer to execute the corresponding processes implemented by the network device in each method of the embodiments of the present application, which for brevity are not repeated here.
Optionally, the computer program product may be applied to the mobile terminal/terminal device of the embodiments of the present application, and the computer program instructions cause a computer to execute the corresponding processes implemented by the mobile terminal/terminal device in each method of the embodiments of the present application, which for brevity are not repeated here.
The embodiments of the present application further provide a computer program.
Optionally, the computer program may be applied to the network device of the embodiments of the present application; when run on a computer, it causes the computer to execute the corresponding processes implemented by the network device in each method of the embodiments of the present application, which for brevity are not repeated here.
Optionally, the computer program may be applied to the mobile terminal/terminal device of the embodiments of the present application; when run on a computer, it causes the computer to execute the corresponding processes implemented by the mobile terminal/terminal device in each method of the embodiments of the present application, which for brevity are not repeated here.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. Skilled artisans may implement the described functionality in different ways for each particular application, and such implementations should not be considered beyond the scope of the present application.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual need to achieve the purpose of the solution of this embodiment.
In addition, the functional units of the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented as software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art or in part, may be embodied as a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
The above are only specific embodiments of the present application, but the scope of protection of the present application is not limited to them; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed in the present application shall fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be that of the claims.

Claims (56)

  1. A method for access authentication, comprising:
    a Zigbee-protocol device generating a second random number;
    generating a second device-side key from the second random number and a license key, the license key being a key stored both in the Zigbee device and in the device platform cloud of the Zigbee device; and
    performing second access authentication of the Zigbee device according to the second device-side key.
  2. The method according to claim 1, further comprising:
    the Zigbee device receiving a first random number sent by a distribution network platform gateway, the distribution network platform gateway supporting the building of a Zigbee network; and
    generating a first device-side key from the first random number and the license key, the first device-side key being used for first access authentication of the Zigbee device.
  3. The method according to claim 2, wherein the Zigbee device receiving the first random number sent by the distribution network platform gateway comprises:
    the Zigbee device receiving a random-number write request sent by the distribution network platform gateway to a custom cluster of the Zigbee device, the random-number write request carrying the first random number.
  4. The method according to claim 2 or 3, wherein generating the first device-side key from the first random number and the license key comprises:
    processing the first random number and the license key with a first key generation algorithm to generate the first device-side key.
  5. The method according to claim 4, wherein the first key generation algorithm comprises the AES-MMO hash algorithm.
  6. The method according to any one of claims 2 to 5, further comprising:
    the Zigbee device sending the second random number and the first device-side key to the device platform cloud through the distribution network platform gateway and a distribution network platform cloud, the distribution network platform cloud being the cloud server corresponding to the distribution network platform gateway, the second random number being used by the device platform cloud to generate a second cloud key, and the second cloud key being used for the second access authentication of the Zigbee device.
  7. The method according to claim 6, further comprising:
    the Zigbee device receiving the authentication result of the first access authentication and the second cloud key, sent by the distribution network platform gateway when the authentication result of the first access authentication is success, wherein the authentication result of the first access authentication is determined by the device platform cloud from the first device-side key and a first cloud key, and the first cloud key is generated by the device platform cloud from the first random number and the license key.
  8. The method according to claim 7, wherein performing second access authentication of the distribution network platform gateway according to the second device-side key comprises:
    the Zigbee device determining the authentication result of the second access authentication from the second device-side key and the second cloud key.
  9. The method according to claim 8, further comprising:
    the Zigbee device sending the authentication result of the second access authentication to the distribution network platform gateway.
  10. The method according to any one of claims 2 to 5, further comprising:
    the Zigbee device sending the second random number to the device platform cloud of the Zigbee device through the distribution network platform gateway and a distribution network platform cloud, the distribution network platform cloud being the cloud server corresponding to the distribution network platform gateway, the second random number being used by the device platform cloud to generate a second cloud key, and the second cloud key being used for the second access authentication of the Zigbee device.
  11. The method according to claim 10, further comprising:
    the Zigbee device receiving the second cloud key sent by the distribution network platform gateway.
  12. The method according to claim 11, wherein the Zigbee device receiving the second cloud key sent by the distribution network platform gateway comprises:
    the Zigbee device receiving a write request sent by the distribution network platform gateway to the custom cluster of the Zigbee device, the write request carrying the second cloud key.
  13. The method according to claim 12, wherein performing second access authentication of the distribution network platform gateway according to the second device-side key comprises:
    determining the authentication result of the second access authentication from the second device-side key and the second cloud key.
  14. The method according to claim 13, further comprising:
    the Zigbee device sending the authentication result of the second access authentication to the distribution network platform gateway.
  15. The method according to claim 14, wherein the Zigbee device sending the authentication result of the second access authentication to the distribution network platform gateway comprises:
    the Zigbee device sending the authentication result of the second access authentication to the distribution network platform gateway when that authentication result is success.
  16. The method according to claim 13 or 14, further comprising:
    the Zigbee device leaving the Zigbee network when the authentication result of the second access authentication is failure.
  17. The method according to any one of claims 13 to 16, further comprising:
    sending first indication information to the distribution network platform gateway, the first indication information indicating that the Zigbee device is leaving the Zigbee network.
  18. The method according to any one of claims 2 to 17, wherein the first device-side key is stored in a custom cluster of the Zigbee device, the second device-side key is stored in the custom cluster of the Zigbee device, and the access type of the custom cluster is write-then-return.
  19. The method according to any one of claims 1 to 18, wherein generating the second device-side key from the second random number and the license key comprises:
    采用第二密钥生成算法,对所述第二随机数和所述许可密钥进行处理,生成所述第二设备端密钥。Using a second key generation algorithm, the second random number and the license key are processed to generate the second device-side key.
  20. 根据权利要求19所述的方法,其特征在于,所述第二密钥生成算法包括:AES-MMO哈希算法。The method of claim 19, wherein the second key generation algorithm comprises: an AES-MMO hash algorithm.
  21. An access authentication method, comprising:
    a device platform cloud generating a first cloud key according to a first random number and a license key, wherein the device platform cloud is the cloud server of the manufacturer of a Zigbee device, the license key is a key stored in both the Zigbee device and the device platform cloud of the Zigbee device, the first random number is either generated by the device platform cloud or obtained from a distribution network platform cloud, and the distribution network platform cloud is the cloud server corresponding to a distribution network platform gateway that supports building a Zigbee network;
    performing the first access authentication of the Zigbee device according to the first cloud key.
  22. The method according to claim 21, wherein the method further comprises:
    the device platform cloud receives a first access authentication request sent by the distribution network platform cloud, the first access authentication request comprising a second random number and a first device-side key, the second random number being generated by the Zigbee device and the first device-side key being generated by the Zigbee device according to the first random number and the license key;
    generating a second cloud key according to the second random number and the license key, the second cloud key being used for the second access authentication of the Zigbee device.
  23. The method according to claim 22, wherein generating the second cloud key according to the second random number and the license key comprises:
    the device platform cloud generates the second cloud key according to the second random number and the license key when the authentication result of the first access authentication is that authentication succeeded.
  24. The method according to claim 23, wherein the method further comprises:
    the device platform cloud sends the authentication result of the first access authentication and the second cloud key to the distribution network platform cloud.
  25. The method according to claim 21, wherein the method further comprises:
    the device platform cloud receives a second random number sent by the distribution network platform cloud, the second random number being generated by the Zigbee device;
    generating a second cloud key according to the second random number and the license key, the second cloud key being used for the second access authentication of the Zigbee device.
  26. The method according to claim 25, wherein the method further comprises:
    the device platform cloud sends the second cloud key to the distribution network platform cloud.
  27. The method according to claim 26, wherein the method further comprises:
    the device platform cloud receives a first access authentication request sent by the distribution network platform cloud, the first access authentication request comprising a first device-side key, the first device-side key being generated by the Zigbee device according to the first random number and the license key.
  28. The method according to any one of claims 21 to 27, wherein the method further comprises:
    the device platform cloud receives a first request sent by the distribution network platform cloud, the first request requesting the install code of the Zigbee device and the first random number, or requesting the first random number only.
  29. The method according to claim 28, wherein the method further comprises:
    the device platform cloud sends the install code of the Zigbee device and the first random number to the distribution network platform cloud, or
    the device platform cloud sends the first random number to the distribution network platform cloud.
  30. The method according to claim 28 or 29, wherein the first request further comprises the device address identifier of the Zigbee device and the manufacturer identifier of the Zigbee device.
  31. An access authentication method, comprising:
    a distribution network platform gateway receiving a second random number and a first device-side key sent by a Zigbee device, wherein the distribution network platform gateway supports building a Zigbee network, the first device-side key is generated by the Zigbee device according to a first random number and the license key of the Zigbee device, the second random number is used by the device platform cloud of the Zigbee device to determine a second cloud key, and the second cloud key is used for the second access authentication of the Zigbee device;
    the distribution network platform gateway sends a first access authentication request to a distribution network platform cloud, the first access authentication request comprising the second random number, or comprising the second random number and the first device-side key, the first device-side key being used by the device platform cloud to perform the first access authentication of the Zigbee device, and the distribution network platform cloud being the cloud server corresponding to the distribution network platform gateway.
  32. The method according to claim 31, wherein the method further comprises:
    the distribution network platform gateway receives, from the distribution network platform cloud, the second cloud key, or the authentication result of the first access authentication together with the second cloud key, wherein the authentication result of the first access authentication is determined by the device platform cloud according to the first device-side key and a first cloud key, and the first cloud key is generated by the device platform cloud according to the first random number and the license key.
  33. The method according to claim 32, wherein the method further comprises:
    the distribution network platform gateway sends a write request to a custom cluster of the Zigbee device, the write request carrying the second cloud key.
  34. The method according to claim 33, wherein the distribution network platform gateway sending the write request to the custom cluster of the Zigbee device comprises:
    the distribution network platform gateway sends the write request to the custom cluster of the Zigbee device when the authentication result of the first access authentication is that authentication succeeded.
  35. The method according to claim 33, wherein the method further comprises:
    when the authentication result of the first access authentication is that authentication failed, the distribution network platform gateway adds the Zigbee device to a device blacklist and removes the Zigbee device from the Zigbee network.
  36. The method according to claim 32 or 33, wherein the method further comprises:
    when the authentication result of the second access authentication is that authentication failed, receiving first indication information sent by the Zigbee device, the first indication information indicating that the Zigbee device is leaving the Zigbee network;
    the distribution network platform gateway adds the Zigbee device to a device blacklist.
  37. The method according to any one of claims 31 to 36, wherein the method further comprises:
    the distribution network platform gateway sends a first request to the distribution network platform cloud, the first request requesting the install code of the Zigbee device and the first random number, or requesting the first random number only.
  38. The method according to claim 37, wherein the method further comprises:
    the distribution network platform gateway receives the install code of the Zigbee device and the first random number sent by the distribution network platform cloud, or
    the distribution network platform gateway receives the first random number sent by the distribution network platform cloud.
  39. The method according to claim 37 or 38, wherein the first request further comprises the device address identifier of the Zigbee device and the manufacturer identifier of the Zigbee device.
  40. The method according to any one of claims 31 to 39, wherein the first access authentication request further comprises the device address identifier of the Zigbee device and the manufacturer identifier of the Zigbee device.
  41. An access authentication method, comprising:
    obtaining device information of a Zigbee device, wherein the device information of the Zigbee device comprises the device protocol type of the Zigbee device, the device address identifier of the Zigbee device and the manufacturer identifier of the Zigbee device;
    determining a distribution network platform gateway according to the device protocol type to which the Zigbee device belongs, wherein the distribution network platform gateway supports building a Zigbee network;
    sending the device information of the Zigbee device to the distribution network platform gateway.
  42. The method according to claim 41, wherein the device address identifier of the Zigbee device comprises the media access control (MAC) address of the Zigbee device.
  43. The method according to claim 41 or 42, wherein the device information of the Zigbee device further comprises the install code of the Zigbee device.
  44. The method according to claim 43, wherein the install code of the Zigbee device is the PIN code of the Zigbee device.
  45. An access authentication apparatus, implemented as a Zigbee device or as part of a Zigbee device, comprising:
    a processing unit, configured to generate a second random number;
    generate a second device-side key according to the second random number and a license key, the license key being a key stored in both the Zigbee device and the device platform cloud of the Zigbee device; and
    perform the second access authentication of the Zigbee device according to the second device-side key.
  46. An access authentication apparatus, implemented as the device platform cloud or as part of the device platform cloud, comprising:
    a processing unit, configured to generate a first cloud key according to a first random number and a license key, wherein the device platform cloud is the cloud server of the manufacturer of a Zigbee device, the license key is a key stored in both the Zigbee device and the device platform cloud, the first random number is either generated by the device platform cloud or obtained from a distribution network platform cloud, and the distribution network platform cloud is the cloud server corresponding to a distribution network platform gateway that supports building a Zigbee network; and
    perform the first access authentication of the Zigbee device according to the first cloud key.
  47. An access authentication apparatus, implemented as the distribution network platform gateway or as part of the distribution network platform gateway, comprising:
    a communication unit, configured to receive a second random number and a first device-side key sent by a Zigbee device, wherein the distribution network platform gateway supports building a Zigbee network, the first device-side key is generated by the Zigbee device according to a first random number and the license key of the Zigbee device, the second random number is used by the device platform cloud of the Zigbee device to determine a second cloud key, and the second cloud key is used for the second access authentication of the Zigbee device; and
    send a first access authentication request to a distribution network platform cloud, the first access authentication request comprising the second random number, or comprising the second random number and the first device-side key, the first device-side key being used by the device platform cloud to perform the first access authentication of the Zigbee device, and the distribution network platform cloud being the cloud server corresponding to the distribution network platform gateway.
  48. An access authentication apparatus, comprising:
    a communication unit, configured to obtain device information of a Zigbee device, wherein the device information of the Zigbee device comprises the device protocol type of the Zigbee device, the device address identifier of the Zigbee device and the manufacturer identifier of the Zigbee device;
    a processing unit, configured to determine a distribution network platform gateway according to the device protocol type to which the Zigbee device belongs, wherein the distribution network platform gateway supports building a Zigbee network;
    the communication unit being further configured to send the device information of the Zigbee device to the distribution network platform gateway.
  49. An access authentication apparatus, comprising a processor and a memory, the memory storing a computer program and the processor being configured to call and run the computer program stored in the memory so as to perform the method according to any one of claims 1 to 20.
  50. An access authentication apparatus, comprising a processor and a memory, the memory storing a computer program and the processor being configured to call and run the computer program stored in the memory so as to perform the method according to any one of claims 21 to 30.
  51. An access authentication apparatus, comprising a processor and a memory, the memory storing a computer program and the processor being configured to call and run the computer program stored in the memory so as to perform the method according to any one of claims 31 to 40.
  52. An access authentication apparatus, comprising a processor and a memory, the memory storing a computer program and the processor being configured to call and run the computer program stored in the memory so as to perform the method according to any one of claims 41 to 44.
  53. A chip, comprising a processor configured to call and run a computer program from a memory so that a device in which the chip is installed performs the method according to any one of claims 1 to 20, any one of claims 21 to 30, any one of claims 31 to 40, or any one of claims 41 to 44.
  54. A computer-readable storage medium, storing a computer program that causes a computer to perform the method according to any one of claims 1 to 20, any one of claims 21 to 30, any one of claims 31 to 40, or any one of claims 41 to 44.
  55. A computer program product, comprising computer program instructions that cause a computer to perform the method according to any one of claims 1 to 20, any one of claims 21 to 30, any one of claims 31 to 40, or any one of claims 41 to 44.
  56. A computer program, which causes a computer to perform the method according to any one of claims 1 to 20, any one of claims 21 to 30, any one of claims 31 to 40, or any one of claims 41 to 44.
Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
PCT/CN2021/071140 (WO2022147843A1) | 2021-01-11 | 2021-01-11 | Access authentication method and apparatus
CN202180080426.0A (CN116547998A) | 2021-01-11 | 2021-01-11 | Method and device for access authentication

Publications (1)

Publication Number | Publication Date
WO2022147843A1 | 2022-07-14

Family ID: 82357666

Country Status (2)

Country | Publication
CN | CN116547998A
WO | WO2022147843A1

Citations (4)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN104735054A * | 2015-02-06 | 2015-06-24 | 西安电子科技大学 | Digital family equipment trusted access platform and authentication method
US20180367518A1 * | 2017-06-16 | 2018-12-20 | Amazon Technologies, Inc. | Device identification and authentication in a network
CN111163107A * | 2020-01-03 | 2020-05-15 | 杭州涂鸦信息技术有限公司 | Zigbee safety communication method and system
CN112152969A * | 2019-06-27 | 2020-12-29 | 北京微云智联科技有限公司 | Internet of things gateway and method for accessing Internet of things equipment into gateway

Also Published As

Publication number | Publication date
CN116547998A | 2023-08-04

Legal Events

Code | Title | Description
WWE | WIPO information: entry into national phase | Ref document number: 202180080426.0; Country of ref document: CN
NENP | Non-entry into the national phase | Ref country code: DE
122 | Ep: pct application non-entry in european phase | Ref document number: 21916896; Country of ref document: EP; Kind code of ref document: A1