WO2022170583A1 - Method and apparatus for authorization configuration in the Internet of Things, device, and storage medium - Google Patents


Info

Publication number: WO2022170583A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2021/076574
Prior art keywords: client device, information, verification, certificate, configuration
Other languages: English (en), Chinese (zh)
Inventors: 茹昭, 张军, 吕小强, 包永明
Original assignee: Oppo广东移动通信有限公司
Application filed by: Oppo广东移动通信有限公司
Priority to PCT/CN2021/076574: WO2022170583A1
Priority to CN202180070751.9A: CN116325661A
Publication of WO2022170583A1

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04W (Wireless communication networks) > H04W 4/00 (Services specially adapted for wireless communication networks; facilities therefor) > H04W 4/70 (Services for machine-to-machine communication [M2M] or machine type communication [MTC])
    • H > H04 > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L 63/00 (Network architectures or network communication protocols for network security) > H04L 63/08 (Authentication of entities) > H04L 63/0823 (Authentication of entities using certificates)
    • H > H04 > H04L > H04L 63/00 > H04L 63/10 (Controlling access to devices or network resources) > H04L 63/101 (Access control lists [ACL])
    • H > H04 > H04L > H04L 63/00 > H04L 63/12 (Applying verification of the received information) > H04L 63/126 (Verification of the source of the received data)
    • H > H04 > H04W > H04W 12/00 (Security arrangements; authentication; protecting privacy or anonymity) > H04W 12/60 (Context-dependent security) > H04W 12/69 (Identity-dependent) > H04W 12/77 (Graphical identity)

Definitions

  • the present application relates to the technical field of the Internet of Things, and in particular, to a method, apparatus, device, and storage medium for rights configuration in the Internet of Things.
  • the user can remotely control the functional operation of the server device through the client device.
  • IoT: Internet of Things.
  • the administrator of the server device can share the access control authority of the server device to other users.
  • the process of sharing the access control authority of the server device is as follows: the client device of the administrator of the server device generates an activation token and provides it to the server device and to the sharee's client device respectively; after the sharee's client device and the server device authenticate each other through the activation token and establish a secure connection, the access control authority of the sharee's client device over the server device is configured.
  • in this process, the server device may end up being controlled by an illegal client device, which compromises the security of access control authority sharing for the server device.
  • Embodiments of the present application provide a method, apparatus, device, and storage medium for rights configuration in the Internet of Things.
  • the technical solution is as follows:
  • an embodiment of the present application provides a method for configuring rights in the Internet of Things, where the method is executed by a first client device, and the first client device has management rights of a server device; the method includes:
  • the first verification information is generated based on the first random value
  • an embodiment of the present application provides a method for configuring rights in the Internet of Things, the method is executed by a second client device, and the method includes:
  • the first client device has the management authority of the server device; the first client device triggers, through configuration trigger information, the server device to open permissions to the second client device; the first verification information is generated based on the first random value.
  • an embodiment of the present application provides a method for configuring rights in the Internet of Things, the method is executed by a server device, and the method includes:
  • receiving configuration trigger information sent by a first client device; the configuration trigger information is sent after the first client device sends a first verification request containing a first random value to a second client device, receives the first verification information sent by the second client device, and verifies that first verification information successfully; the first verification information is generated based on the first random value;
  • opening permissions to the second client device according to the configuration trigger information.
  • an embodiment of the present application provides an apparatus for configuring rights in the Internet of Things, the apparatus is used in a first client device, and the first client device has management rights of a server device; the apparatus includes:
  • a first verification request sending module configured to send a first verification request to the second client device, where the first verification request includes a first random value
  • a first verification information receiving module configured to receive the first verification information sent by the second client device; the first verification information is generated based on the first random value;
  • a first verification module configured to verify the first verification information
  • a configuration triggering module configured to trigger, through configuration trigger information, the server device to open permissions to the second client device when the first verification information passes verification.
  • an embodiment of the present application provides an apparatus for configuring rights in the Internet of Things, where the apparatus is used in a second client device, and the apparatus includes:
  • a first verification request receiving module configured to receive a first verification request sent by a first client device, where the first verification request includes a first random value; the first client device has the management rights of the server device;
  • a first verification information sending module configured to send first verification information to the first client device, so that, after the first verification information passes verification, the first client device can trigger the server device through configuration trigger information to open permissions to the second client device; the first verification information is generated based on the first random value.
  • an embodiment of the present application provides an apparatus for configuring permissions in the Internet of Things, where the apparatus is used in a server device, and the apparatus includes:
  • a configuration trigger information receiving module configured to receive the configuration trigger information sent by the first client device;
  • the configuration trigger information is sent after the first client device sends a first verification request containing a first random value to the second client device, receives the first verification information sent by the second client device, and verifies that first verification information successfully; the first verification information is generated based on the first random value;
  • a rights opening module configured to open rights to the second client device according to the configuration trigger information.
  • an embodiment of the present application provides an IoT device; the IoT device includes a processor, a memory, and a transceiver, the memory stores a computer program, and the computer program is configured to be executed by the processor in order to implement the above-mentioned permission configuration method in the Internet of Things.
  • an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to implement the above method for configuring rights in the Internet of Things.
  • the present application also provides a chip, which is used to run in an IoT device, so that the IoT device executes the above-mentioned permission configuration method in the IoT.
  • the present application provides a computer program product comprising computer instructions stored in a computer-readable storage medium.
  • the processor of the Internet of Things device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the Internet of Things device executes the above-mentioned permission configuration method in the Internet of Things.
  • the present application provides a computer program, the computer program being executed by a processor of an Internet of Things device, so as to implement the above method for configuring rights in the Internet of Things.
  • before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return verification information through the first random value, and then verifies that verification information to establish the legitimacy of the second client device; only after the second client device is verified as legitimate is the authority of the server device shared with it. This avoids sharing the access control authority of the server device with an illegal client device and improves the security of access control authority sharing for the server device.
  • FIG. 1 is a schematic diagram of a network architecture of the Internet of Things provided by an embodiment of the present application.
  • FIG. 2 is a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application
  • FIG. 3 is a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application
  • FIG. 4 is a schematic diagram of a permission sharing process flow of the server device involved in the embodiment shown in FIG. 3;
  • FIG. 5 is a schematic diagram of a rights sharing process flow of the server device involved in the embodiment shown in FIG. 3;
  • FIG. 6 is a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application
  • Fig. 7 is a schematic diagram of a permission sharing process flow of the server device involved in the embodiment shown in Fig. 6;
  • FIG. 8 is a block diagram of an apparatus for configuring rights in the Internet of Things provided by an embodiment of the present application.
  • FIG. 9 is a block diagram of an apparatus for configuring rights in the Internet of Things provided by an embodiment of the present application.
  • FIG. 10 is a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of an Internet of Things device provided by an embodiment of the present application.
  • the network architecture and service scenarios described in the embodiments of the present application are for the purpose of illustrating the technical solutions of the embodiments of the present application more clearly, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application.
  • as business scenarios evolve and new business scenarios emerge, the technical solutions provided in the embodiments of the present application remain applicable to similar technical problems.
  • FIG. 1 shows a schematic diagram of a network architecture of the Internet of Things provided by an embodiment of the present application.
  • the network architecture of the Internet of Things may include: a server device 110 and at least two client devices 120; optionally, the network architecture may further include a gateway device 130, a cloud server 140, and the like.
  • the server device 110 may be a device for providing Internet of Things functional services.
  • the server device 110 may be a smart home device, for example, a smart lamp, a smart TV, a smart air conditioner, a smart refrigerator, a smart microwave oven, a smart rice cooker, a cleaning robot, and the like.
  • the server device 110 may be an industrial production device such as a lathe, an industrial robot, a solar panel, a wind turbine, and the like.
  • the server device 110 may be a commercial service device, such as a vending machine or the like.
  • the server device 110 may be an intelligent monitoring device, such as a monitoring camera, an infrared sensor, a sound sensor, a temperature sensor, and the like.
  • the client device 120 is a terminal device on the user side.
  • the client device may be a smart phone, a tablet computer, a smart watch, etc.; or, the client device may also be a personal computer, such as a desktop computer, a laptop computer, a personal workstation, and the like.
  • the client device 120 may also be a client entity (possibly a virtual entity) running on the terminal device, for example an application (Application, APP) that performs operations such as access, control, and management.
  • at least one client device 120 has the management authority of the server device 110.
  • the gateway device 130 is a network device that realizes network interconnection above the network layer; it is also called an inter-network connector, protocol converter, and the like.
  • the gateway device 130 provides network connection services for the server device 110.
  • the gateway device 130 may be a professional gateway, such as a home gateway, or the gateway device 130 may also be an access device with a gateway function, such as a router with a gateway function.
  • the cloud server 140 is a server deployed on the network side.
  • the above-mentioned server device 110, client device 120, gateway device 130, and cloud server 140 may be IoT devices that meet industry standards, for example, IoT devices that meet the requirements of the Open Connectivity Foundation (OCF) specification for IoT devices.
  • the server device 110 and the gateway device 130 are connected through a wired or wireless network, and the cloud server 140 is respectively connected with the gateway device 130 and the client device 120 through a wired or wireless network.
  • the above wired or wireless network uses standard communication technologies and/or protocols.
  • the above wired or wireless network may be a communication network based on the IoT protocol of the Internet of Things.
  • different client devices may belong to different IoT ecosystems.
  • an IoT ecosystem, for example the ecosystem of a smart home, is a collection of devices that share the same trust center and can communicate with each other; devices exchange certificates with each other for device control, and devices in manufacturer A's ecosystem have their certificates issued through manufacturer A's platform.
  • a device holding a certificate from manufacturer A's platform and a device holding a certificate from manufacturer B's platform cannot communicate with each other even when they are connected to the same local area network; that is, the two belong to different IoT ecosystems.
  • the process can be as follows:
  • the APP installed on Alice's smartphone (that is, the A-ecosystem APP) generates an activation token (Onboarding Token, OT).
  • the A-ecosystem APP sends an instruction to enable configuration to the Bulb, and the instruction carries the activation token OT.
  • the A-ecosystem APP shares OT with the application installed on Bob's smartphone, namely the B-ecosystem APP, through an out-of-band method such as email or voice.
  • the B-ecosystem APP creates a fabric ID (fabricID) for the home network.
  • the B-ecosystem APP sends CSR.bulb and fabricID to the B-ecosystem certificate authority (Certificate Authority, CA) to request a device certificate.
  • the device certificate B.OC.bulb is generated and returned to the B-ecosystem APP.
  • the device certificate is also called the device operational credential (Operational Credential, OC).
  • the B-ecosystem APP configures the device certificate B.OC.bulb and the access control authority ACL.Bulb.B.APP1 onto the Bulb; that is, it adds ACL.Bulb.B.APP1 to the Bulb's Access Control List (ACL).
  • FIG. 2 shows a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application.
  • the method can be executed interactively between a first client device, a second client device, and a server device.
  • the first client device and the second client device may be the client device 120 of the network architecture shown in FIG. 1
  • the server device may be the server device 110 of the network architecture shown in FIG. 1; the method can include the following steps:
  • Step 201 the first client device sends a first verification request to the second client device, where the first verification request includes a first random value; correspondingly, the second client device receives the first verification request containing the first random value.
  • the first client device may be a client device having the management authority of the server device.
  • Step 202 the second client device sends first verification information to the first client device, where the first verification information is generated based on the first random value.
  • Step 203 the first client device verifies the first verification information.
  • Step 204 when the first verification information passes verification, the first client device triggers the server device through configuration trigger information to open the authority to the second client device.
  • Step 205 the server device receives the configuration trigger information sent by the first client device, and opens the authority to the second client device according to the configuration trigger information.
  • before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return verification information through the first random value, and then verifies that information to establish the legitimacy of the second client device. Only after the second client device is verified as legitimate is the authority of the server device shared with it, which avoids sharing the access control authority with an illegal client device and improves the security of access control authority sharing for the server device.
  • a channel for validating the root certificate of the second client device can be provided for the first client device.
  • FIG. 3 shows a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application.
  • the method can be executed interactively between a first client device, a second client device, and a server device.
  • the first client device and the second client device may be the client device 120 of the network architecture shown in FIG. 1
  • the server device may be the server device 110 of the network architecture shown in FIG. 1; the method can include the following steps:
  • Step 301 Establish a first secure connection between the first client device and the second client device.
  • a secure connection with the second client device may be established first.
  • a direct secure connection may be established between the first client device and the second client device.
  • the second client device may display a two-dimensional (QR) code that carries the connection establishment information of the second client device; the first client device scans the two-dimensional code displayed by the second client device to obtain that connection establishment information; after that, the first client device and the second client device establish the first secure connection between them according to the connection establishment information.
  • a secure connection may be established between the first client device and the second client device through a cloud server, for example, a secure connection may be established through a server of an instant messaging platform.
  • a secure connection may be established between the first client device and the second client device through a local area network device, for example, a secure connection may be established through a routing device in the local area network.
  • the first client device and the second client device belong to different IoT ecosystems respectively.
  • the above-mentioned first client device and the second client device belong to the same IoT ecosystem.
  • Step 302 the first client device sends a first verification request to the second client device, and the first verification request includes a first random value; correspondingly, the second client device receives the first verification request including the first random value.
  • the first client device may be a client device having the management authority of the server device.
  • the first client device may send a first verification request including the first random value to the second client device through the first secure connection with the second client device.
  • Step 303 the second client device sends the first verification information to the first client device, and accordingly, the first client device receives the first verification information;
  • the first verification information includes the first signature information, the first root certificate, and the first operation credential.
  • the first signature information is obtained by signing the target data with the first private key of the second client device;
  • the target data includes the first random value; the first operation credential is issued through the first root certificate.
  • the target data further includes at least one of the first root certificate and the first operation credential.
  • the second client device may use the first private key to sign the first random value (optionally together with the first root certificate and/or the first operation credential) to obtain the above-mentioned first signature information.
  • the above-mentioned first private key may be a private key used for operation in the second client device.
  • the first operation credential is issued by a second private key of the second client device; wherein, the second private key may be the private key of the root certificate of the second client device.
  • the second client device is provided with a first private key and a first public key for operation.
  • the root certificate of the second client device also corresponds to a pair of public and private keys, namely the second private key and second public key.
  • the second client device receives the first verification request containing the first random value sent by the first client device, and can use the first private key to sign the target data. For example, the second client device performs a hash calculation on the first random value to obtain its hash value, and then encrypts that hash value with the first private key to obtain the first signature information.
  • the above-mentioned first operation credential may be issued, based on the root certificate, by a cloud platform (such as a certification center) corresponding to the second client device.
  • when the APP on the second client device is opened for the first time, it can apply to the corresponding cloud platform for an APP certificate (i.e., the above-mentioned first operation credential), and the cloud platform issues the APP certificate for the second client device according to the root certificate.
  • for the process of verifying the first verification information, reference may be made to subsequent steps 304 to 306.
  • Step 304 the first client device performs a legality query on the first root certificate, and obtains a legality authentication result of the first root certificate.
  • the root certificates of each IoT ecosystem are stored in a common blockchain (ledger).
  • alternatively, the root certificates of each IoT ecosystem are stored on a common server, and the server takes security measures so that the stored root certificates can only be queried and cannot be tampered with; or, the root certificates of each IoT ecosystem are stored on that ecosystem's own server, which likewise takes security measures so that the stored root certificate can only be queried and cannot be tampered with.
  • the APP in each client device stores the root certificate of each IoT ecological environment, and ensures that the stored root certificate is safe and tamper-proof.
  • the above-mentioned method of performing a legality query on the first root certificate and obtaining the legality authentication result of the first root certificate may include:
  • when the root certificates of each IoT ecosystem are uniformly stored on the blockchain, the first client device can query the blockchain for the first root certificate to obtain the legality authentication result of the first root certificate.
  • the first client device may send the first root certificate to the blockchain, and the blockchain returns the validity authentication result of the first root certificate.
  • when the root certificates of each IoT ecosystem are uniformly stored on a server, the first client device stores the preset address of that server; according to the preset address, the first client device queries the server for the first root certificate and obtains the validity authentication result of the first root certificate.
  • querying the server corresponding to the query address for the first root certificate, and obtaining the validity authentication result of the first root certificate; wherein the first verification information also includes the query address.
  • when the root certificates of each IoT ecosystem are stored on their respective servers, the first verification information returned by the second client device also carries the query address of the server of the IoT ecosystem to which the second client device belongs.
  • the first client device can then query that server for the first root certificate according to the query address carried in the first verification information, and obtain the legality authentication result of the first root certificate.
  • the first client device can also query the first root certificate locally to obtain its legality. For example, the first client device checks whether the first root certificate is already stored locally; if so, it confirms that the first root certificate is valid, otherwise it confirms that the first root certificate is invalid.
  • Step 305 when the validity authentication result indicates that the first root certificate is valid, the first client device verifies the first operation certificate according to the first root certificate.
  • the above-mentioned step of verifying the first operation credential according to the first root certificate may include:
  • the first operation credential is verified according to the second public key of the second client device carried in the first root certificate.
  • the first root certificate may include the public key of the root certificate of the second client device (that is, the second public key). After confirming that the first root certificate is legal, the first client device may obtain the second public key from the first root certificate and use the second public key to verify the first operation credential.
  • the first client device can decrypt the signature in the APP certificate (that is, the first operation credential) using the second public key to obtain the hash value of the APP certificate.
  • the first client device uses the same hash algorithm to hash the signed content of the APP certificate to obtain a hash value, and then compares the two hash values. If they are the same, the verification of the first operation credential is determined to pass; otherwise, it is determined to fail.
  • Step 306 when the first operation credential passes the verification, the first client device verifies the first signature information according to the first operation credential.
  • the above-mentioned step of verifying the first signature information according to the first operation credential includes:
  • the first signature information is verified according to the first public key of the second client device carried in the first operation certificate.
  • the above-mentioned APP certificate carries a first public key (also referred to as an APP public key) corresponding to the first private key.
  • the first client device may obtain the first public key from the APP certificate, and then verify the first signature information using the first public key.
  • the first client device decrypts the first signature information (the signature) using the APP public key to obtain a hash value of the first random value; in addition, it uses the same hash algorithm to hash the first random value to obtain a hash value, and then compares the two hash values. If they are the same, the verification of the first signature information is determined to pass; otherwise, it is determined to fail.
  • the first client device may also verify only the first operation credential or only the first signature information: after the first root certificate passes the legality authentication, the first operation credential is verified according to the first root certificate (or the first operation credential is verified directly according to the first root certificate, without the legality authentication), and if the first operation credential passes verification, the first verification information is considered verified; or, after the first root certificate passes the legality authentication, the first client device verifies the first signature information directly according to the first operation credential, and if that verification passes, the first verification information is considered verified.
  • alternatively, the first client device verifies both the first operation credential and the first signature information after the first root certificate passes the validity authentication, or directly verifies the first operation credential and the first signature information.
  • the verification results then determine whether the first verification information passes verification.
  • the first client device may verify the first operation credential according to the first root certificate and, at the same time, verify the first signature information according to the first operation credential; once both pass verification, the first verification information is considered verified.
  • Step 307: when the first verification information passes the verification, the first client device triggers the server device to open the authority to the second client device through the configuration trigger information.
  • when the first verification information passes the verification, the first client device can trigger configuration interaction between the server device and the second client device through the configuration trigger information, so that the server device opens permissions to the second client device.
  • Step 308: the server device receives the configuration trigger information sent by the first client device, and opens permissions to the second client device according to the configuration trigger information.
  • when sending the configuration trigger information, the first client device may send first configuration trigger information to the second client device and second configuration trigger information to the server device; the first configuration trigger information includes the activation token, and the second configuration trigger information includes the activation token and the first operation credential.
  • the first client device may generate an activation token OT and, based on the activation token OT, send configuration trigger information to the server device and the second client device respectively, so as to trigger the process in which the server device opens permissions to the second client device.
  • the process could be as follows:
  • the second client device receives the first configuration trigger information sent by the first client device.
  • S308a2 The server device receives the second configuration trigger information sent by the first client device.
  • the second client device and the server device establish a second secure connection between the second client device and the server device according to the activation token.
  • the server device sends a second verification request to the second client device, where the second verification request includes a second random value; accordingly, the second client device receives the second verification request including the second random value sent by the server device.
  • the server device may send a second verification request including a second random value to the second client device through the above-mentioned second secure connection.
  • the second client device sends second verification information to the server device, and accordingly, the server device receives the second verification information;
  • the second verification information includes the first operation credential and fourth signature information, the fourth signature information being obtained by signing the second random value with the first private key.
  • the server device verifies the second verification information according to the first operation credential included in the second configuration trigger information.
  • the above-mentioned verification of the second verification information according to the first operation credential included in the second configuration trigger information includes:
  • the second signature information is verified according to the first operation certificate.
  • the server device may first compare the first operation credential in the second verification information with the first operation credential notified by the first client device; if the two are consistent, the second signature information is verified through the first operation credential.
  • the verification of the second signature information according to the first operation credential includes:
  • the second signature information is verified according to the first public key of the second client device carried in the first operation certificate.
  • the server device decrypts the second signature information with the APP public key to obtain a hash value of the second random value, and separately hashes the second random value with the same hash algorithm to obtain a second hash value; if the two hash values are the same, the verification of the second signature information is determined to pass, otherwise it is determined to fail.
  • S308a7 After the second verification information passes the verification, the server device sends a certificate signing request to the second client device, and correspondingly, the second client device receives the certificate signing request sent by the server device.
  • the server device may send a certificate signing request to the second client device through the second secure connection.
  • the second client device performs rights configuration in the server device according to the certificate signing request.
  • the process of performing rights configuration in the server device by the second client device may include:
  • the access control authority information is configured in the access control list ACL of the server device; the access control authority information includes an access control entry, the accessible data corresponding to the access control entry, the entities that have the right to access the accessible data, and the authorized access methods.
  • when the first client device and the second client device belong to different IoT ecosystems, the second client device needs to request the authentication center of the IoT ecosystem in which it is located to assign a device certificate, and then configures the device certificate, the first root certificate and the access control authority information to the server device, so as to obtain the access control capability of the server device.
  • the server device receives the device certificate configured by the second client device, the first root certificate of the second client device, and the access control authority information.
  • FIG. 4 shows a schematic flowchart of a permission sharing process of a server device involved in an embodiment of the present application.
  • let the A ecological APP be the administrator of the lamp device Bulb; the process of adding the B ecological APP as an administrator of Bulb is as follows:
  • the A ecological APP sends a verification request to the B ecological APP, and the request carries a random value nonce (ie, the above-mentioned first random value).
  • the B ecological APP signs the nonce with the (operation) private key (ie, the above-mentioned first private key), and returns the root certificate RC.B, the APP certificate OC.B.APP and the signature Signature to the A ecological APP.
  • the APP certificate is issued by the root certificate and is used to establish a control connection between the APP and the controlled device.
  • the A ecological APP uses OC.B.APP to further verify the signature Signature, that is, it verifies Signature using the APP (operation) public key in OC.B.APP (ie, the above-mentioned first public key).
  • the A ecological APP generates a configuration token OT.
  • the A ecological APP sends an instruction to enable configuration to Bulb, and the instruction carries the configuration token OT and OC.B.APP.
  • the B ecological APP generates a fabricID, and sends CSR.bulb and fabricID to the B ecological CA to request a device certificate.
  • the device certificate B.OC.bulb is generated and returned to the B ecological APP.
  • the B ecological APP configures the device certificate B.OC.bulb and the access control authority ACL.Bulb.B.APP1 to the Bulb.
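The verification sequence of Steps 306 to 308 and FIG. 4, as an added example that is not part of the patent: RC.B and OC.B.APP are X.509 certificates built with Go's standard library, Signature is ECDSA P-256 over SHA-256 of the nonce, the A APP compares the returned root with the RC.B it has already accepted as legal (a stand-in for the root legality authentication, which this section does not detail) before chaining OC.B.APP to it and verifying the signature, and the Bulb compares the credential B presents with the one the administrator notified before verifying the signature over its own random value. The type and function names, the curve and the hash are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Ecosystem models one IoT ecosystem: root certificate RC.B, the APP certificate OC.B.APP it issued, and the APP's operation ("first") private key.
type Ecosystem struct {
	RootCert, AppCert *x509.Certificate
	appKey            *ecdsa.PrivateKey
}

// newTemplate builds a leaf certificate template; its contents are constructed for this example.
func newTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// issue signs tmpl with the issuer's key and parses the resulting certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewEcosystem creates a self-signed root and an APP certificate issued by it.
func NewEcosystem(name string) (*Ecosystem, error) {
	rootKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	appKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, errors.New("key generation failed")
	}
	rootTmpl := newTemplate("RC."+name, 1)
	rootTmpl.IsCA, rootTmpl.BasicConstraintsValid, rootTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	rootCert, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	appCert, err := issue(newTemplate("OC."+name+".APP", 2), rootCert, &appKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &Ecosystem{RootCert: rootCert, AppCert: appCert, appKey: appKey}, nil
}

// Sign is the B APP's part of the exchange: sign the challenge nonce with the operation private key.
func (e *Ecosystem) Sign(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, e.appKey, digest[:])
}

// verifySig checks an ECDSA signature over msg under the certificate's public key.
func verifySig(cert *x509.Certificate, msg, sig []byte) error {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(msg)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under the certificate's public key")
	}
	return nil
}

// VerifyAdminSide is the A APP's check (Step 306 and the steps before it): the returned root must be the
// RC.B already accepted as legal, OC.B.APP must chain to it, and the signature must verify under OC.B.APP's key.
func VerifyAdminSide(legalRoot, root, app *x509.Certificate, nonce, sig []byte) error {
	if !legalRoot.Equal(root) {
		return errors.New("returned root certificate is not the accepted RC.B")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := app.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return errors.New("operation credential was not issued by RC.B: " + err.Error())
	}
	return verifySig(app, nonce, sig)
}

// VerifyServerSide is the Bulb's check (S308a6): the credential B presents must equal the OC.B.APP the
// administrator notified, and the signature over the Bulb's own random value must verify under it.
func VerifyServerSide(notified, presented *x509.Certificate, nonce, sig []byte) error {
	if !notified.Equal(presented) {
		return errors.New("presented credential differs from the one the administrator notified")
	}
	return verifySig(presented, nonce, sig)
}
```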
  • when the first client device triggers the server device to open permissions to the second client device through the configuration trigger information, it sends third configuration trigger information to the server device; the third configuration trigger information contains the activation token and the first public key of the second client device.
  • the first client device may also send configuration trigger information to the server device based on the activation token OT, so as to trigger the process of the server device opening permissions to the second client device.
  • the process could be as follows:
  • the server device receives the third configuration trigger information sent by the first client device.
  • the server device encrypts the activation token according to the first public key, and obtains the encrypted activation token.
  • the server device sends the encrypted activation token to the second client device.
  • the second client device receives the encrypted activation token sent by the server device.
  • the second client device decrypts the encrypted activation token according to the first public key to obtain the activation token.
  • the second client device and the server device establish a third secure connection between the second client device and the server device according to the activation token.
  • the server device sends a certificate signing request to the second client device, and correspondingly, the second client device receives the certificate signing request sent by the server device.
  • the second client device performs rights configuration in the server device according to the certificate signing request.
  • FIG. 5 shows a schematic flowchart of a permission sharing process of a server device involved in an embodiment of the present application.
  • let the A ecological APP be the administrator of Bulb; the process of adding the B ecological APP as an administrator of Bulb is as follows:
  • the A ecological APP sends a verification request to the B ecological APP, and the request carries a random value nonce.
  • the B ecological APP signs the nonce with the (operation) private key, and returns the root certificate RC.B, the APP certificate OC.B.APP and the signature Signature to the A ecological APP.
  • the APP certificate is issued by the root certificate and is used to establish a control connection between the APP and the controlled device.
  • the A ecological APP uses RC.B to verify OC.B.APP, that is, the signature of the APP certificate OC.B.APP is verified with the public key of the root certificate.
  • the A ecological APP generates a configuration token OT.
  • the A ecological APP sends an instruction to enable configuration to Bulb, and the instruction carries the configuration token OT and the (operation) public key PuK.B.APP of the B ecological APP.
  • the B ecological APP decrypts with the (operation) private key to obtain OT, and both parties use OT to establish a secure connection.
  • B ecological APP sends CSR.bulb and fabricID to B ecological CA to request a device certificate. After B ecological CA certification, the device certificate B.OC.bulb is generated and returned to B ecological APP.
  • the B ecological APP configures the device certificate B.OC.bulb and the access control authority ACL.Bulb.B.APP1 to the Bulb.
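The token exchange of the third configuration trigger and FIG. 5, as an added example that is not the patent's code: the Bulb seals the configuration token OT to PuK.B.APP, and the B APP recovers it with the matching (operation) private key, as the FIG. 5 description states; a party holding only the public key cannot. The page names neither the cipher nor how the secure connection is set up from OT, so RSA-OAEP, the HMAC-SHA256 session-key derivation and the key-confirmation message, like all function names, are this example's assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// oaepLabel ties the ciphertext to its purpose: a sealed configuration token.
var oaepLabel = []byte("IoT-config-token")

// NewToken is the administrator APP's step: generate the configuration token OT
// that it passes to the Bulb together with PuK.B.APP.
func NewToken() ([]byte, error) {
	ot := make([]byte, 32)
	_, err := rand.Read(ot)
	return ot, err
}

// SealToken is the Bulb's step: encrypt OT to PuK.B.APP, the first public key carried
// in the third configuration trigger. RSA-OAEP with SHA-256 is this example's choice;
// the page does not name the cipher.
func SealToken(puk *rsa.PublicKey, ot []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, puk, ot, oaepLabel)
}

// OpenToken is the B APP's step: recover OT with the operation private key matching
// PuK.B.APP. Any other key, or a tampered ciphertext, fails here.
func OpenToken(prk *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, prk, sealed, oaepLabel)
}

// SessionKey derives the key of the third secure connection from OT and both party
// identities. The page leaves the connection setup unspecified; an HMAC-SHA256 KDF
// over the identities under OT is a constructed stand-in.
func SessionKey(ot []byte, bulbID, appID string) []byte {
	m := hmac.New(sha256.New, ot)
	m.Write([]byte("session|" + bulbID + "|" + appID))
	return m.Sum(nil)
}

// Confirm is B's key-confirmation message: an HMAC over a fixed string under the
// session key, proving B recovered the same OT the Bulb encrypted.
func Confirm(sessionKey []byte) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write([]byte("confirm"))
	return m.Sum(nil)
}

// CheckConfirm is the Bulb's side of key confirmation.
func CheckConfirm(sessionKey, tag []byte) error {
	if !hmac.Equal(Confirm(sessionKey), tag) {
		return errors.New("key confirmation failed: peer does not hold the configuration token")
	}
	return nil
}

// Exchange runs the whole FIG. 5 token flow between a Bulb and the holder of prk
// and returns the shared session key, or an error if confirmation fails.
func Exchange(bulbID, appID string, puk *rsa.PublicKey, prk *rsa.PrivateKey) ([]byte, error) {
	ot, err := NewToken() // administrator APP generates OT
	if err != nil {
		return nil, err
	}
	sealed, err := SealToken(puk, ot) // Bulb: encrypt OT to PuK.B.APP
	if err != nil {
		return nil, err
	}
	otB, err := OpenToken(prk, sealed) // B APP: decrypt with its private key
	if err != nil {
		return nil, err
	}
	bulbKey := SessionKey(ot, bulbID, appID)
	appKey := SessionKey(otB, bulbID, appID)
	if err := CheckConfirm(bulbKey, Confirm(appKey)); err != nil {
		return nil, err
	}
	return bulbKey, nil
}
```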
  • before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return verification information through the first random value, and then verifies that verification information to confirm the legitimacy of the second client device; only after the second client device is verified as legal is the authority of the server device shared with it. This avoids sharing the access control authority with illegal client devices and improves the security of access control authority sharing for the server device.
  • the first client device and the second client device may be uniformly authenticated through a unified platform, and authentication information may be issued respectively.
  • FIG. 6 shows a flowchart of a method for configuring rights in the Internet of Things provided by an embodiment of the present application.
  • the method can be executed interactively between a first client device, a second client device, and a server device.
  • the first client device and the second client device may be the client device 120 of the network architecture shown in FIG. 1, and the server device may be the server device 110 of the network architecture shown in FIG. 1; the method may include the following steps:
  • Step 601: establish a first secure connection between the first client device and the second client device.
  • the APP of each IoT ecological environment has a pair of public and private keys for authentication and a pair of public and private keys for operation. After being certified by the unified certification platform, the APP of each IoT ecological environment obtains the corresponding certification certificate DAC.B.APP and/or certification statement CD.B.APP. DAC.B.APP contains the public key used for authentication (ie, the second public key referred to below). DAC.B.APP or CD.B.APP can be used to verify the legitimacy of the APP.
  • Step 602: the first client device sends a first verification request to the second client device, where the first verification request includes a first random value; correspondingly, the second client device receives the first verification request including the first random value.
  • Step 603: the second client device sends first verification information to the first client device, and accordingly, the first client device receives the first verification information;
  • the first verification information includes the first root certificate, the first operation certificate, the first authentication information, the second signature information and the third signature information of the second client device;
  • the first operation certificate is issued by the first root certificate;
  • the first authentication information is issued by the unified authentication platform after the second client device is authenticated, and the unified authentication platform is used to authenticate the first client device and the second client device;
  • the second signature information is obtained by signing the first root certificate, the first operation certificate and the unified authentication information with the first private key of the second client device;
  • the third signature information is obtained by signing the first root certificate, the first operation certificate, the unified authentication information and the second signature information with the second private key of the second client device.
  • the above-mentioned first private key may be a private key used for operation in the second client device.
  • the above-mentioned second private key may be the private key of the root certificate of the second client device.
  • the first operation credential is issued through the second private key of the second client device.
  • the above-mentioned unified authentication platform is used to provide unified authentication for client devices in various IoT ecological environments, and return the authentication information to the corresponding client devices.
  • the unified authentication platform can provide one client device with a service for querying the validity of the authentication information of another client device.
  • Step 604: the first client device performs validity verification on the first authentication information.
  • the first client device may query the unified authentication platform for the first authentication information to obtain the validity verification result of the first authentication information.
  • the first client device may also verify the validity of the first authentication information in other ways. For example, the first client device queries the unified authentication platform for the authentication information of the second client device, receives the authentication information of the second client device returned by the unified authentication platform, and compares it with the above-mentioned first authentication information; if the two are consistent, it is confirmed that the first authentication information has passed the validity check.
  • Step 605: after the first authentication information passes the validity check, the first client device verifies the fourth signature information through the second public key corresponding to the second private key; the second public key is carried in the first authentication information.
  • the first client device can obtain the second public key from the first authentication information, and use the second public key to verify the fourth signature information.
  • Step 606: after the fourth signature information passes the verification, the first client device verifies the third signature information through the first public key corresponding to the first private key; the first public key is carried in the first operation certificate.
  • the first client device may obtain the first public key from the first operation certificate, and verify the third signature information by using the first public key.
  • Step 607: when the first verification information passes the verification, the first client device triggers the server device to open the authority to the second client device through the configuration trigger information.
  • Step 608: the server device receives the configuration trigger information sent by the first client device, and opens the authority to the second client device according to the configuration trigger information.
  • FIG. 7 shows a schematic flowchart of a permission sharing process of a server device involved in an embodiment of the present application.
  • let the A ecological APP be the administrator of Bulb; the process of adding the B ecological APP as an administrator of Bulb is as follows:
  • the B ecological APP generates a QR code for pairing, and announces its existence in the network.
  • the A ecological APP obtains the two-dimensional code information of the B ecological APP by scanning the code, searches for the B ecological APP on the network, and uses the information in the two-dimensional code to establish a secure connection.
  • the A ecological APP sends a verification request to the B ecological APP, and the request carries a random value nonce.
  • the A ecological APP uses the public key in OC.B.APP to verify the signature Signature1, that is, the signature is verified using the APP public key in OC.B.APP.
  • the A ecological APP generates a configuration token OT.
  • the A ecological APP sends an instruction to enable configuration to Bulb, and the instruction carries the configuration token OT and the public key PuK.B.APP of the B ecological APP.
  • B ecological APP decrypts the OT with the private key, and the two parties use the OT to establish a secure connection.
  • the B ecological APP sends the CSR.bulb and fabricID to the B ecological CA to request the device certificate. After the B ecological CA is certified, the device certificate B.OC.bulb is generated and returned to the B ecological APP.
  • B ecological APP configures the device certificate B.OC.bulb, and access control authority ACL.Bulb.B.APP1 to Bulb.
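The nested-signature check of Steps 603 to 606 and FIG. 7, as an added example that is not the patent's code: the second signature covers RC.B, OC.B.APP and DAC.B.APP under the operation (first) private key, the third signature covers those plus the second signature under the authentication (second) private key, and the A APP first compares the presented DAC.B.APP with the unified platform's copy, then checks the third signature with the second public key from DAC.B.APP, then the second signature with the first public key from OC.B.APP. The credentials are constructed records rather than issued certificates, the Step 602 nonce is folded into the signed data (an extension of the page's description, against replay), and ECDSA P-256 with SHA-256 and all names are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
)

// Credential stands in for RC.B, OC.B.APP or DAC.B.APP: a holder name plus the public key it carries.
type Credential struct {
	Name   string
	PubKey *ecdsa.PublicKey
}

// VerificationInfo is the first verification information of Step 603.
type VerificationInfo struct {
	Root, Op, Auth Credential
	Sig2, Sig3     []byte // second and third signature information
}

// AppB is the second client device with its operation key (first private key) and authentication key (second private key).
type AppB struct {
	opKey, authKey *ecdsa.PrivateKey
	Root, Op, Auth Credential
}

// NewAppB generates B's keys and constructs its three credentials (certificate issuance is out of scope here).
func NewAppB() (*AppB, error) {
	opKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	authKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, errors.New("key generation failed")
	}
	return &AppB{
		opKey: opKey, authKey: authKey,
		Root: Credential{"RC.B", &authKey.PublicKey},      // root key = second key (page: the root certificate's private key)
		Op:   Credential{"OC.B.APP", &opKey.PublicKey},    // carries the first public key
		Auth: Credential{"DAC.B.APP", &authKey.PublicKey}, // carries the second public key
	}, nil
}

// transcript length-prefixes every field so that distinct field sequences never collide.
func transcript(parts ...[]byte) []byte {
	var buf bytes.Buffer
	for _, p := range parts {
		binary.Write(&buf, binary.BigEndian, uint32(len(p)))
		buf.Write(p)
	}
	return buf.Bytes()
}

// bytes is the canonical encoding of a credential (PKIX DER of the key; cannot fail for P-256).
func (c Credential) bytes() []byte {
	der, _ := x509.MarshalPKIXPublicKey(c.PubKey)
	return transcript([]byte(c.Name), der)
}

func verify(what string, key *ecdsa.PublicKey, msg, sig []byte) error {
	d := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(key, d[:], sig) {
		return errors.New(what + " does not verify")
	}
	return nil
}

// Respond builds Step 603's response; the Step 602 nonce is folded into both transcripts (an addition here) against replay.
func (b *AppB) Respond(nonce []byte) (VerificationInfo, error) {
	data := transcript(nonce, b.Root.bytes(), b.Op.bytes(), b.Auth.bytes())
	d2 := sha256.Sum256(data)
	sig2, err := ecdsa.SignASN1(rand.Reader, b.opKey, d2[:]) // second signature: first private key
	if err != nil {
		return VerificationInfo{}, err
	}
	d3 := sha256.Sum256(transcript(data, sig2))
	sig3, err := ecdsa.SignASN1(rand.Reader, b.authKey, d3[:]) // third signature: second private key
	return VerificationInfo{b.Root, b.Op, b.Auth, sig2, sig3}, err
}

// VerifyUnified is the first client device's procedure of Steps 604-606; platformAuth is the
// authentication information the unified platform returned when queried about this APP.
func VerifyUnified(platformAuth Credential, nonce []byte, v VerificationInfo) error {
	// Step 604: the presented authentication information must equal the platform's copy.
	if !bytes.Equal(platformAuth.bytes(), v.Auth.bytes()) {
		return errors.New("authentication information not confirmed by the unified platform")
	}
	data := transcript(nonce, v.Root.bytes(), v.Op.bytes(), v.Auth.bytes())
	// Step 605: third signature under the second public key carried in DAC.B.APP.
	if err := verify("third signature", v.Auth.PubKey, transcript(data, v.Sig2), v.Sig3); err != nil {
		return err
	}
	// Step 606: second signature under the first public key carried in OC.B.APP.
	return verify("second signature", v.Op.PubKey, data, v.Sig2)
}
```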
  • the above solution of the present application can solve the problem that the legality of the added control terminal APP cannot be confirmed during the process of adding the second ecological APP, by performing identity confirmation and legality verification on that APP.
  • FIG. 8 shows a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application.
  • the device has the function of implementing the above example of the permission configuration method in the Internet of Things, and the function can be implemented by hardware, or by executing corresponding software in hardware.
  • the apparatus may be the first client device described above, or may be set in the first client device.
  • the above-mentioned first client device has the management authority of the server device.
  • the apparatus may include:
  • a first verification request sending module 801, configured to send a first verification request to the second client device, where the first verification request includes a first random value
  • a first verification information receiving module 802 configured to receive first verification information sent by the second client device; the first verification information is generated based on the first random value;
  • a first verification module 803, configured to verify the first verification information
  • a configuration triggering module 804 is configured to trigger the server device to open permissions to the second client device through the configuration trigger information when the first verification information passes the verification.
  • the first verification information includes at least one of first signature information, a first root certificate of the second client device, and a first operation certificate;
  • the first signature information is obtained by signing the target data with the first private key of the second client device;
  • the target data includes the first random value;
  • the first operation credential is issued by the first root certificate.
  • the target data further includes at least one of the first root certificate and the first operation certificate.
  • the first verification module 803 is configured to, when the first verification information includes the first signature information, the first root certificate and the first operation certificate, verify the first signature information according to the first operation certificate.
  • the first verification module 803 is configured to verify the first operation credential according to the second public key of the second client device carried in the first root certificate.
  • the first verification module 803 is configured to verify the first signature information according to the first public key of the second client device carried in the first operation credential.
  • the first verification module 803 is configured to:
  • the first verification information further includes a query address
  • the first verification module 803 is configured to query the server corresponding to the query address for the first root certificate, and obtain the validity verification result of the first root certificate.
  • the first verification information includes a first root certificate, a first operation credential, first authentication information, second signature information, and third signature information of the second client device;
  • the first operation certificate is issued through the first root certificate;
  • the first authentication information is issued after the second client device is authenticated by the unified authentication platform, and the unified authentication platform is used to authenticate the first client device and the second client device;
  • the second signature information is obtained by signing the first root certificate, the first operation credential and the unified authentication information with the first private key of the second client device;
  • the third signature information is obtained by signing the first root certificate, the first operation certificate, the unified authentication information and the second signature information with the second private key of the second client device.
  • the first verification module 803 is configured to:
  • the third signature information is verified by using the second public key corresponding to the second private key; the second public key is carried in the first authentication information;
  • the second signature information is verified by using the first public key corresponding to the first private key; the first public key is carried in the first operation certificate.
  • the configuration triggering module 804 is configured to:
  • the first configuration trigger information includes the configuration token
  • the second configuration trigger information includes the configuration token and the first operation credential.
  • the configuration triggering module 804 is configured to send third configuration trigger information to the server device; the third configuration trigger information includes the configuration token and the first public key of the second client device.
  • the first client device and the second client device respectively belong to different IoT ecosystems.
  • the apparatus further includes:
  • a scanning module configured to scan the two-dimensional code displayed by the second client device to obtain connection establishment information of the second client device
  • a first connection establishment module configured to establish a first secure connection with the second client device according to the connection establishment information.
  • FIG. 9 shows a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application.
  • the device has the function of implementing the above example of the permission configuration method in the Internet of Things, and the function can be implemented by hardware, or by executing corresponding software in hardware.
  • the apparatus may be the second client device described above, or may be set in the second client device. As shown in Figure 9, the apparatus may include:
  • the first random value receiving module 901 is configured to receive a first verification request sent by a first client device, where the first verification request includes a first random value; the first client device has the administrative rights.
  • the first verification information sending module 902 is configured to send the first verification information to the first client device, so that after the first client device passes the verification of the first verification information, it triggers the server device through the configuration trigger information to open permissions to the second client device; the first verification information is generated based on the first random value.
  • the first verification information includes at least one of first signature information, a first root certificate of the second client device, and a first operation certificate;
  • the first signature information is obtained by signing the target data with the first private key of the second client device;
  • the target data includes the first random value;
  • the first operation credential is issued by the first root certificate.
  • the target data further includes at least one of the first root certificate and the first operation certificate.
  • the first verification information includes a first root certificate, a first operation credential, first authentication information, second signature information, and third signature information of the second client device;
  • the first operation certificate is issued through the first root certificate;
  • the first authentication information is issued after the second client device is authenticated by the unified authentication platform, and the unified authentication platform is used to authenticate the first client device and the second client device;
  • the second signature information is obtained by signing the first root certificate, the first operation credential and the unified authentication information with the first private key of the second client device;
  • the third signature information is obtained by signing the first root certificate, the first operation certificate, the unified authentication information and the second signature information with the second private key of the second client device.
  • the apparatus further includes:
  • a first configuration trigger information receiving module configured to receive first configuration trigger information sent by the first client device, where the first configuration trigger information includes a configuration token
  • a second connection establishment module configured to establish a second secure connection with the server device according to the configuration token
  • a second verification request receiving module configured to receive a second verification request including a second random value sent by the server device
  • a second verification information sending module configured to send second verification information to the server device, where the second verification information includes the first operation certificate and fourth signature information, the fourth signature information is obtained by signing the second random value with the first private key;
  • a certificate request receiving module configured to receive a device certificate request sent by the server device, where the device certificate request is sent after the server device passes the verification of the second verification information
  • a rights configuration module configured to perform rights configuration in the server device according to the device certificate request.
  • the apparatus further includes:
  • an encrypted token receiving module configured to receive the encrypted configuration token sent by the server device;
  • a decryption module configured to decrypt the encrypted configuration token according to the first public key of the second client device to obtain the configuration token;
  • a third connection establishment module configured to establish a third secure connection with the server device according to the configuration token;
  • a certificate request receiving module configured to receive a device certificate request sent by the server device;
  • a rights configuration module configured to perform rights configuration in the server device according to the device certificate request.
  • the permission configuration module is used to:
  • configure the access control authority information in the access control list (ACL) of the server device, where the access control authority information includes an access control entry, the data accessible under the access control entry, the entities permitted to access that data, and the manner in which access is authorized.
  • the first client device and the second client device respectively belong to different IoT ecosystems.
  • the apparatus further includes:
  • a two-dimensional code display module used for displaying a two-dimensional code, the two-dimensional code carries the connection establishment information of the second client device;
  • a first connection establishment module configured to establish a first secure connection with the first client device according to the connection establishment information.
  • before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return verification information by means of the first random value, and then verifies that verification information to check the legitimacy of the second client device. Only after the second client device is verified as legitimate is the authority for the server device shared with it, thereby avoiding the situation in which the access control authority is shared with an illegal client device and improving the security of access control authority sharing for the server device.
  • FIG. 10 shows a block diagram of an apparatus for configuring permissions in the Internet of Things provided by an embodiment of the present application.
  • the apparatus has the function of implementing the above example of the permission configuration method in the Internet of Things, and the function can be implemented by hardware, or by hardware executing corresponding software.
  • the device can be the server device described above, or can be set in the server device.
  • the apparatus may include:
  • a configuration trigger information receiving module 1001 configured to receive configuration trigger information sent by a first client device, where the configuration trigger information is sent by the first client device after it sends a first verification request containing a first random value to a second client device, receives the first verification information sent by the second client device, and passes the verification of the first verification information; the first verification information is generated based on the first random value;
  • the authority opening module 1002 is configured to open authority to the second client device according to the configuration trigger information.
  • the configuration trigger information is second configuration trigger information including a configuration token and the first operation credential;
  • the permission opening module 1002 is used to:
  • send a device certificate request to the second client device, so that the second client device performs authorization configuration in the server device according to the device certificate request.
  • the permission opening module 1002 is configured to verify the second signature information according to the first public key of the second client device carried in the first operation credential.
  • the configuration trigger information is third configuration trigger information including a configuration token and a first public key of the second client device;
  • the permission opening module 1002 is used to:
  • a device certificate request is sent to the second client device, so that the second client device performs rights configuration in the server device according to the device certificate request.
  • the apparatus further includes:
  • a certificate and information receiving module configured to receive a device certificate configured by the second client device, a first root certificate of the second client device, and access control authority information;
  • the access control authority information is configured in the access control list (ACL) of the server device, and includes an access control entry, the data accessible under the access control entry, the entities permitted to access that data, and the manner in which access is authorized.
  • before the first client device shares the authority of the server device with the second client device, it first triggers the second client device to return verification information by means of the first random value, and then verifies that verification information to check the legitimacy of the second client device. Only after the second client device is verified as legitimate is the authority for the server device shared with it, thereby avoiding the situation in which the access control authority is shared with an illegal client device and improving the security of access control authority sharing for the server device.
  • when the apparatus provided in the above embodiment realizes its functions, the division into the above functional modules is only used as an example for illustration. In practical applications, the above functions can be allocated to different functional modules according to actual needs, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above.
  • FIG. 11 shows a schematic structural diagram of an IoT device 1100 provided by an embodiment of the present application.
  • the IoT device 1100 may include: a processor 1101, a receiver 1102, a transmitter 1103, a memory 1104 and a bus 1105.
  • the processor 1101 includes one or more processing cores, and the processor 1101 executes various functional applications and information processing by running software programs and modules.
  • the receiver 1102 and the transmitter 1103 may be implemented as a communication component, which may be a communication chip.
  • the communication chip may also be referred to as a transceiver.
  • the memory 1104 is connected to the processor 1101 through the bus 1105.
  • the memory 1104 can be used to store a computer program, and the processor 1101 is used to execute the computer program, so as to implement various steps performed by the terminal in the above method embodiments.
  • the memory 1104 may be implemented by any type of volatile or non-volatile storage device, or a combination thereof, including but not limited to magnetic or optical disks, electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), static random access memory (SRAM), read-only memory (ROM), magnetic memory, flash memory, and programmable read-only memory (PROM).
  • the IoT device includes a processor, a memory, and a transceiver (the transceiver may include a receiver and a transmitter, the receiver being used for receiving information and the transmitter for transmitting information);
  • when the IoT device is implemented as the first client device:
  • the transceiver is configured to send a first verification request to the second client device, where the first verification request includes a first random value;
  • the transceiver is configured to receive first verification information sent by the second client device, where the first verification information is generated based on the first random value;
  • the processor is configured to verify the first verification information;
  • the transceiver is configured to trigger, by means of configuration trigger information, the server device to open permissions to the second client device when the first verification information passes the verification.
  • when the IoT device is implemented as the second client device:
  • the transceiver is configured to receive a first verification request including a first random value sent by a first client device, where the first client device has the management authority of the server device;
  • the transceiver is configured to send the first verification information to the first client device, so that after the first client device passes the verification of the first verification information, it triggers, by means of configuration trigger information, the server device to open permissions to the second client device; the first verification information is generated based on the first random value.
  • the IoT device involved in this embodiment of the present application can execute all or some of the steps performed by the second client device in the permission configuration method in the IoT shown in FIG. 2, FIG. 3 or FIG. 6 above, which will not be repeated here.
  • when the IoT device is implemented as the server device:
  • the transceiver is configured to receive configuration trigger information sent by a first client device, where the configuration trigger information is sent by the first client device after it sends a first verification request including a first random value to a second client device, receives the first verification information sent by the second client device, and passes the verification of the first verification information; the first verification information is generated based on the first random value;
  • the processor is configured to open a permission to the second client device according to the configuration trigger information.
  • when the IoT device involved in the embodiment of the present application is implemented as the server device, it may perform all or part of the steps performed by the server device in the permission configuration method in the IoT shown in FIG. 2, FIG. 3 or FIG. 6, which will not be repeated here.
  • Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to implement all or part of the steps performed by the first client device, the second client device or the server device in the permission configuration method in the Internet of Things shown in FIG. 2, FIG. 3 or FIG. 6 above.
  • the present application also provides a chip, which is used to run in an Internet of Things device, so that the Internet of Things device executes all or part of the steps performed by the first client device, the second client device or the server device in the above permission configuration method in the Internet of Things.
  • the present application also provides a computer program product; the computer program product or computer program comprises computer instructions stored in a computer-readable storage medium. The processor of the Internet of Things device reads the computer instructions from the computer-readable storage medium and executes them, so that the Internet of Things device executes all or part of the steps performed by the client device or the server device in the above permission configuration method in the Internet of Things.
  • the present application also provides a computer program, which is executed by the processor of the Internet of Things device so as to implement all or part of the steps performed by the first client device, the second client device or the server device in the above permission configuration method in the Internet of Things.
  • Computer-readable media include both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another.
  • a storage medium can be any available medium that can be accessed by a general purpose or special purpose computer.
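The random-value challenge that the first client device issues to the second client device (and that the server device repeats with the second random value before sending the device certificate request) is a signed nonce exchange. The Go program below is an added example, not code from the application: the Credential struct is a constructed stand-in for the operation certificate, the key in it is taken as already trusted (a real implementation validates the certificate against the root certificate first), and the verifier consumes each random value so a captured response cannot be replayed to open permissions twice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Credential stands in for the page's "operation certificate": a device identity
// bound to its public key (a constructed struct, not a real certificate format).
type Credential struct {
	DeviceID string
	PubKey   ed25519.PublicKey
}
// VerificationInfo is what the candidate client returns: its credential plus a
// signature over the random value made with its private key.
type VerificationInfo struct {
	Cred Credential
	Sig  []byte
}
// Verifier is the checking side (first client device or server device); it keeps
// the random values it issued so that each one can be answered exactly once.
type Verifier struct{ pending map[[32]byte]bool }

func NewVerifier() *Verifier { return &Verifier{pending: map[[32]byte]bool{}} }

// NewChallenge issues a fresh random value for a verification request.
func (v *Verifier) NewChallenge() ([32]byte, error) {
	var n [32]byte
	if _, err := rand.Read(n[:]); err != nil {
		return n, err
	}
	v.pending[n] = true
	return n, nil
}

// Respond is the candidate client's side: sign the random value with its private key.
func Respond(cred Credential, priv ed25519.PrivateKey, nonce [32]byte) VerificationInfo {
	return VerificationInfo{Cred: cred, Sig: ed25519.Sign(priv, nonce[:])}
}
// Verify consumes the random value before checking anything, so a captured response
// cannot be replayed, then checks the signature under the key in the credential.
func (v *Verifier) Verify(nonce [32]byte, info VerificationInfo) error {
	if !v.pending[nonce] {
		return errors.New("unknown or already used random value")
	}
	delete(v.pending, nonce)
	if !ed25519.Verify(info.Cred.PubKey, nonce[:], info.Sig) {
		return errors.New("signature does not verify under credential key")
	}
	return nil
}

func main() { // stand-alone demo: first check passes, replay of the same response fails
	pub, priv, _ := ed25519.GenerateKey(nil)
	v := NewVerifier()
	n, _ := v.NewChallenge()
	info := Respond(Credential{DeviceID: "dev-b", PubKey: pub}, priv, n)
	fmt.Println("first:", v.Verify(n, info), "replay:", v.Verify(n, info))
}
```

Only a nil result from Verify should lead to sending the configuration trigger information (or, on the server side, the device certificate request).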

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present application belongs to the technical field of the Internet of Things. The invention relates to a method and an apparatus for configuring permissions in the Internet of Things, a device, and a storage medium. The method is executed by a first client device, and the first client device has management permission for a server device. The method comprises: sending to a second client device a first verification request comprising a first random value; receiving first verification information sent by the second client device, the first verification information being generated on the basis of the first random value; verifying the first verification information; and, when the first verification information passes the verification, triggering, by means of configuration trigger information, the server device to grant permission to the second client device. This solution avoids a situation in which access control permission for a server device is shared with an invalid client device, which improves the security of access control permission sharing for the server device.
PCT/CN2021/076574 2021-02-10 2021-02-10 Method and apparatus for configuring permissions in the Internet of Things, device, and storage medium WO2022170583A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2021/076574 WO2022170583A1 (fr) 2021-02-10 2021-02-10 Method and apparatus for configuring permissions in the Internet of Things, device, and storage medium
CN202180070751.9A CN116325661A (zh) 2021-02-10 2021-02-10 Permission configuration method, apparatus, device and storage medium in the Internet of Things

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/076574 WO2022170583A1 (fr) 2021-02-10 2021-02-10 Method and apparatus for configuring permissions in the Internet of Things, device, and storage medium

Publications (1)

Publication Number Publication Date
WO2022170583A1 (fr) 2022-08-18

Family

ID=82838109

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/076574 WO2022170583A1 (fr) 2021-02-10 2021-02-10 Method and apparatus for configuring permissions in the Internet of Things, device, and storage medium

Country Status (2)

Country Link
CN (1) CN116325661A (fr)
WO (1) WO2022170583A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103916637A (zh) * 2014-04-15 2014-07-09 浙江宇视科技有限公司 Method and apparatus for securely sharing a surveillance front-end device
CN106471784A (zh) * 2014-08-06 2017-03-01 谷歌公司 Device access control
KR101870786B1 (ko) * 2016-12-29 2018-06-26 금오공과대학교 산학협력단 Method for providing an Internet of Things service through a social framework, and server executing the same
CN108616531A (zh) * 2018-04-26 2018-10-02 深圳市盛路物联通讯技术有限公司 Radio frequency signal secure communication method and system

Also Published As

Publication number Publication date
CN116325661A (zh) 2023-06-23

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21925245

Country of ref document: EP

Kind code of ref document: A1