WO2023015462A1 - 用于连接建立的方法、装置、设备及存储介质 - Google Patents
用于连接建立的方法、装置、设备及存储介质 Download PDFInfo
- Publication number
- WO2023015462A1 WO2023015462A1 PCT/CN2021/111908 CN2021111908W WO2023015462A1 WO 2023015462 A1 WO2023015462 A1 WO 2023015462A1 CN 2021111908 W CN2021111908 W CN 2021111908W WO 2023015462 A1 WO2023015462 A1 WO 2023015462A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- token
- cloud
- server device
- information
- server
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 141
- 238000003860 storage Methods 0.000 title claims abstract description 22
- 238000012795 verification Methods 0.000 claims description 83
- 238000004590 computer program Methods 0.000 claims description 21
- 230000004044 response Effects 0.000 claims description 16
- 230000005540 biological transmission Effects 0.000 claims description 9
- 238000007726 management method Methods 0.000 description 44
- 230000008569 process Effects 0.000 description 33
- 238000010586 diagram Methods 0.000 description 14
- 230000006870 function Effects 0.000 description 14
- 238000004891 communication Methods 0.000 description 7
- 239000004744 fabric Substances 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 238000012790 confirmation Methods 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 240000007594 Oryza sativa Species 0.000 description 1
- 235000007164 Oryza sativa Nutrition 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000002716 delivery method Methods 0.000 description 1
- 238000009795 derivation Methods 0.000 description 1
- 238000009826 distribution Methods 0.000 description 1
- 238000009776 industrial production Methods 0.000 description 1
- 230000010365 information processing Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012806 monitoring device Methods 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 235000009566 rice Nutrition 0.000 description 1
- 238000000060 site-specific infrared dichroism spectroscopy Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000010408 sweeping Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- G—PHYSICS
- G16—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
- G16Y—INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
- G16Y10/00—Economic sectors
- G16Y10/75—Information technology; Communication
-
- G—PHYSICS
- G16—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
- G16Y—INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
- G16Y30/00—IoT infrastructure
- G16Y30/10—Security thereof
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Definitions
- the present application relates to the technical field of the Internet of Things, and in particular to a method, device, device and storage medium for connection establishment.
- server devices can be managed and controlled by configuring devices.
- the server device may perform network configuration by configuring the device, so that the server device can access the network. Then, the server device establishes a network connection with the configuration device, and accepts the management and control of the configuration device based on the network connection.
- Embodiments of the present application provide a method, device, device, and storage medium for connection establishment.
- the solution can improve the convenience of management and control of the server device. Described technical scheme is as follows:
- an embodiment of the present application provides a method for establishing a connection, the method is executed by a configuration device, and the method includes:
- the token information is used to establish a secure session based on certificate authentication between the server device and the cloud device to establish a CASE connection.
- an embodiment of the present application provides a method for establishing a connection, the method is executed by a server device, and the method includes:
- a CASE connection is established with the cloud device based on the certificate authentication security session according to the token information.
- an embodiment of the present application provides a method for establishing a connection, the method is executed by a cloud device, and the method includes:
- a CASE connection is established with the server device based on the token information to establish a secure session based on certificate authentication.
- an embodiment of the present application provides an apparatus for establishing a connection, the apparatus is used in configuring a device, and the apparatus includes:
- a token acquisition module configured to obtain the token information of the server device from the cloud device after establishing a connection with the server device
- a token sending module configured to send the token information to the server device, and the token information is used to establish a certificate authentication-based secure session between the server device and the cloud device to establish a CASE connection.
- an embodiment of the present application provides an apparatus for establishing a connection, the apparatus is used in a server device, and the apparatus includes:
- a token receiving module configured to receive the token information sent by the configuration device, the server device; the token information obtained by the configuration device from the cloud device;
- a connection establishment module configured to establish a CASE connection based on a certificate-authenticated security session with the cloud device according to the token information.
- an embodiment of the present application provides an apparatus for establishing a connection, the apparatus is used in a cloud device, and the apparatus includes:
- a token sending module configured to send the token information of the server device to the configuration device; the token information is sent by the configuration device to the server device;
- a connection establishment module configured to establish a CASE connection based on a secure session based on certificate authentication with the server device according to the token information.
- an embodiment of the present application provides an Internet of Things device, the Internet of Things device is implemented as a configuration device, and the Internet of Things device includes a processor, a memory, and a transceiver;
- the transceiver is used to obtain the token information of the server device from the cloud device after establishing a connection with the server device;
- the transceiver is further configured to send the token information to the server device, and the token information is used to establish a secure session based on certificate authentication between the server device and the cloud device to establish a CASE connection .
- an embodiment of the present application provides an Internet of Things device, the Internet of Things device is implemented as a server device, and the Internet of Things device includes a processor, a memory, and a transceiver;
- the transceiver is configured to receive the token information of the server device sent by the configuration device; the token information is obtained by the configuration device from the cloud device;
- the transceiver is further configured to establish a CASE connection with the cloud device based on a certificate-authenticated secure session based on the token information.
- an embodiment of the present application provides an Internet of Things device, the Internet of Things device is implemented as a cloud device, and the Internet of Things device includes a processor, a memory, and a transceiver;
- the transceiver is configured to send the token information of the server device to the configuration device; the token information is sent by the configuration device to the server device;
- the transceiver is further configured to establish a CASE connection with the server device according to the token information to establish a secure session based on certificate authentication.
- an embodiment of the present application provides an Internet of Things device, the Internet of Things device includes a processor, a memory, and a transceiver, the memory stores a computer program, and the computer program is used to be executed by the processor , to implement the above method for connection establishment.
- an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to implement the foregoing connection establishment method.
- the present application also provides a chip, which is configured to run in an Internet of Things device, so that the Internet of Things device executes the above method for establishing a connection.
- the present application provides a computer program product comprising computer instructions stored in a computer readable storage medium.
- the processor of the Internet of Things device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the Internet of Things device executes the above method for connection establishment.
- the present application provides a computer program, which is executed by a processor of an Internet of Things device, so as to implement the above method for establishing a connection.
- the configuration device can apply for the token information corresponding to the server device from the cloud device, and then send the token information to the server device, so that the server device can establish a CASE with the cloud device Connection, the subsequent server device can receive remote management and control of the cloud device or other user devices connected to the cloud device through the CASE connection with the cloud device, thus greatly expanding the management and control of the server device. Scenarios improve the convenience of management and control of server devices.
- FIG. 1 is a schematic diagram of a network architecture of the Internet of Things provided by an embodiment of the present application
- FIG. 2 is a flowchart of a method for connection establishment provided by an embodiment of the present application
- FIG. 3 is a flowchart of a method for connection establishment provided by an embodiment of the present application.
- FIG. 4 is a flowchart of a method for connection establishment provided by an embodiment of the present application.
- FIG. 5 is a flowchart of a method for connection establishment provided by an embodiment of the present application.
- Fig. 6 is a sequence diagram of establishing a CASE connection involved in the embodiment shown in Fig. 5;
- FIG. 7 is a flowchart of a method for connection establishment provided by an embodiment of the present application.
- Fig. 8 is a sequence diagram of establishing a CASE connection involved in the embodiment shown in Fig. 7;
- FIG. 9 is a block diagram of an apparatus for connection establishment provided by an embodiment of the present application.
- FIG. 10 is a block diagram of an apparatus for connection establishment provided by an embodiment of the present application.
- FIG. 11 is a block diagram of a device for connection establishment provided by an embodiment of the present application.
- Fig. 12 is a schematic structural diagram of an IoT device provided by an embodiment of the present application.
- the network architecture and business scenarios described in the embodiments of the present application are for more clearly illustrating the technical solutions of the embodiments of the present application, and do not constitute limitations on the technical solutions provided by the embodiments of the present application.
- the evolution of the technology and the emergence of new business scenarios, the technical solutions provided in the embodiments of this application are also applicable to similar technical problems.
- FIG. 1 shows a schematic diagram of a network architecture of the Internet of Things provided by an embodiment of the present application.
- the network architecture of the Internet of Things may include: a server device 110, a configuration device 120; optionally, the network architecture may also include a gateway device 130, a cloud server 140, etc.;
- the server device 110 may be a device for providing functional services of the Internet of Things.
- the server device 110 may be a smart home device, such as a smart lamp, a smart TV, a smart air conditioner, a smart refrigerator, a smart microwave oven, a smart rice cooker, a sweeping robot, and the like.
- a smart home device such as a smart lamp, a smart TV, a smart air conditioner, a smart refrigerator, a smart microwave oven, a smart rice cooker, a sweeping robot, and the like.
- the server device 110 may be an industrial production device, such as a lathe, an industrial robot, a solar panel, a wind generator, and the like.
- the server device 110 may be a commercial service device, for example, an unmanned vending machine or the like.
- the server device 110 may be an intelligent monitoring device, for example, a monitoring camera, an infrared sensor, a sound sensor, a temperature sensor, and the like.
- the configuration device 120 is a terminal device on the user side.
- the client device may be a smart phone, a tablet computer, a smart watch, a smart TV, etc.; or, the client device may also be a personal computer, such as a desktop computer, a laptop computer, a personal workstation, and the like.
- the configuration device 120 is a client entity (which may be a virtual entity) running on a terminal device, for example, the configuration device 120 may run on a terminal device to access the server device , control, and management applications (Application, APP).
- client entity which may be a virtual entity
- APP application, APP
- the gateway device 130 is a network device that realizes network interconnection above the network layer, and is also called a gateway, a protocol converter, and the like.
- the gateway device 130 provides network connection services for the server device 110 .
- the gateway device 130 may be a professional gateway, such as a home gateway, or the gateway device 130 may also be an access device with a gateway function, such as a router with a gateway function.
- the gateway device 130 may also be implemented as the configuration device 120 .
- the cloud server 140 is a server deployed on the network side.
- the above-mentioned server device 110, configuration device 120, gateway device 130, and cloud server 140 may be Internet of Things devices that meet industry standards.
- CHIP Home over IP Working Group
- a secure connection may be established between the server device 110 and the configuration device 120, for example, a secure connection may be established based on the CHIP specification.
- the server device 110 is connected to the gateway device 130 through a wired or wireless network, and the cloud server 140 may be connected to the gateway device 130 and the configuration device 120 through a wired or wireless network.
- the aforementioned wired or wireless network uses standard communication technologies and/or protocols.
- the aforementioned wired or wireless network may be a communication network based on the Internet of Things (IoT) protocol.
- IoT Internet of Things
- FIG. 2 shows a flow chart of a method for connection establishment provided by an embodiment of the present application.
- the method can be executed by a configuration device.
- the configuration device can be the configuration of the network architecture shown in FIG. 1 Device 120; the method may include the following steps:
- Step 201 acquire the token information of the server device from the cloud device.
- the configuration device can obtain the token information of the server device from the cloud device.
- connection between the configuration device and the server device may be a Certificate Authenticated Session Establishment (CASE) connection based on certificate authentication.
- CASE Certificate Authenticated Session Establishment
- the CASE connection is a session connection that securely encapsulates data packets based on the Transmission Control Protocol (Transmission Control Protocol, TCP) or the User Datagram Protocol (User Datagram Protocol, UDP). Based on the realization of more secure data transmission.
- TCP Transmission Control Protocol
- UDP User Datagram Protocol
- a user account may be registered in the configuration device, and the user account may be a user account obtained by pre-registering with the cloud device.
- the configuration device logged in with the user account may have the authority to perform information interaction related to the Internet of Things with the cloud device. For example, access to the cloud device, manage or control the server device under the management of the cloud device, and assist in establishing a connection between the server device and the cloud device, etc.
- the configuration device when assisting in establishing a connection between the server device and the cloud device, after the connection between the configuration device and the server device is established, the configuration device can apply to the cloud device for the token information corresponding to the server device .
- Step 202 sending token information to the server device; the token information is used to establish a secure session based on certificate authentication between the server device and the cloud device to establish a CASE connection.
- the server device may receive the token information through a connection established with the configuration device (such as a CASE connection with the configuration device).
- the configuration device After the configuration device obtains the token information corresponding to the server device from the cloud device, it can send the token information to the server device, and the subsequent server device can establish a secure connection with the cloud device based on the token information. That is the above CASE connection.
- the configuration device can apply for the token information corresponding to the server device from the cloud device, and then send the token information to the server device, so that the server device can establish a CASE connection with the cloud device, and the subsequent server device can receive remote management and control of the cloud device or other user devices connected to the cloud device through the CASE connection with the cloud device, thereby It greatly expands the management and control scenarios of server devices, and improves the convenience of management and control of server devices.
- the solution involved in this application can provide the security of the connection between the server device and the cloud device, thereby improving the acceptance of the server device. Security of management or control of cloud devices.
- FIG. 3 shows a flow chart of a method for establishing a connection provided by an embodiment of the present application.
- the method can be executed by a server device.
- the server device can be the network architecture shown in FIG. 1
- the server device 110; the method may include the following steps:
- Step 301 receiving the token information of the server device sent by the configuration device; the token information is obtained by the configuration device from the cloud device.
- step 301 may be performed after the server device establishes a connection (such as a CASE connection) with the configuration device.
- a connection such as a CASE connection
- Step 302 establish a CASE connection with the cloud device based on the certificate authentication security session according to the token information.
- the configuration device can apply for the token information corresponding to the server device from the cloud device, and then send the token information to the server device, so that the server device can establish a CASE connection with the cloud device, and the subsequent server device can receive remote management and control of the cloud device or other user devices connected to the cloud device through the CASE connection with the cloud device, thereby It greatly expands the management and control scenarios of server devices, and improves the convenience of management and control of server devices.
- the solution involved in this application can provide the security of the connection between the server device and the cloud device, thereby improving the acceptance of the server device. Security of management or control of cloud devices.
- FIG. 4 shows a flow chart of a method for connection establishment provided by an embodiment of the present application.
- the method can be executed by a cloud device.
- the cloud device can be the cloud of the network architecture shown in FIG. 1 Server 140; the method may include the following steps:
- Step 401 sending the token information of the server device to the configuration device; so that the configuration device sends the token information to the server device.
- step 401 may be performed after the server device establishes a connection (such as a CASE connection) with the configuration device.
- Step 402 establish a CASE connection with the server device based on the certificate authentication security session according to the token information.
- the configuration device can apply for the token information corresponding to the server device from the cloud device, and then send the token information to the server device, so that the server device can establish a CASE connection with the cloud device, and the subsequent server device can receive remote management and control of the cloud device or other user devices connected to the cloud device through the CASE connection with the cloud device, thereby It greatly expands the management and control scenarios of server devices, and improves the convenience of management and control of server devices.
- the solution involved in this application can provide the security of the connection between the server device and the cloud device, thereby improving the acceptance of the server device. Security of management or control of cloud devices.
- the server device may directly establish a secure connection with the cloud device.
- FIG. 5 shows a flow chart of a method for establishing a connection provided by an embodiment of the present application.
- the method can be executed interactively between the configuration device, the server device, and the cloud device; the method can include the following steps:
- step 501 the configuration device establishes a connection with the server device.
- a secure connection may be established between the configuration device and the server device, for example, a CASE connection may be established.
- the step of establishing a secure connection between the configuration device and the server device may include the following steps.
- Step A Scan code for pairing.
- Step A1 the server device (device) provides the QR code, and the commissioner obtains the personal identification code (Personal Identification Number code, PIN code), Rendezvous mode and other information of the device by scanning the device QR code to the configuration device.
- the server device provides the QR code
- the commissioner obtains the personal identification code (Personal Identification Number code, PIN code), Rendezvous mode and other information of the device by scanning the device QR code to the configuration device.
- Step A2 configure the device to establish a corresponding mode connection with the server device according to the Rendezvous mode provided by the device.
- Step A3 After the configuration device establishes a connection with the server device, the server device enters the waiting state for pairing; the configuration device sends a Password-Based Key Derivation Function (PBKDF) parameter request, and the server device receives the request Post-process and return the PBKDF response; the configuration device sends the spake2+pake1 message to the server device after receiving the PBKDF response; the server device processes the spake1 message after receiving it, and sends the spake2+pake2 message to the configuration device; the configuration device receives the pake2 message After processing, send the spake2+pake3 message to the server device to establish a password authenticated session establishment (Password Authenticated Session Establishment, PASE) session based on key authentication; the server device receives the pake3 message to process and establish a PASE session.
- PASE password authenticated Session Establishment
- Step B Network distribution and Domain Name System (Domain Name System, DNS) service discovery (DNS Service Discovery, DNS-SD).
- DNS Domain Name System
- step B1 the configuration device establishes a secure session based on key authentication with the server device. After the PASE connection is established, the configuration device starts to perform device authentication on the server device.
- TLV Tag-Length-Value
- Step B2 after the server device is successfully authenticated, the configuration device sends a root certificate (Root Certificate Authority, Root CA) to the server device, where the Root CA of the configuration device is issued by its ecology; after receiving the root certificate, the server device sends The root certificate receives a successful confirmation message to the configuration device; then the configuration device creates the nonce requested by the Operational Certificate Signing Request (OpCSR), and sends a request to the server device to obtain the OpCSR, carrying the nonce data, and the server device receives it After the request, generate the corresponding interoperability key pair, create the TLV structure of the OpCSR corresponding data, and then send the data to the configuration device; then configure the device to perform OpCSR authentication according to the received data; finally configure the device to pass the OpCSR authentication.
- the server device generates an interoperability certificate and sends the certificate to the server device. After receiving the certificate, the server device returns a confirmation message to the configuration device.
- Step B3 after the server device is authenticated, configure the device to start the network configuration operation for the server device, and send the network access credential information to the server device, including the service set identifier (Service Set Identifier, SSID) and password (Password, PWD),
- the server device automatically connects to the network after receiving the network access certificate; after the server device is successfully connected to the network, the configuration device and the server device exit the PASE session; the server device publishes its own domain name information through DNS-SD, and the configuration device discovers services through DNS-SD end device, and establish an IP-based connection with the server device.
- Step C Establish a CASE session.
- the server device After the configuration device establishes an IP-based connection with the server device, the server device waits for the CASE session to be established, the configuration device sends a SigmaR1 message to the server device, the server device processes the message after receiving the SigmaR1 message, and sends a SigmaR2 message to the configuration device ; Configure the device to process after receiving the SigmaR2 message, and send a SigmaR3 message to the server device, and then establish a CASE session; the server device processes after receiving the SigmaR3 message, and then establish a CASE session.
- Step 502 the configuration device obtains the token information of the server device from the cloud device, and correspondingly, the cloud device sends the token information of the server device to the configuration device.
- the configuration device after the configuration device establishes a connection with the server device, or during the process of establishing a connection between the configuration device and the server device, when the configuration device obtains the token information of the server device from the cloud device, it can send The cloud device sends a token acquisition request, and the token acquisition request includes the first verification information; correspondingly, the cloud device receives the token acquisition request sent by the configuration device; after that, the cloud device performs verification according to the first verification information; After the first verification information is verified, the token information is sent to the configuration device.
- the configuration device obtains the token information sent by the cloud device after the verification of the first verification information is passed.
- the token acquisition request sent by the configuration device to the cloud device may include the first authentication information, the cloud device can verify the token acquisition request through the first verification information, and when the verification is passed, the cloud device can generate token information for the server device, and send the generated token information to the configuration device.
- the first verification information includes at least one of user information of the configuration device and a fabric ID (Fabric Identity, Fabric ID) of the server device.
- a fabric ID Fabric Identity, Fabric ID
- the structure ID is generated for the server device based on the root certificate of the cloud device.
- the structure ID is used for the cloud device to obtain a verification result, and the verification result is used to indicate whether the structure ID is generated according to the root certificate of the cloud device.
- the verification process of the cloud device according to the first verification information may include:
- the first verification information includes user information configuring the device, verify whether the user information is legal;
- the first verification information includes the structure ID of the server device, verify whether the structure ID matches the root certificate of the cloud device.
- the cloud device may obtain a verification result based on the structure ID, and the verification result is used to indicate whether the structure ID is generated according to the root certificate.
- the user corresponding to the user account logged in on the configuration device may register and bind to the cloud device in advance, and during this process, the cloud device may store corresponding user information.
- the cloud device can also issue its own root certificate to the configuration device that logs in to the user account, and the configuration device can generate a structure ID corresponding to the root certificate of the cloud device. There is a corresponding relationship between certificates.
- the configuration device can generate a structure ID for the server device according to the root certificate of the cloud device.
- the fabric ID matches the chip-fabric-id in the cloud device's root certificate.
- the configuration device may send at least one item of user information and structure ID as the first verification information in the token acquisition request.
- the cloud device can first verify the user information to verify whether the user information is legal information registered in the cloud. After the user information is verified, the cloud device can then Verify the structure ID to verify whether the structure ID matches the root certificate of the cloud device, for example, compare the structure ID with the root certificate of the cloud device to obtain a verification result, which is used to indicate whether the structure ID is Generated according to the above root certificate; if yes, determine that the verification of the first verification information passes; otherwise, determine that the verification fails.
- the configuration device may acquire the token information of the server device from the cloud device after the configuration of the server device is completed.
- the server device after a secure session based on key authentication is established between the server device and the configuration device to establish a PASE connection, the server device is authenticated successfully, and the interoperability certificate signing request OpCSR operation is successful, and after Before the server device completes the network configuration, configure the device to obtain the token information of the server device from the cloud device.
- the server device when the server device establishes a connection with the configuration device, before the server device completes the network configuration, as long as the interoperability certificate signature between the server device and the configuration device requests the OpCSR operation If the configuration is successful, the device can initiate the process of requesting the token information of the server device from the cloud device. There is no need to wait for the network configuration of the server device to complete. After the network configuration of the subsequent server device is completed, CASE can be established with the cloud device in time. Connection, thereby reducing the time for establishing a CASE connection between the server device and the cloud device, and improving the efficiency of establishing a CASE connection between the server device and the cloud device.
- the token information includes the device token.
- the device token is used to verify the authority of the server device to establish a CASE connection with the cloud device during the process of establishing a CASE connection between the server device and the cloud device.
- the token information also includes at least one of the refresh token and the address of the cloud device;
- the refresh token is used to refresh the device token.
- the device token of the server device usually has a certain timeliness.
- a device token is issued together with a refresh token, which is used to update an expired device token, thereby reducing the interaction steps of token issuance, saving network resources, and improving token issuance efficiency.
- the token acquisition request further includes a device identification ID of the server device; the device ID is information based on which the cloud device generates the device token and/or the refresh token.
- the process of sending the token information to the configuration device may include:
- the cloud device after the cloud device passes the verification of the token acquisition request according to the first verification information, the cloud device can generate the token information and/or refresh the token information in the token information corresponding to the server device according to the device ID. token.
- the cloud device may add the device ID or derivative information of the device ID (such as a hash value of the device ID) to the device token and/or the refresh token.
- the device ID or derivative information of the device ID such as a hash value of the device ID
- the cloud device may also store the device ID and the generated token information correspondingly.
- the cloud device uses the device ID (Node ID), optionally, combined with the data connected by the structure ID (Fabric ID), timeout time, and Nonce (random number), an encrypted signature algorithm is used to generate the length
- An Octet String of 8 or 16 is used as the above-mentioned device token (token); subsequent cloud devices can verify the token sent by the server device according to the signature algorithm, and can confirm whether the token is issued by the cloud to the corresponding server device the token.
- the refresh token is generated by the cloud device for the corresponding Node ID; if the token expires, the server device can use the refresh token to request a new token.
- Step 503 the configuration device sends token information to the server device, and the server device receives the token information.
- the configuration device after the configuration device obtains the token information issued by the cloud device, it can send the token information to the server device.
- the process of configuring the device to send token information to the server device may include:
- the write operation message is used to instruct the server device to write the token information into the attribute information in the model information cluster.
- the process for the server device to receive the token information sent by the configuration device may include:
- a cluster (cluster) of a system model or a device management model can be set in the server device, and the cluster can be used to store token information issued by the cloud device.
- the configuration device obtains the token information of the server device from the cloud device, it can instruct the server device to write the token information into the cluster in the server device.
- the server device writes the token information into the cluster in the server device.
- the model information cluster in the server device includes attributes corresponding to each item of information in the token information, and the server device writes each item of information in the token information into the corresponding attributes.
- key attributes such as cloud address attributes, token (token) attributes, and refresh token attributes can be stored in the above cluster.
- the server device writes the device token in the token information into the token attribute, writes the refresh token in the token information into the refresh token attribute, and writes the address of the cloud device in the token information into the cloud address Attributes.
- the above attributes include information such as their respective attribute names, attribute types, and attribute values, wherein the attribute values include corresponding attribute content, for example, the attribute value of the cloud address attribute is the address of the cloud device; the attribute value of the token attribute is the device token, and the attribute value of the refresh token attribute is the refresh token.
- Attribute there are at least three key attribute (Attribute) information in the model information cluster (Cluster) in the cloud device.
- the Attribute type of the cloud address attribute is String (string type), described as Cloud URL, and the attribute value is an attribute of the address or domain name of the cloud device
- the Attribute type of the token attribute is Octet String, described as Cloud token
- the attribute value is cloud
- the Attribute type of the refresh token attribute is Octet String, the description is Cloud refresh token
- the attribute value is the refresh token sent by the cloud device.
- Step 504 the server device establishes a CASE connection with the cloud device based on the certificate authentication security session according to the token information.
- the server device after the server device obtains the token information, it can initiate a connection establishment process to the cloud device according to the token information.
- the process of establishing a secure session based on certificate authentication according to the token information between the server device and the cloud device to establish a CASE connection can be as follows:
- Step 504a the server device sends a first connection establishment request to the cloud device, and the cloud device receives the first connection establishment request sent by the server device; wherein, the first connection establishment request includes the first connection establishment message SigmaR1, and the server device The device token for .
- the above-mentioned device token is used for the cloud device to verify the connection establishment request sent by the server device.
- the server device may send the first connection establishment request including SigmaR1 and the device token to the cloud device.
- the server device may establish a TCP connection or a UDP connection with the cloud device according to the address of the cloud device.
- the first connection establishment request can be transmitted between the server device and the cloud device through the TCP/UDP connection.
- the reliable message protocol (Connected Home over IP Working Group Reliable Message Protocol, CRMP) that connects the home working group through IP can be used to ensure Reliability of data transmission.
- CRMP Connected Home over IP Working Group Reliable Message Protocol
- Step 504b after the cloud device passes the verification of SigmaR1 through the device token, it returns the second connection establishment message SigmaR2 to the server device according to SigmaR1, and correspondingly, the server device receives the second connection establishment message SigmaR2 returned by the cloud device according to SigmaR1.
- the cloud device can verify the device token in the first connection establishment request to verify whether the device token is a token generated by the cloud device for the server device, and if so, the SigmaR1 verification is passed , otherwise, it is determined that the SigmaR1 verification fails.
- the cloud device may return a connection establishment failure response to the server device at this time.
- the cloud device can check whether the device token carried in the first connection establishment request meets the format/rule of the device token issued by the cloud, and if so, can confirm that the device token A token is a legal device token issued by a cloud device.
- the above-mentioned first connection establishment request may also carry device information of the server device, such as the device ID and structure ID of the server device, and the cloud device may issue it to the server according to the device information query.
- the device token of the device is compared with the device token carried in the first connection establishment request. If the two match, it is determined that the SigmaR1 verification is passed, otherwise the verification is not passed.
- the cloud device After the cloud device passes the verification of SigmaR1, it can process SigmaR1, generate SigmaR2, and return SigmaR2 to the server device through a TCP/UDP connection.
- Step 504c the server device sends a second connection establishment request to the cloud device, and accordingly, the cloud device receives the second connection establishment request sent by the server device according to SigmaR2; wherein, the second connection establishment request includes a third connection establishment message SigmaR3, and the device token of the server device.
- the server device after receiving the SigmaR2 returned by the cloud device, the server device processes SigmaR2 to generate SigmaR3, and sends a second connection establishment request including SigmaR3 and the device token to the cloud device.
- Step 504d the server device establishes a CASE connection with the cloud device; correspondingly, the cloud device establishes a CASE connection with the server device after passing the verification of the SigmaR3 through the device token.
- the server device after the server device sends the second connection establishment request including SigmaR3 and the device token, it can establish a CASE connection with the cloud device on the server device side, for example, generate a CASE connection with the cloud device on the server device side.
- Related information (such as context information) between CASE connections.
- the cloud device After receiving the second connection establishment request, the cloud device verifies SigmaR3 through the device token carried in the second connection establishment request, and after the verification is passed, correspondingly establishes a connection between the cloud device side and the server device. CASE connection.
- the server device after the CASE connection is established between the server device and the cloud device, the server device sends a resource report request to the cloud device, and accordingly, the cloud device receives the resource report request sent by the server device through the CASE connection ; Wherein, the resource report request includes the resource information of the server device and the device token.
- the cloud device can verify the device token, and after the resource information is verified through the device token, according to the resource information reported by the server device, a digital image of the server device is established on the cloud. Subsequent cloud devices or other remote devices can manage and control the server device through the digital image.
- FIG. 6 shows a sequence diagram of establishing a CASE connection involved in the embodiment of the present application.
- the process of establishing a CASE connection between the server device and the cloud device can be as follows:
- the device (corresponding to the above-mentioned server device) has a system model or a cluster (cluster) of the device management model, which is used to configure and store data interoperable with the cloud (such as the above-mentioned cloud device) (in the embodiment of this application, it can be It is called cloud cluster), and the cluster has at least cloud address attribute, token attribute, refresh token and other attribute information.
- cloud such as the above-mentioned cloud device
- the cluster has at least cloud address attribute, token attribute, refresh token and other attribute information.
- the configurator after the device establishes a CASE session connection with the configurator (corresponding to the above-mentioned configuration device), the configurator according to the registered user information and device information such as Node ID (corresponding to the above-mentioned device ID), Fabric ID (corresponding to the above-mentioned structure ID), Obtain token information such as token (corresponding to the above device token) and refresh token (corresponding to the above refresh token) from the cloud. That is, the configurator sends a request to the cloud to obtain token information.
- device information such as Node ID (corresponding to the above-mentioned device ID), Fabric ID (corresponding to the above-mentioned structure ID), Obtain token information such as token (corresponding to the above device token) and refresh token (corresponding to the above refresh token) from the cloud. That is, the configurator sends a request to the cloud to obtain token information.
- the cloud judges the legitimacy of the user identity according to the user information sent by the configurator.
- the cloud compares the Fabric ID information sent by the configurator (generated by the configurator for the device) with the root certificate (Root Certificate Authority, Root CA) on the cloud to confirm that the Fabric ID is generated by the root CA in the cloud.
- the root certificate Root Certificate Authority, Root CA
- the cloud generates token information such as token and refresh token for the device according to the sent Node ID information.
- the cloud returns token, refresh token and other data (token information) to the configurator.
- the configurator sends to the device an operation instruction for writing attribute information such as the cloud address attribute, token attribute, and refresh token of the cloud cluster.
- the device establishes a TCP/UDP-based connection with the cloud through the cloud address information; the cloud waits for a request to establish a CASE connection through the corresponding token.
- the device sends a SigmaR1 request to the cloud, carrying the token.
- the cloud After receiving the message, the cloud processes the SigmaR1 message and prepares the SigmaR2 message after verifying that the token passes.
- the cloud sends a SigmaR2 message to the device.
- the device processes the SigmaR2 message from the cloud, and prepares the SigmaR3 message.
- the device sends a SigmaR3 message to the cloud, carrying the token.
- the device establishes a CASE session connection.
- the cloud verifies the token after receiving the message, processes the SigmaR3 message, and then establishes a CASE session connection.
- one or more steps in the above step S601 to step S608 can be completed after the PASE connection is established between the device and the configurator, after the device authentication is successful, and the OpCSR operation is successful, and before the device is connected to the network; or, the above step S601
- One or more steps up to step S608 may also be completed after the device is networked.
- the configuration device can apply for the token information corresponding to the server device from the cloud device, and then send the token information to the server device.
- the server device can establish a CASE connection with the cloud device, and the subsequent server device can receive remote management and control of the cloud device or other user devices connected to the cloud device through the CASE connection with the cloud device, thereby greatly It expands the management and control scenarios of server devices, and improves the convenience of management and control of server devices.
- the solution involved in this application can provide the security of the connection between the server device and the cloud device, thereby improving the acceptance of the server device. Security of management or control of cloud devices.
- the configuration device obtains the token information of the server device from the cloud device, and sends the token information to the server device, and then the server device and the cloud device directly according to The token information establishes the CASE connection, which improves the efficiency of establishing the CASE connection.
- the server device can directly establish a secure connection with the cloud device through the configuration device.
- FIG. 7 shows a flow chart of a method for establishing a connection provided by an embodiment of the present application.
- the method can be executed interactively among the configuration device, the server device, and the cloud device; the method can include the following steps:
- Step 701 the configuration device establishes a connection with the server device.
- Step 702 the configuration device obtains the token information of the server device from the cloud device, and correspondingly, the cloud device sends the token information of the server device to the configuration device.
- Step 703 the configuration device sends token information to the server device, and the server device receives the token information.
- step 701 to step 703 For the execution process of the above step 701 to step 703, reference may be made to the description corresponding to the step 501 to step 503 in the above embodiment shown in FIG. 5 , which will not be repeated here.
- the configuration device may obtain the token information of the server device from the cloud device after the configuration of the server device is completed.
- the server device after a secure session based on key authentication is established between the server device and the configuration device to establish a PASE connection, the server device is authenticated successfully, and the interoperability certificate signing request OpCSR operation is successful, and after Before the server device completes network configuration, it obtains the token information of the server device from the cloud device.
- step 704 the configuration device forwards the CASE connection establishment message between the server device and the cloud device, so that the server device establishes a secure session based on certificate authentication with the cloud device according to the token information to establish a CASE connection.
- the message of establishing a CASE connection between the server device and the cloud device can be forwarded and verified by the configuration device.
- the configuration device may send a start pairing request to the cloud device; the start pairing request includes the device ID of the server device, Correspondingly, the cloud device receives the pairing start request sent by the configuration device. Afterwards, the cloud device sends a pairing start response to the configuration device according to the pairing start request, and accordingly, the configuration device receives the pairing start response returned by the cloud device; wherein, the pairing start response is used to instruct the cloud device to enter a state of waiting for pairing.
- the configuration device sends status indication information to the server device, and correspondingly, the server device receives the status indication information sent by the configuration device; the status indication information is used to instruct the cloud device to enter a state of waiting for pairing.
- the server device After the server device knows that the cloud device has entered the state of waiting to be paired with it, it can initiate the process of establishing a CASE connection with the cloud device.
- the CASE connection establishment message includes the first connection establishment message SigmaR1, the second connection establishment message SigmaR2 and the third connection establishment message SigmaR3; the configuration device forwards the CASE connection establishment between the server device and the cloud device
- the process of forwarding the CASE connection establishment message between the server device and the cloud device may include:
- Step 704a the server device sends a first connection establishment request to the configuration device, and the configuration device receives the first connection establishment request sent by the server device, the first connection establishment request includes the first connection establishment message SigmaR1, and the server device's Device token.
- the above-mentioned first connection establishment request is used to instruct the configuration device to send SigmaR1 to the cloud device according to the device token.
- the server device when the server device initiates the establishment of a CASE connection with the cloud device, it may send a first connection establishment request to the configuration device.
- Step 704b the configuration device sends SigmaR1 to the cloud device according to the device token; the cloud device receives the SigmaR1 sent by the configuration device according to the device token.
- the configuration device may determine whether the first connection establishment request is a request sent to the cloud device according to whether the first connection establishment request carries a device token. For example, if the first connection establishment request carries If there is a device token, it is determined that the first connection establishment request is a request sent to the cloud device. At this time, the configuration device can send SigmaR1 to the cloud device. Optionally, the configuration device can also send SigmaR1 and the device token together to the cloud device.
- connection establishment request received by the configuration device does not carry a device token
- the configuration device can process SigmaR1 locally.
- the configuration device can also verify the first connection establishment request according to the device token, for example, verify whether the device token is a device token issued by the cloud device for the server device, and if so, the verification is passed , send SigmaR1 to the cloud device; otherwise, the verification fails. At this time, the configuration device can return a request failure response to the server device.
- Step 704c the cloud device returns the second connection establishment message SigmaR2 to the configuration device according to SigmaR1, and correspondingly, the configuration device receives the SigmaR2 returned by the cloud device according to SigmaR1.
- step 704d the configuration device sends SigmaR2 to the server device; correspondingly, the server device receives the SigmaR2 sent by the configuration device.
- the cloud device After the cloud device receives the SigmaR1 forwarded by the configuration device, it can process SigmaR1 to generate SigmaR2, and return SigmaR2 to the configuration device, which forwards it to the server device.
- Step 704e the server device sends a second connection establishment request to the configuration device according to SigmaR2, and correspondingly, the configuration device receives the second connection establishment request sent by the server device according to SigmaR2; wherein, the second connection establishment request includes the third connection establishment request Create the message SigmaR3 and the device token of the server device.
- the above-mentioned second connection establishment request is used to instruct the configuration device to send SigmaR3 to the cloud device according to the device token.
- the server device After the server device generates SigmaR3 according to SigmaR2, it can send the second connection establishment request including SigmaR3 and the device token to the configuration device.
- the SigmaR3 is used to instruct the cloud device to establish a CASE connection with the server device.
- Step 704f the server device establishes a CASE connection with the cloud device.
- the server device After the server device sends the second connection establishment request, it can establish a CASE connection with the cloud device on the server device side.
- Step 704g configure the device to send SigmaR3 to the cloud device according to the device token; correspondingly, the cloud device configures the SigmaR3 sent by the device according to the device token.
- the configuration device After the configuration device passes the verification of the second connection establishment request according to the device token, it sends the SigmaR3 to the cloud device.
- Step 704h the cloud device establishes a CASE connection with the server device.
- the cloud device after the cloud device receives the SigmaR3, it can establish a CASE connection with the server device on the cloud according to the SigmaR3.
- the server device authentication is successful, and the interoperability certificate signing request OpCSR operation is successful, and after the service Before the terminal device completes the network configuration, the configuration device forwards the CASE connection establishment message between the server device and the cloud device, and correspondingly establishes a secure session based on key authentication between the server device and the configuration device to establish a PASE
- the server device authentication is successful, and the interoperability certificate signature request OpCSR operation is successful, and before the server device completes network configuration, the server device establishes a certificate-based secure session with the cloud device based on the token information to establish CASE connect.
- the server device After the server device completes the network configuration, the server device establishes a CASE connection based on a certificate-authenticated security session with the cloud device based on the token information.
- the configuration device that is, you can initiate a request to the cloud device to configure the token information of the device, and forward the CASE connection establishment message between the server device and the cloud device, without waiting for the completion of the server device network configuration; the subsequent server device network configuration is completed
- the server device and the cloud device can communicate directly through the established CASE connection, thereby reducing the time for establishing a CASE connection between the server device and the cloud device, and improving the time for establishing a CASE connection between the server device and the cloud device. s efficiency.
- the server device after the CASE connection is established between the server device and the cloud device, the server device sends a resource report request to the cloud device, and accordingly, the cloud device receives the resource report request sent by the server device through the CASE connection ; Wherein, the resource report request includes the resource information of the server device and the device token.
- the cloud device can verify the device token, and after the resource information is verified through the device token, according to the resource information reported by the server device, a digital image of the server device is established on the cloud. Subsequent cloud devices or other remote devices can manage and control the server device through the digital image.
- FIG. 8 shows a sequence diagram of establishing a CASE connection involved in the embodiment of the present application.
- the process of establishing a CASE connection between the server device and the cloud device can be as follows:
- the device (corresponding to the above-mentioned server device) has a system model or a cluster of device management models, which is used to configure and store data interoperable with the cloud (such as the above-mentioned cloud device) (in the embodiment of this application, it can be called cloud cluster), the cluster has at least cloud address attribute, token attribute, refresh token and other attribute information.
- cloud such as the above-mentioned cloud device
- the cluster has at least cloud address attribute, token attribute, refresh token and other attribute information.
- the configurator After the device establishes a CASE session connection with the configurator (corresponding to the above-mentioned configuration device), the configurator obtains a token from the cloud according to the registered user information and the device's Node ID (corresponding to the above-mentioned device ID) and Fabric ID (corresponding to the above-mentioned structure ID). (corresponding to the above device token) and refresh token (corresponding to the above refresh token) information.
- the cloud judges the legitimacy of the user identity according to the user information sent by the configurator.
- the cloud compares the Fabric ID information sent by the configurator (generated by the configurator for the device) with the root certificate (Root Certificate Authority, Root CA) on the cloud, and confirms that the Fabric ID is generated by the Root CA in the cloud.
- the root certificate Root Certificate Authority, Root CA
- the cloud generates token, refresh token and other data information for the device according to the sent Node ID information.
- the cloud returns data such as token and refresh token to the configurator.
- the configurator sends to the device an operation instruction for writing attribute information such as the cloud address attribute, token attribute, and refresh token of the cloud cluster.
- the device After receiving the write cloud cluster operation instruction, the device writes related attributes, and returns the write operation status to the configurator.
- the configurator sends a pairing start request to the cloud, carrying data information such as Node ID.
- the cloud After receiving the start pairing request from the configurator, the cloud enters and waits to establish a certificate-based secure pairing with the device according to the Node ID.
- the cloud returns to the configurator that the state of waiting for pairing has been entered.
- the device sends a request to the configurator to establish a SigmaR1 with the cloud, carrying a token.
- the configurator After receiving the request, the configurator sends a SigmaR1 request to the cloud according to the corresponding token information in the message.
- the cloud returns the corresponding SigmaR2 message to the configurator.
- the configurator sends the SigmaR2 message to the device.
- the device receives the SigmaR2 message and processes it, and prepares the SigmaR3 message.
- the device sends a SigmaR3 message to the configurator, carrying token data.
- S820 is configured to send a SigmaR3 message to the cloud according to the token.
- the device establishes a CASE session connection.
- the cloud processes the SigmaR3 message after receiving it, and establishes a CASE session connection.
- one or more steps in the above steps S801 to S822 can be completed after the PASE connection is established between the device and the configurator, after the device authentication is successful, and the OpCSR operation is successful, and before the device is connected to the Internet; or, the above S801 to One or more steps in step S822 may also be completed after the device is networked.
- the configuration device can apply for the token information corresponding to the server device from the cloud device, and then send the token information to the server device.
- the server device can establish a CASE connection with the cloud device, and the subsequent server device can receive remote management and control of the cloud device or other user devices connected to the cloud device through the CASE connection with the cloud device, thereby greatly It expands the management and control scenarios of server devices, and improves the convenience of management and control of server devices.
- the solution involved in this application can provide the security of the connection between the server device and the cloud device, thereby improving the acceptance of the server device. Security of management or control of cloud devices.
- the configuration device obtains the token information of the server device from the cloud device, and sends the token information to the server device, and then forwards the server device and the cloud device through the configuration device. Since a secure connection has been established between the configuration device and the server device, this solution can improve the security of the CASE connection establishment message transmission between the server device and the cloud device.
- FIG. 9 shows a block diagram of an apparatus for connection establishment provided by an embodiment of the present application.
- the device has the function of realizing the above example of the method for connection establishment, and the function may be realized by hardware, or may be realized by executing corresponding software by hardware.
- the device can be the configuration device described above, or it can be set in the configuration device. As shown in Figure 9, the device may include:
- a token acquisition module 901, configured to acquire the token information of the server device from the cloud device;
- a token sending module 902 configured to send the token information to the server device, and the token information is used to establish a secure session based on certificate authentication between the server device and the cloud device to establish a CASE connection .
- the token acquisition module 901 includes:
- An acquisition request sending submodule configured to send a token acquisition request to the cloud device, where the token acquisition request includes first verification information
- the token acquisition sub-module is configured to acquire the token information sent by the cloud device after the first verification information is successfully verified.
- the first verification information includes at least one of user information of the configuration device and a structure ID of the server device.
- the device further includes:
- a structure identification generating module configured to generate the structure ID corresponding to the root certificate of the cloud device for the server device.
- the structure ID is used for the cloud device to obtain a verification result, and the verification result is used to indicate whether the structure ID is generated according to the root certificate.
- the token acquisition request further includes the device ID of the server device.
- the token information includes a device token.
- the token information further includes at least one of a refresh token and an address of the cloud device;
- the refresh token is used to refresh the device token.
- the token acquisition request further includes the device ID of the server device; the device ID is the basis for the cloud device to generate the device token and/or refresh token information.
- the token sending module 902 is configured to send a write operation message including the token information to the server device, and the write operation message is used to indicate that the server device Writing the token information into a model information cluster in the server device; the model information cluster is used to store information related to cloud operations.
- the write operation message is used to instruct the server device to write the token information into the attribute information in the model information cluster.
- the device further includes:
- a message forwarding module configured to forward a CASE connection establishment message between the server device and the cloud device.
- the CASE connection establishment message includes a first connection establishment message SigmaR1, a second connection establishment message SigmaR2, and a third connection establishment message SigmaR3; the message forwarding module is configured to:
- the server device Receives a first connection establishment request sent by the server device, where the first connection establishment request includes a first connection establishment message SigmaR1 and a device token of the server device;
- the second connection establishment request including a third connection establishment message SigmaR3 and a device token of the server device;
- the device further includes:
- the pairing request sending module is used for the message forwarding module to send a start pairing request to the cloud device before the message forwarding module forwards the CASE connection establishment message between the server device and the cloud device;
- the start pairing request includes the service Device ID of the end device;
- a pairing response receiving module configured to receive a start pairing response returned by the cloud device, and the start pairing response is used to instruct the cloud device to enter a state of waiting for pairing;
- a status indication module configured to send status indication information to the server device, where the status indication information is used to indicate that the cloud device enters a state of waiting for pairing.
- the token acquisition module 901 is configured to establish a secure session based on key authentication between the server device and the configuration device to establish a PASE connection, and the server device to authenticate Obtain the token information of the server device from the cloud device after the operation of the interoperability certificate signature request OpCSR succeeds and before the server device completes network configuration.
- the message forwarding module is configured to establish a secure session based on key authentication between the server device and the configuration device to establish a PASE connection, the server device is authenticated successfully, And after the operation of the interoperability certificate signature request OpCSR is successful, and before the server device completes the network configuration, the CASE connection establishment message is forwarded between the server device and the cloud device.
- the configuration device can apply for the token information corresponding to the server device from the cloud device, and then send the token information to the server device.
- the server device can establish a CASE connection with the cloud device, and the subsequent server device can receive remote management and control of the cloud device or other user devices connected to the cloud device through the CASE connection with the cloud device, thereby greatly It expands the management and control scenarios of server devices, and improves the convenience of management and control of server devices.
- the solution involved in this application can provide the security of the connection between the server device and the cloud device, thereby improving the acceptance of the server device. Security of management or control of cloud devices.
- FIG. 10 shows a block diagram of an apparatus for connection establishment provided by an embodiment of the present application.
- the device has the function of realizing the above example of the method for connection establishment, and the function may be realized by hardware, or may be realized by executing corresponding software by hardware.
- the apparatus may be the server device described above, or may be set in the server device. As shown in Figure 10, the device may include:
- the token receiving module 1001 is configured to receive the token information of the server device sent by the configuration device; the token information is obtained by the configuration device from the cloud device;
- a connection establishment module 1002 configured to establish a CASE connection with the cloud device based on a certificate-authenticated security session according to the token information.
- the token information includes a device token.
- the token information further includes at least one of a refresh token and an address of the cloud device;
- the refresh token is used to refresh the device token.
- model information cluster in the server device; the model information cluster is used to store information related to cloud operations; the token receiving module 1001 is used to receive the configuration device A write operation message including the token information is sent; according to the write operation message, the token information is written into the model information cluster in the server device.
- the writing the token information into the model information cluster according to the write operation message includes:
- connection establishment module 1002 is configured to:
- the first connection establishment request including a first connection establishment message SigmaR1, and a device token of the server device; the device token is used for the cloud device Verifying the connection establishment request sent by the configuration device;
- the second connection establishment request including a third connection establishment message SigmaR3 and the device token of the server device;
- connection establishing module 1002 is further configured to establish a transmission with the cloud device according to the address of the cloud device before sending the first connection establishment request to the cloud device.
- connection establishment module 1002 is configured to:
- the first connection establishment request includes a first connection establishment message SigmaR1, and the device token of the server device; the first connection establishment request is used to indicate the The configuration device sends the SigmaR1 to the cloud device according to the device token;
- the SigmaR2 is returned to the configuration device by the cloud device according to the SigmaR1;
- the second connection establishment request includes a third connection establishment message SigmaR3, and the device token of the server device; the second connection establishment request Instructing the configuration device to send the SigmaR3 to the cloud device according to the device token; the SigmaR3 is used to instruct the cloud device to establish the CASE connection with the server device;
- connection establishment module 1002 is further configured to receive status indication information sent by the configuration device before sending the first connection establishment request to the configuration device, and the status indication information uses Instructing the cloud device to enter a state of waiting for pairing.
- connection establishment module 1002 is configured to establish a secure session based on key authentication between the server device and the configuration device to establish a PASE connection, and the server device is authenticated successfully , and after the operation of the interoperable certificate signature request OpCSR succeeds, and before the server device completes network configuration, establish a CASE connection based on a certificate-authenticated secure session with the cloud device according to the token information.
- the device further includes:
- a reporting module configured to send a resource reporting request to the cloud device, where the resource reporting request includes resource information of the server device and the device token.
- the configuration device can apply for the token information corresponding to the server device from the cloud device, and then send the token information to the server device.
- the server device can establish a CASE connection with the cloud device, and the subsequent server device can receive remote management and control of the cloud device or other user devices connected to the cloud device through the CASE connection with the cloud device, thereby greatly It expands the management and control scenarios of server devices, and improves the convenience of management and control of server devices.
- the solution involved in this application can provide the security of the connection between the server device and the cloud device, thereby improving the acceptance of the server device. Security of management or control of cloud devices.
- FIG. 11 shows a block diagram of an apparatus for connection establishment provided by an embodiment of the present application.
- the device has the function of realizing the above example of the method for connection establishment, and the function may be realized by hardware, or may be realized by executing corresponding software by hardware.
- the apparatus may be the server device described above, or may be set in the server device. As shown in Figure 11, the device may include:
- a token sending module 1101, configured to send the token information of the server device to the configuration device; the token information is sent by the configuration device to the server device;
- a connection establishment module 1102 configured to establish a CASE connection with the server device based on a secure session based on certificate authentication according to the token information.
- the token sending module 1101 includes:
- An acquisition request receiving submodule configured to receive a token acquisition request sent by the configuration device, where the token acquisition request includes first verification information
- a verification submodule configured to perform verification according to the first verification information
- the token sending submodule is configured to send the token information to the configuration device after the verification according to the first verification information is passed.
- the first verification information includes at least one of the user information of the configuration device and the structure ID of the server device; wherein the structure ID is based on the The root certificate of the cloud device is generated for the server device;
- the verification submodule is used for,
- the first verification information includes user information of the configuration device, verify whether the user information is legal;
- the first verification information includes the structure ID of the server device, verify whether the structure ID matches the root certificate of the cloud device.
- the verification submodule is configured to, when the first verification information includes the structure ID of the server device, obtain a verification result based on the structure ID, and use the verification result to to indicate whether the fabric ID was generated from the root certificate.
- the token information includes a device token.
- the token information further includes at least one of a refresh token and an address of the cloud device;
- the refresh token is used to refresh the device token.
- the token acquisition request further includes the device ID of the server device; the apparatus further includes:
- a token generation module configured to generate a device token and/or a refresh token according to the device ID after the verification is passed according to the first verification information.
- the root connection establishment module 1102 is configured to:
- the server device Receives a first connection establishment request sent by the server device, where the first connection establishment request includes a first connection establishment message SigmaR1 and a device token of the server device;
- the second connection establishment request including a third connection establishment message SigmaR3 and a device token of the server device;
- connection establishing module 1102 is further configured to establish a transmission control protocol TCP connection or UDP connection.
- connection establishment module 1102 is configured to:
- the SigmaR1 and the device token are carried in the first connection establishment request sent by the server device to the configuration device;
- connection establishment module 1102 is further configured to, before receiving the first connection establishment message SigmaR1 sent by the configuration device according to the device token,
- the start pairing request includes the device ID of the server device
- the device further includes:
- a report request receiving module configured to receive a resource report request sent by the server device through a CASE connection, where the resource report request includes resource information of the server device and the device token;
- the image creation module is configured to establish a digital image of the server device on the cloud according to the resource information after the resource information is verified through the device token.
- the configuration device can apply for the token information corresponding to the server device from the cloud device, and then send the token information to the server device.
- the server device can establish a CASE connection with the cloud device, and the subsequent server device can receive remote management and control of the cloud device or other user devices connected to the cloud device through the CASE connection with the cloud device, thereby greatly It expands the management and control scenarios of server devices, and improves the convenience of management and control of server devices.
- the solution involved in this application can provide the security of the connection between the server device and the cloud device, thereby improving the acceptance of the server device. Security of management or control of cloud devices.
- the device provided by the above embodiment realizes its functions, it only uses the division of the above-mentioned functional modules as an example for illustration. In practical applications, the above-mentioned function allocation can be completed by different functional modules according to actual needs. That is, the content structure of the device is divided into different functional modules to complete all or part of the functions described above.
- FIG. 12 shows a schematic structural diagram of an IoT device 1200 provided by an embodiment of the present application.
- the IoT device 1200 may include: a processor 1201 , a receiver 1202 , a transmitter 1203 , a memory 1204 and a bus 1205 .
- the processor 1201 includes one or more processing cores, and the processor 1201 executes various functional applications and information processing by running software programs and modules.
- the receiver 1202 and the transmitter 1203 can be realized as a communication component, and the communication component can be a communication chip.
- the communication chip can also be called a transceiver.
- the memory 1204 is connected to the processor 1201 through the bus 1205 .
- the memory 1204 may be used to store a computer program, and the processor 1201 is used to execute the computer program, so as to implement various steps executed by the terminal in the above method embodiments.
- volatile or non-volatile storage device includes but not limited to: magnetic disk or optical disk, electrically erasable and programmable Read Only Memory, Erasable Programmable Read Only Memory, Static Anytime Access Memory, Read Only Memory, Magnetic Memory, Flash Memory, Programmable Read Only Memory.
- the IoT device includes a processor, a memory, and a transceiver (the transceiver may include a receiver and a transmitter, the receiver is used to receive information, and the transmitter is used to send information);
- the IoT device When the IoT device is implemented as a configuration device,
- the transceiver is used to obtain the token information of the server device from the cloud device;
- the transceiver is further configured to send the token information to the server device, and the token information is used to establish a secure session based on certificate authentication between the server device and the cloud device to establish a CASE connection .
- the IoT device When the IoT device is implemented as a server device,
- the transceiver is configured to receive the token information of the server device sent by the configuration device; the token information is obtained by the configuration device from the cloud device;
- the transceiver is further configured to establish a CASE connection with the cloud device based on a certificate-authenticated secure session based on the token information.
- the IoT device involved in the embodiment of the present application can execute all or part of the steps performed by the server device in the method for connection establishment shown in FIG. 3 , FIG. 5 or FIG. 7 above. I won't repeat them here.
- the IoT device When the IoT device is implemented as a cloud device,
- the transceiver is configured to send the token information of the server device to the configuration device; the token information is sent by the configuration device to the server device;
- the transceiver is further configured to establish a CASE connection with the server device according to the token information and establish a secure session based on certificate authentication.
- the embodiment of the present application also provides a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is loaded and executed by a processor to realize the above-mentioned FIG. 2 , FIG. 3 , FIG. 4 , or FIG. 5 .
- the latter internal steps are performed by the configuration device, the server device or the cloud device.
- the present application also provides a chip, which is used to run in an IoT device, so that the IoT device executes the connection establishment method shown in FIG. 2 , FIG. 3 , FIG. 4 , FIG. 5 or FIG. 7 In , the internal latter part of the steps performed by the provisioning device, the server device or the cloud device.
- the present application also provides a computer program product, the computer program product or the computer program includes computer instructions, and the computer instructions are stored in a computer-readable storage medium.
- the processor of the Internet of Things device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the Internet of Things device executes the above-mentioned steps shown in FIG. 2 , FIG. 3 , FIG. 4 , FIG. 5 or FIG. 7 .
- the internal latter part of steps performed by the configuration device, the server device or the cloud device.
- the present application also provides a computer program, which is executed by a processor of an Internet of Things device, so as to implement the method for connection establishment shown in FIG. 2 , FIG. 3 , FIG. 4 , FIG. 5 or FIG. 7 , Internal latter part of steps performed by provisioning device, server device or cloud device.
- the functions described in the embodiments of the present application may be implemented by hardware, software, firmware or any combination thereof.
- the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
- Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
- a storage media may be any available media that can be accessed by a general purpose or special purpose computer.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Development Economics (AREA)
- Economics (AREA)
- General Business, Economics & Management (AREA)
- Computer And Data Communications (AREA)
Abstract
一种用于连接建立的方法、装置、设备及存储介质,属于物联网技术领域。所述方法由配置设备执行,所述方法包括:从云端设备获取服务端设备的令牌信息;向所述服务端设备发送所述令牌信息,以便所述服务端设备根据所述令牌信息与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。本方法能够极大的扩展对服务端设备进行管理和控制的场景,提高了服务端设备的管理和控制的便捷性。
Description
本申请涉及物联网技术领域,特别涉及一种用于连接建立的方法、装置、设备及存储介质。
在物联网(Internet of Things,IOT)中,服务端设备可以通过配置设备进行管理和控制。
在相关技术中,服务端设备可以通过配置设备进行配网,以使得服务端设备接入网络。然后,服务端设备再与配置设备之间建立网络连接,并基于网络连接接受配置设备的管理和控制。
然而在相关技术中的方案仅考虑了配置设备对服务端设备的管理和控制,应用场景限制较大,影响服务端设备的管理和控制的便捷性。
发明内容
本申请实施例提供了一种用于连接建立的方法、装置、设备及存储介质。该方案能够提高服务端设备的管理和控制的便捷性。所述技术方案如下:
一方面,本申请实施例提供了一种用于连接建立的方法,所述方法由配置设备执行,所述方法包括:
在与服务端设备建立连接后,从云端设备获取所述服务端设备的令牌信息;
向所述服务端设备发送所述令牌信息;所述令牌信息用于所述服务端设备与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
一方面,本申请实施例提供了一种用于连接建立的方法,所述方法由服务端设备执行,所述方法包括:
接收配置设备发送的,所述服务端设备的令牌信息;所述令牌信息所述配置设备从云端设备获取的;
根据所述令牌信息与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
一方面,本申请实施例提供了一种用于连接建立的方法,所述方法由云端设备执行,所述方法包括:
向配置设备发送所述服务端设备的令牌信息;所述令牌信息由所述配置设备发送给所述服务端设备;
根据所述令牌信息与所述服务端设备之间建立基于证书认证的安全会话建立CASE连接。
另一方面,本申请实施例提供了一种用于连接建立的装置,所述装置用于配置设备中,所述装置包括:
令牌获取模块,用于在与服务端设备建立连接后,从云端设备获取所述服务端设备的令牌信息;
令牌发送模块,用于向所述服务端设备发送所述令牌信息,所述令牌信息用于所述服务端设备与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
另一方面,本申请实施例提供了一种用于连接建立的装置,所述装置用于服务端设备中,所述装置包括:
令牌接收模块,用于接收配置设备发送的,所述服务端设备的令牌信息;所述令牌信息所述配置设备从云端设备获取的;
连接建立模块,用于根据所述令牌信息与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
另一方面,本申请实施例提供了一种用于连接建立的装置,所述装置用于云端设备中,所述装置包括:
令牌发送模块,用于向配置设备发送所述服务端设备的令牌信息;所述令牌信息由所述配置设备发送给所述服务端设备;
连接建立模块,用于根据所述令牌信息与所述服务端设备之间建立基于证书认证的安全会话建立CASE连接。
另一方面,本申请实施例提供了一种物联网设备,所述物联网设备实现为配置设备,所述物联网设备包括处理器、存储器和收发器;
所述收发器,用于在与服务端设备建立连接后,从云端设备获取所述服务端设备的令牌信息;
所述收发器,还用于向所述服务端设备发送所述令牌信息,所述令牌信息用于所述服务端设备与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
另一方面,本申请实施例提供了一种物联网设备,所述物联网设备实现为服务端端设备,所述物联网设备包括处理器、存储器和收发器;
所述收发器,用于接收配置设备发送的,所述服务端设备的令牌信息;所述令牌信息所述配置设备从云端设备获取的;
所述收发器,还用于根据所述令牌信息与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
另一方面,本申请实施例提供了一种物联网设备,所述物联网设备实现为云端设备,所述物联网设备包括处理器、存储器和收发器;
所述收发器,用于向配置设备发送所述服务端设备的令牌信息;所述令牌信息由所述配置设备发送给所述服务端设备;
所述收发器,还用于根据所述令牌信息与所述服务端设备之间建立基于证书认证的安全会话建立CASE连接。
再一方面,本申请实施例提供了一种物联网设备,所述物联网设备包括处理器、存储器和收发器,所述存储器存储有计算机程序,所述计算机程序用于被所述处理器执行,以实现上述用于连接建立的方法。
又一方面,本申请实施例还提供了一种计算机可读存储介质,所述存储介质中存储有计算机程序,所述计算机程序由处理器加载并执行以实现上述用于连接建立的方法。
又一方面,本申请还提供了一种芯片,所述芯片用于在物联网设备中运行,以使得所述物联网设备执行上述用于连接建立的方法。
又一方面,本申请提供了一种计算机程序产品,该计算机程序产品包括计算机指令,该计算机指令存储在计算机可读存储介质中。物联网设备的处理器从计算机可读存储介质读取该计算机指令,处理器执行该计算机指令,使得该物联网设备执行上述用于连接建立的方法。
又一方面,本申请提供了一种计算机程序,该计算机程序由物联网设备的处理器执行,以实现上述用于连接建立的方法。
本申请实施例提供的技术方案可以带来如下有益效果:
配置设备和服务端设备建立连接之后,配置设备可以向云端设备申请该服务端设备对应的令牌信息,然后将令牌信息发送给服务端设备,这样服务端设备可以与云端设备之间建立CASE连接,后续服务端设备可以通过与云端设备之间的CASE连接,接收云端设备或者与云端设备相连的其它用户设备的远程管理和控制,从而极大的扩展了对服务端设备进行管理和控制的场景,提高了服务端设备的管理和控制的便捷性。
为了更清楚地说明本申请实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。
图1是本申请一个实施例提供的物联网的网络架构的示意图;
图2是本申请一个实施例提供的用于连接建立的方法的流程图;
图3是本申请一个实施例提供的用于连接建立的方法的流程图;
图4是本申请一个实施例提供的用于连接建立的方法的流程图;
图5是本申请一个实施例提供的用于连接建立的方法的流程图;
图6是图5所示实施例涉及的CASE连接建立时序图;
图7是本申请一个实施例提供的用于连接建立的方法的流程图;
图8是图7所示实施例涉及的CASE连接建立时序图;
图9是本申请一个实施例提供的用于连接建立的装置的框图;
图10是本申请一个实施例提供的用于连接建立的装置的框图;
图11是本申请一个实施例提供的用于连接建立的装置的框图;
图12是本申请一个实施例提供的物联网设备的结构示意图。
为使本申请的目的、技术方案和优点更加清楚,下面将结合附图对本申请实施方式作进一步地详细描述。
本申请实施例描述的网络架构以及业务场景是为了更加清楚地说明本申请实施例的技术方案,并不构成对本申请实施例提供的技术方案的限定,本领域普通技术人员可知,随着网络架构的演变和新业务场景的出现,本申请实施例提供的技术方案对于类似的技术问题,同样适用。
请参考图1,其示出了本申请一个实施例提供的物联网的网络架构的示意图。该物联网的网络架构可以包括:服务端设备110、配置设备120;可选的,该网络架构还可以包括网关设备130、云端服务器140 等等;
服务端设备110可以是用于提供物联网功能服务的设备。
比如,服务端设备110可以是智能家居设备,例如,智能灯具、智能电视、智能空调、智能冰箱、智能微波炉、智能电饭煲、扫地机器人等等。
或者,服务端设备110可以是工业生产设备,例如,车床、工业机器人、太阳能面板、风力发电机等等。
或者,服务端设备110可以是商业服务设备,例如,无人售货机等等。
或者,服务端设备110可以是智能监控设备,例如,监控摄像头、红外传感器、声音传感器、温度传感器等等。
在一种可能的实现方式中,配置设备120是用户侧的终端设备。比如,客户端设备可以是智能手机、平板电脑、智能手表、智能电视等等;或者,客户端设备也可以是个人电脑,比如台式电脑、便携式计算机、个人工作站等等。
在另一种可能的实现方式中,配置设备120是基于终端设备运行的客户端实体(可以是虚拟实体),例如,配置设备120可以是运行在终端设备中,用于对服务端设备进行访问、控制、以及管理等操作的应用程序(Application,APP)。
网关设备130是在网络层以上实现网络互连的网络设备,又称网间连接器、协议转换器等等。网关设备130为服务端设备110提供网络连接服务。
网关设备130可以是专业的网关,比如家庭网关,或者,网关设备130也可以是具有网关功能的接入设备,比如,具有网关功能的路由器。
在一种可能的实现方式中,网关设备130也可以实现为配置设备120。
云端服务器140是部署在网络侧的服务器。
在本申请实施例中,上述服务端设备110、配置设备120、网关设备130、云端服务器140可以是满足业内规范的物联网设备,比如,可以是满足Zigbee联盟下通过IP连接家庭工作组(Connected Home over IP Working Group,CHIP)规范(也称为Matter)的物联网设备。
在本申请实施例中,服务端设备110和配置设备120之间可以建立安全连接,比如,基于CHIP规范建立安全连接。
服务端设备110与网关设备130之间通过有线或者无线网络相连,云端服务器140分别与网关设备130和配置设备120之间可以通过有线或者无线网络相连。
可选的,上述的有线或者无线网络使用标准通信技术和/或协议。比如,上述有线或者无线网络可以是基于物联网IoT协议的通信网络。
请参考图2,其示出了本申请一个实施例提供的用于连接建立的方法的流程图,该方法可以由配置设备执行,比如,该配置设备可以是图1所示的网络架构的配置设备120;该方法可以包括如下几个步骤:
步骤201,从云端设备获取服务端设备的令牌信息。
在与服务端设备建立连接后,配置设备可以从云端设备获取服务端设备的令牌信息。
在一种可能的实现方式中,上述配置设备与服务端设备之间的连接,可以是基于证书认证的安全会话建立(Certificate Authenticated Session Establishment,CASE)连接。
其中,CASE连接是一种基于传输控制协议(Transmission Control Protocol,TCP)或者用户数据报文协议(User Datagram Protocol,UDP)对数据报文进行安全封装的会话连接,其可以在TCP/UDP协议的基础上实现更安全的数据传输。
配置设备中可以登录有用户账号,该用户账号可以是预先向云端设备进行注册获得的用户账号,登录有该用户账号的配置设备可以具有与云端设备之间执行物联网相关的信息交互的权限,比如,接入云端设备,对云端设备管理下的服务端设备进行管理或者控制,以及,协助服务端设备与云端设备之间建立连接等等。
比如,在本申请实施例中,协助服务端设备与云端设备之间建立连接时,配置设备与服务端设备之间建立连接之后,配置设备可以向云端设备申请该服务端设备对应的令牌信息。
步骤202,向服务端设备发送令牌信息;令牌信息用于服务端设备与云端设备之间建立基于证书认证的安全会话建立CASE连接。
其中,服务端设备可以通过与配置设备之间建立的连接(比如与配置设备之间的CASE连接)接收该令牌信息。
其中,配置设备从云端设备获取到服务端设备对应的令牌信息之后,即可以将令牌信息发送给服务端设备,后续服务端设备即可以根据该令牌信息,与云端设备建立安全连接,即上述CASE连接。
综上所述,本申请实施例所示的方案,配置设备和服务端设备建立连接之后,配置设备可以向云端设备申请该服务端设备对应的令牌信息,然后将令牌信息发送给服务端设备,这样服务端设备可以与云端设备之间建立CASE连接,后续服务端设备可以通过与云端设备之间的CASE连接,接收云端设备或者与云端设备相连的其它用户设备的远程管理和控制,从而极大的扩展了对服务端设备进行管理和控制的场景,提高了服务端设备的管理和控制的便捷性。
此外,由于CASE连接在TCP/UDP协议的基础上实现了更高的安全性,因此,本申请涉及的方案能够提供服务端设备与云端设备之间的连接的安全性,继而提高服务端设备接受云端设备的管理或控制的安全性。
请参考图3,其示出了本申请一个实施例提供的用于连接建立的方法的流程图,该方法可以由服务端设备执行,比如,该服务端设备可以是图1所示的网络架构的服务端设备110;该方法可以包括如下几个步骤:
步骤301,接收配置设备发送的,服务端设备的令牌信息;令牌信息是配置设备从云端设备获取的。
在一种可能的实现方式中,该步骤301可以在服务端设备与配置设备建立连接(比如CASE连接)之后执行。
步骤302,根据令牌信息与云端设备之间建立基于证书认证的安全会话建立CASE连接。
综上所述,本申请实施例所示的方案,配置设备和服务端设备建立连接之后,配置设备可以向云端设备申请该服务端设备对应的令牌信息,然后将令牌信息发送给服务端设备,这样服务端设备可以与云端设备之间建立CASE连接,后续服务端设备可以通过与云端设备之间的CASE连接,接收云端设备或者与云端设备相连的其它用户设备的远程管理和控制,从而极大的扩展了对服务端设备进行管理和控制的场景,提高了服务端设备的管理和控制的便捷性。
此外,由于CASE连接在TCP/UDP协议的基础上实现了更高的安全性,因此,本申请涉及的方案能够提供服务端设备与云端设备之间的连接的安全性,继而提高服务端设备接受云端设备的管理或控制的安全性。
请参考图4,其示出了本申请一个实施例提供的用于连接建立的方法的流程图,该方法可以由云端设备执行,比如,该云端设备可以是图1所示的网络架构的云端服务器140;该方法可以包括如下几个步骤:
步骤401,向配置设备发送服务端设备的令牌信息;以便配置设备将令牌信息发送给服务端设备。
在一种可能的实现方式中,该步骤401可以在服务端设备与配置设备建立连接(比如CASE连接)之后执行。
步骤402,根据令牌信息与服务端设备之间建立基于证书认证的安全会话建立CASE连接。
综上所述,本申请实施例所示的方案,配置设备和服务端设备建立连接之后,配置设备可以向云端设备申请该服务端设备对应的令牌信息,然后将令牌信息发送给服务端设备,这样服务端设备可以与云端设备之间建立CASE连接,后续服务端设备可以通过与云端设备之间的CASE连接,接收云端设备或者与云端设备相连的其它用户设备的远程管理和控制,从而极大的扩展了对服务端设备进行管理和控制的场景,提高了服务端设备的管理和控制的便捷性。
此外,由于CASE连接在TCP/UDP协议的基础上实现了更高的安全性,因此,本申请涉及的方案能够提供服务端设备与云端设备之间的连接的安全性,继而提高服务端设备接受云端设备的管理或控制的安全性。
在一种可能的实现方式中,配置设备向服务端设备发送了令牌信息之后,服务端设备可以与云端设备之间直接建立安全连接。
请参考图5,其示出了本申请一个实施例提供的用于连接建立的方法的流程图,该方法可以由配置设备、服务端设备以及云端设备之间交互执行;该方法可以包括如下几个步骤:
步骤501,配置设备与服务端设备建立连接。
在本申请实施例中,配置设备与服务端设备之间可以建立安全连接,比如,建立CASE连接。
其中,配置设备与服务端设备之间建立安全连接的步骤可以包括以下步骤。
步骤A:扫码配对。
步骤A1,服务端设备(device)提供二维码,配置设备(commissioner)通过扫描设备二维码获取设备的个人识别码(Personal Identification Number code,PIN code)、Rendezvous模式等信息给配置设备。
步骤A2,配置设备根据设备提供的Rendezvous模式,与服务端设备建立对应模式的连接。
步骤A3,配置设备与服务端设备建立连接后,服务端设备进入等待配对状态;配置设备发送基于密 钥的派生方法(Password-Based Key Derivation Function,PBKDF)参数请求,服务端设备收到该请求后处理并返回PBKDF响应;配置设备收到PBKDF响应后发送spake2+的pake1消息给服务端设备;服务端设备收到pake1消息后处理,并发送spake2+的pake2消息给配置设备;配置设备收到pake2消息后处理,并发送spake2+的pake3消息给服务端设备,建立基于密钥认证的安全会话建立(Password Authenticated Session Establishment,PASE)会话;服务端设备收到pake3消息处理并建立PASE会话。
步骤B:配网和域名系统(Domain Name System,DNS)服务发现(DNS Service Discovery,DNS-SD)。
步骤B1,配置设备与服务端设备建立基于密钥认证的安全会话建立PASE连接后,配置设备开始对服务端设备进行设备认证。
首先配置设备向服务端设备发送获取设备认证证书链请求,服务端设备收到请求后返回对应的证书链;然后配置设备创建随机数nonce,向服务端设备发送设备认证请求,携带随机数nonce,服务端设备收到设备认证请求后,创建认证数据的标签-长度-值(Tag-Length-Value,TLV)结构,并将数据返回给配置设备;最后配置设备根据设备返回的数据进行设备认证。
步骤B2,服务端设备认证成功后,配置设备向服务端设备发送根证书(Root Certificate Authority,Root CA),其中,配置设备的Root CA由其生态颁发;服务端设备收到根证书后,发送根证书接收成功确认消息给配置设备;然后配置设备创建互操作证书签名请求(Operational Certificate Signing Request,OpCSR)请求的nonce,并向服务端设备发送获取OpCSR请求,携带nonce数据,服务端设备收到请求后生成对应的互操作密钥对,并创建OpCSR对应数据的TLV结构,再将该数据发送给配置设备;然后配置设备根据接收到的数据进行OpCSR认证;最后配置设备对OpCSR认证通过后为服务端设备生成互操作证书,并将证书发送给服务端设备,服务端设备收到证书后返回确认消息给配置设备。
步骤B3,服务端设备认证通过后,配置设备开始为服务端设备进行配网操作,向服务端设备发送入网凭证信息,包含服务集标识(Service Set Identifier,SSID)和密码(Password,PWD),服务端设备收到入网凭证自动联网;服务端设备联网成功后,配置设备与服务端设备退出PASE会话;服务端设备通过DNS-SD方式发布自己的域名信息,配置设备通过DNS-SD方式发现服务端设备,并与服务端设备建立基于IP的连接。
步骤C:建立CASE会话。
配置设备与服务端设备建立基于IP的连接后,服务端设备等待CASE会话建立,配置设备向服务端设备发送SigmaR1消息,服务端设备收到SigmaR1消息后处理该消息,并向配置设备发送SigmaR2消息;配置设备接收到SigmaR2消息后处理,并向服务端设备发送SigmaR3消息,然后建立CASE会话;服务端设备收到SigmaR3消息后处理,然后建立CASE会话。
步骤502,配置设备从云端设备获取服务端设备的令牌信息,相应的,云端设备向配置设备发送该服务端设备的令牌信息。
在一种可能的实现方式中,配置设备与服务端设备建立连接后,或者,在配置设备与服务端设备建立连接过程中,配置设备从云端设备获取服务端设备的令牌信息时,可以向云端设备发送令牌获取请求,令牌获取请求中包括第一验证信息;相应的,云端设备接收配置设备发送的该令牌获取请求;之后,云端设备根据第一验证信息进行验证;在根据第一验证信息验证通过后,向配置设备发送令牌信息,相应的,配置设备获取云端设备对第一验证信息验证通过后发送的令牌信息。
在本申请实施例中,为了提高令牌发放的安全性,以及后续云端设备与服务端设备之间的连接建立的安全性,配置设备发送给云端设备的令牌获取请求中可以包括第一验证信息,云端设备可以通过第一验证信息对令牌获取请求进行验证,当验证通过时,云端设备可以为服务端设备生成令牌信息,并将生成的令牌信息发送给配置设备。
在一种可能的实现方式中,第一验证信息中包括配置设备的用户信息以及服务端设备的结构标识ID(Fabric Identity,Fabric ID)的中的至少一种。
在一种可能的实现方式中,结构ID是基于云端设备的根证书为服务端设备生成的。相应的,该结构ID用于由云端设备获取验证结果,该验证结果用于指示结构ID是否是根据云端设备的根证书生成的。
云端设备根据第一验证信息进行验证的过程可以包括:
当第一验证信息中包括配置设备的用户信息时,验证用户信息是否合法;
当第一验证信息中包括服务端设备的结构ID时,验证结构ID是否与云端设备的根证书匹配。
在一种可能的实现方式中,当第一验证信息中包括服务端设备的结构ID时,云端设备可以基于结构ID获取验证结果,验证结果用于指示结构ID是否是根据根证书生成的。
其中,上述配置设备中登陆的用户账号对应的用户,可以预先向云端设备进行注册和绑定,在此过程中,云端设备中可以存储对应的用户信息。此外,云端设备也可以向登陆该用户账号的配置设备下发自己的根证书,配置设备可以生成与云端设备的根证书相对应的结构ID,其中,服务端设备的结构ID与云端 设备的根证书之间具有对应关系。
比如,配置设备可以根据云端设备的根证书,为服务端设备生成结构ID。该结构ID与云端设备的根证书中的chip-fabric-id相匹配。在发送令牌获取请求时,配置设备可以将用户信息以及结构ID中的至少一项作为第一验证信息,携带在令牌获取请求中进行发送。
比如,以第一验证信息包括用户信息以及结构ID时,云端设备可以首先对用户信息进行验证,以验证该用户信息是否是在云端注册的合法信息,在对用户信息验证通过之后,云端设备再对结构ID进行验证,以验证该结构ID是否与云端设备的根证书匹配,比如,将结构ID与云端设备的根证书进行比对,以获取验证结果,该验证结果用于指示结构ID是否是根据上述根证书生成的;若是,则确定对第一验证信息验证通过,否则,确定验证不通过。
在一种可能的实现方式中,配置设备可以在服务端设备完成配置之后,从云端设备获取服务端设备的令牌信息。
在另一种可能的实现方式中,在服务端设备与配置设备之间建立基于密钥认证的安全会话建立PASE连接、服务端设备认证成功、且互操作证书签名请求OpCSR操作成功之后,且在服务端设备完成配网之前,配置设备从云端设备获取服务端设备的令牌信息。
也就是说,在本申请实施例中,当服务端设备与配置设备建立连接的过程中,在服务端设备完成配网之前,只要服务端设备与配置设备之间的互操作证书签名请求OpCSR操作成功,配置设备即可以发起向云端设备请求服务端设备的令牌信息的过程,不需要等待服务端设备配网完成,后续服务端设备配网完成后,可以及时的与云端设备之间建立CASE连接,从而降低了服务端设备与云端设备之间建立CASE连接的时长,提高服务端设备与云端设备之间建立CASE连接的效率。
在一种可能的实现方式中,令牌信息中包括设备令牌。
其中,设备令牌用于在服务端设备向云端设备发起CASE连接建立的过程中,验证服务端设备与云端设备建立CASE连接的权限。
在一种可能的实现方式中,令牌信息中还包括刷新令牌以及云端设备的地址中的至少一种;
其中,刷新令牌用于对设备令牌进行刷新。
其中,为了提高CASE连接建立的安全性,服务端设备的设备令牌通常具有一定的时效性,为了避免设备令牌失效之后需要从云端设备重新获取设备令牌,在本申请实施例中,随设备令牌一起发放的还有刷新令牌,该刷新令牌用于对过期的设备令牌进行更新,从而减少了令牌发放的交互步骤,节约网络资源,提高令牌发放效率。
在一种可能的实现方式中,令牌获取请求中还包括服务端设备的设备标识ID;该设备ID是云端设备生成设备令牌和/或刷新令牌时所依据的信息。
云端设备在根据第一验证信息验证通过后,向配置设备发送令牌信息的过程可以包括:
在根据第一验证信息验证通过后,根据设备ID生成服务端设备的设备令牌和/或刷新令牌;
向配置设备发送包含设备令牌和/或刷新令牌的令牌信息。
在本申请实施例中,云端设备根据第一验证信息,对令牌获取请求验证通过之后,云端设备可以根据设备ID,生成该服务端设备对应的令牌信息中的令牌信息和/或刷新令牌。
比如,在根据设备ID生成令牌信息时,云端设备可以将设备ID或者设备ID的衍生信息(比如设备ID的哈希值)添加至设备令牌和/或刷新令牌中。
在根据设备ID生成令牌信息时,云端设备也可以将设备ID与生成的令牌信息对应存储。
在一种可能的实现方式中,云端设备使用设备ID(Node ID),可选的,还结合结构ID(Fabric ID)、超时时间、Nonce(随机数)连接的数据,使用加密签名算法生成长度为8或者16的Octet String,作为上述设备令牌(token);后续云端设备可以根据签名算法对服务端设备发来的token进行校验,并可确认token是否为云端下发给对应服务端设备的token。
刷新令牌(Refresh token)是云端设备为对应Node ID生成的;若token超时,服务端设备可以使用refresh token请求新token。
步骤503,配置设备向服务端设备发送令牌信息,服务端设备接收该令牌信息。
在本申请实施例中,配置设备获取到云端设备发放的令牌信息之后,即可以将该令牌信息发送给服务端设备。
在一种可能的实现方式中,配置设备向服务端设备发送令牌信息的过程可以包括:
向服务端设备发送包括令牌信息的写操作消息,写操作消息用于指示服务端设备将令牌信息写入服务端设备中的模型信息簇;其中,该模型信息簇用于存储与云端操作相关的信息。也就是说,该模型信息簇用于配置和存储与云端进行互操作的数据。
在一种可能的实现方式中,该写操作消息用于指示服务端设备将令牌信息写入模型信息簇中的属性信 息。
相应的,服务端设备接收配置设备发送的,服务端设备的令牌信息的过程可以包括:
接收配置设备发送的包括令牌信息的写操作消息;
根据写操作消息,将令牌信息写入服务端设备中的模型信息簇。
在本申请实施例中,服务端设备中可以设置系统模型或者设备管理模型的cluster(簇),该cluster可以用于保存云端设备发放的令牌信息。配置设备从云端设备获取到服务端设备的令牌信息之后,即可以指示服务端设备将令牌信息写入服务端设备中的cluster。
相应的,服务端设备将令牌信息写入服务端设备中的cluster。
其中,上述服务端设备中的模型信息簇包含令牌信息中的各项信息分别对应的属性,服务端设备将令牌信息中的各项信息分别写入对应的属性。
在一种可能的实现方式中,上述cluster中可以保存有云地址属性、token(令牌)属性以及refresh token属性等关键属性。相应的,服务端设备将令牌信息中的设备令牌写入token属性,将令牌信息中的刷新令牌写入refresh token属性,并将令牌信息中的云端设备的地址写入云地址属性。
其中,上述各项属性包括各自的属性名称、属性类型和属性值等信息,其中,属性值中包括对应的属性内容,比如,云地址属性的属性值为云端设备的地址;token属性的属性值为设备令牌,refresh token属性的属性值为刷新令牌。
例如,云端设备中的模型信息簇(Cluster)至少存在三个关键属性(Attribute)信息。其中云地址属性的Attribute类型为String(字符串类型),描述为Cloud URL,属性值为云端设备的地址或域名的属性;token属性的Attribute类型为Octet String,描述为Cloud token,属性值为云端设备发送的设备令牌(token);refresh token属性的Attribute类型为Octet String,描述为Cloud refresh token,属性值为云端设备发送的刷新令牌。
步骤504,服务端设备根据令牌信息与云端设备之间建立基于证书认证的安全会话建立CASE连接。
在本申请实施例中,服务端设备获取到令牌信息之后,即可以根据令牌信息向云端设备发起连接建立过程。
在一种可能的实现方式中,服务端设备与云端设备之间根据令牌信息建立基于证书认证的安全会话建立CASE连接的过程可以如下:
步骤504a,服务端设备向云端设备发送第一连接建立请求,云端设备接收服务端设备发送的第一连接建立请求;其中,第一连接建立请求中包括第一连接建立消息SigmaR1,以及服务端设备的设备令牌。
其中,上述设备令牌用于云端设备对服务端设备发送的连接建立请求进行验证。
在本申请实施例中,服务端设备在完成配网之后,可以向云端设备发送包括SigmaR1以及设备令牌的第一连接建立请求。
其中,服务端设备向与云端设备发送第一连接建立请求之后,服务端设备可以根据云端设备的地址,与云端设备之间建立传输控制协议TCP连接或者UDP连接。相应的,服务端设备和云端设备之间可以通过该TCP/UDP连接,传输该第一连接建立请求。
其中,在本申请实施例中,当服务端设备和云端设备之间采用UDP连接时,可以采用通过IP连接家庭工作组的可靠消息协议(Connected Home over IP Working Group Reliable Message Protocol,CRMP)来保证数据传输的可靠性。
步骤504b,云端设备通过设备令牌对SigmaR1验证通过后,根据SigmaR1向服务端设备返回第二连接建立消息SigmaR2,相应的,服务端设备接收云端设备根据SigmaR1返回的第二连接建立消息SigmaR2。
在本申请实施例中,云端设备可以对第一连接建立请求中的设备令牌进行验证,以验证该设备令牌是否是云端设备为服务端设备生成的令牌,若是,则对SigmaR1验证通过,否则,确定对SigmaR1验证不通过,可选的,云端设备此时可以向服务端设备返回连接建立失败的响应。
在一种可能的实现方式中,在验证过程中,云端设备可以检验第一连接建立请求中携带的设备令牌是否满足云端发放的设备令牌的格式/规则,若是,则可以确认该设备令牌是云端设备发放的合法的设备令牌。
在另一种可能的实现方式中,上述第一连接建立请求中还可以携带服务端设备的设备信息,比如服务端设备的设备ID以及结构ID,云端设备可以根据设备信息查询发放给该服务端设备的设备令牌,并将其与第一连接建立请求中携带的设备令牌进行比对,若两者匹配,则确定对SigmaR1验证通过,否则验证不通过。
云端设备在对SigmaR1验证通过后,可以对对SigmaR1进行处理,并生成SigmaR2,并将SigmaR2通过TCP/UDP连接返回给服务端设备。
步骤504c,服务端设备向云端设备发送第二连接建立请求,相应的,云端设备接收服务端设备根据SigmaR2发送的第二连接建立请求;其中,该第二连接建立请求中包括第三连接建立消息SigmaR3,以及 服务端设备的设备令牌。
在本申请实施例中,服务端设备接收到云端设备返回的SigmaR2之后,对SigmaR2进行处理,生成SigmaR3,并向云端设备发送包括SigmaR3以及设备令牌的第二连接建立请求。
步骤504d,服务端设备建立与云端设备之间的CASE连接;相应的,云端设备通过设备令牌对SigmaR3验证通过后,建立与服务端设备之间的CASE连接。
其中,服务端设备在发送包括SigmaR3以及设备令牌的第二连接建立请求后,即可以在服务端设备侧建立与云端设备之间的CASE连接,比如,在服务端设备侧生成与云端设备之间的CASE连接的相关信息(例如上下文信息)。
而云端设备接收到第二连接建立请求之后,通过第二连接建立请求中携带的设备令牌,对SigmaR3进行验证,并在验证通过之后,相应的在云端设备侧建立与服务端设备之间的CASE连接。
在一种可能的实现方式中,服务端设备与云端设备之间建立CASE连接之后,服务端设备向云端设备发送资源上报请求,相应的,云端设备接收服务端设备通过CASE连接发送的资源上报请求;其中,资源上报请求中包括服务端设备的资源信息以及设备令牌。
云端设备可以对设备令牌进行验证,并在通过设备令牌对资源信息验证通过后,根据服务端设备上报的资源信息,在云端建立服务端设备的数字镜像。后续云端设备或者其它远程设备可以通过该数字镜像,对服务端设备进行管理和控制。
比如,请参考图6,其示出了本申请实施例涉及的CASE连接建立时序图。如图6所示,服务端设备与云端设备之间建立CASE连接的过程可以如下:
S61,设备(对应上述服务端设备)上具有一系统模型或设备管理模型的cluster(簇),用于配置和存储与云端(比如上述云端设备)进行互操作的数据(本申请实施例中可以称为cloud cluster),该cluster至少存在云地址属性、token属性、refresh token等属性信息。
S62,当设备与配置器(对应上述配置设备)建立CASE会话连接后,配置器根据注册的用户信息和设备的Node ID(对应上述设备ID)、Fabric ID(对应上述结构ID)等设备信息,向云端获取token(对应上述设备令牌)和refresh token(对应上述刷新令牌)等令牌信息。即,配置器向云端发送获取令牌信息的请求。
S63,云端根据配置器发来的用户信息判断用户身份的合法性。
S64,云端验证Fabric ID与Root CA是否匹配。
比如,云端根据配置器发来的Fabric ID信息(由配置器为设备生成)同云上根证书(Root Certificate Authority,Root CA)进行对比,确认该Fabric ID是由云端的Root CA所生成。
S65,云端根据发来的Node ID信息为设备生成token、refresh token等令牌信息。
S66,云端将token、refresh token等数据(令牌信息)返回给配置器。
S67,配置器向设备发送写cloud cluster的云地址属性、token属性、refresh token等属性信息的操作指令。
S68,设备收到写cloud cluster操作指令后,写入相关属性,并返回写操作状态给配置器。
S69,设备通过云地址信息与云端建立基于TCP/UDP的连接;云端等待通过对应token建立CASE连接的请求。
S610,设备向云端发送SigmaR1请求,携带token。
S611,云收到消息后校验token通过后,处理SigmaR1消息,准备SigmaR2消息。
S612,云端向设备发送SigmaR2消息。
S613,设备处理来自云端的SigmaR2消息,并准备SigmaR3消息。
S614,设备向云端发送SigmaR3消息,携带token。
S615,设备建立CASE会话连接。
S616,云端收到消息后校验token,处理SigmaR3消息,然后建立CASE会话连接。
S617,设备和云端成功建立CASE会话流程后,主动上报其资源信息给云,携带token数据。
S618,云端校验token,在云端生成设备的数字孪生镜像。
其中,上述步骤S601至步骤S608中的一项或多项步骤可以在设备与配置器间建立PASE连接后、设备认证成功,且OpCSR操作成功之后,且在设备联网之前完成;或者,上述步骤S601至步骤S608中的一项或多项步骤也可以在设备联网之后完成。
综上所述,在本申请实施例中,配置设备和服务端设备建立连接之后,配置设备可以向云端设备申请该服务端设备对应的令牌信息,然后将令牌信息发送给服务端设备,这样服务端设备可以与云端设备之间建立CASE连接,后续服务端设备可以通过与云端设备之间的CASE连接,接收云端设备或者与云端设备相连的其它用户设备的远程管理和控制,从而极大的扩展了对服务端设备进行管理和控制的场景,提高了 服务端设备的管理和控制的便捷性。
此外,由于CASE连接在TCP/UDP协议的基础上实现了更高的安全性,因此,本申请涉及的方案能够提供服务端设备与云端设备之间的连接的安全性,继而提高服务端设备接受云端设备的管理或控制的安全性。
另外,本申请实施例所示的方案中,由配置设备向云端设备获取服务端设备的令牌信息,并将令牌信息发送给服务端设备,后续由服务端设备与云端设备之间直接根据令牌信息建立CASE连接,提高了CASE连接建立的效率。
在一种可能的实现方式中,配置设备向服务端设备发送了令牌信息之后,服务端设备可以通过配置设备与云端设备之间直接建立安全连接。
请参考图7,其示出了本申请一个实施例提供的用于连接建立的方法的流程图,该方法可以由配置设备、服务端设备以及云端设备之间交互执行;该方法可以包括如下几个步骤:
步骤701,配置设备与服务端设备建立连接。
步骤702,配置设备从云端设备获取服务端设备的令牌信息,相应的,云端设备向配置设备发送该服务端设备的令牌信息。
步骤703,配置设备向服务端设备发送令牌信息,服务端设备接收该令牌信息。
其中,上述步骤701至步骤703的执行过程可以参考上述图5所示实施例中的步骤501至步骤503对应的描述,此处不再赘述。
在一种可能的实现方式中,配置设备可以在服务端设备完成配置之后,从云端设备获取服务端设备的令牌信息。
在另一种可能的实现方式中,在服务端设备与配置设备之间建立基于密钥认证的安全会话建立PASE连接、服务端设备认证成功、且互操作证书签名请求OpCSR操作成功之后,且在服务端设备完成配网之前,从云端设备获取服务端设备的令牌信息。
步骤704,配置设备在服务端设备和云端设备之间转发CASE连接建立消息,以便服务端设备根据令牌信息与云端设备之间建立基于证书认证的安全会话建立CASE连接。
在本申请实施例中,服务端设备和云端设备之间建立CASE连接的消息,可以通过配置设备进行转发和验证。
在一种可能的实现方式中,配置设备在服务端设备和云端设备之间转发CASE连接建立消息之前,配置设备可以向云端设备发送开始配对请求;开始配对请求中包括服务端设备的设备ID,相应的,云端设备接收配置设备发送的开始配对请求。之后,云端设备根据该开始配对请求,向配置设备发送开始配对响应,相应的,配置设备接收云端设备返回的开始配对响应;其中,该开始配对响应用于指示云端设备进入等待配对的状态。配置设备向服务端设备发送状态指示信息,相应的,服务端设备接收配置设备发送的状态指示信息;该状态指示信息用于指示云端设备进入等待配对的状态。服务端设备获知云端设备已经进入等待与其配对的状态之后,即可以发起与云端设备之间建立CASE连接的过程。
在一种可能的实现方式中,CASE连接建立消息包括第一连接建立消息SigmaR1、第二连接建立消息SigmaR2以及第三连接建立消息SigmaR3;配置设备在服务端设备和云端设备之间转发CASE连接建立消息在服务端设备和云端设备之间转发CASE连接建立消息的过程可以包括:
步骤704a,服务端设备向配置设备发送第一连接建立请求,配置设备接收服务端设备发送的该第一连接建立请求,第一连接建立请求中包括第一连接建立消息SigmaR1,以及服务端设备的设备令牌。
其中,上述第一连接建立请求用于指示配置设备根据设备令牌向云端设备发送SigmaR1。
在本申请实施例中,服务端设备发起与云端设备之间的CASE连接建立时,可以将第一连接建立请求发送给配置设备。
步骤704b,配置设备根据设备令牌,向云端设备发送SigmaR1;云端设备接收配置设备根据设备令牌发送的SigmaR1。
在本申请实施例中,配置设备可以根据第一连接建立请求中是否携带设备令牌,来确定该第一连接建立请求是否为发送给云端设备的请求,比如,若第一连接建立请求中携带有设备令牌,则确定该第一连接建立请求是发送给云端设备的请求,此时,配置设备可以将SigmaR1发送给云端设备,可选的,配置设备也可以将SigmaR1以及设备令牌一起发送给云端设备。
可选的,若配置设备接收到的连接建立请求中未携带设备令牌,则确定该连接建立请求是与配置设备之间CASE连接的请求,此时,配置设备可以在本地对SigmaR1进行处理。
在本申请实施例中,配置设备还可以根据设备令牌对第一连接建立请求进行验证,比如,验证该设备令牌是否是云端设备为服务端设备发放的设备令牌,若是,则验证通过,向云端设备发送SigmaR1;否则 验证不通过,此时,配置设备可以向服务端设备返回请求失败的响应。
步骤704c,云端设备根据SigmaR1向配置设备返回第二连接建立消息SigmaR2,相应的,配置设备接收云端设备根据SigmaR1返回的SigmaR2。
步骤704d,配置设备将SigmaR2发送给服务端设备;相应的,服务端设备接收配置设备发送的SigmaR2。
云端设备接收到配置设备转发的SigmaR1之后,即可以对SigmaR1进行处理,生成SigmaR2,并将SigmaR2返回给配置设备,由配置设备转发给服务端设备。
步骤704e,服务端设备根据SigmaR2向配置设备发送第二连接建立请求,相应的,配置设备接收服务端设备根据SigmaR2发送的第二连接建立请求;其中,该第二连接建立请求中包括第三连接建立消息SigmaR3,以及服务端设备的设备令牌。
其中,上述第二连接建立请求用于指示配置设备根据设备令牌向云端设备发送SigmaR3。
与第一连接建立请求的传递方式类似,在本申请实施例中,服务端设备根据SigmaR2生成SigmaR3之后,可以将包括SigmaR3和设备令牌的第二连接建立请求发送给配置设备。其中,该SigmaR3用于指示云端设备建立与服务端设备之间的CASE连接。
步骤704f,服务端设备建立与云端设备之间的CASE连接。
服务端设备在发送第二连接建立请求之后,即可以在服务端设备侧建立与云端设备之间的CASE连接。
步骤704g,配置设备根据设备令牌,向云端设备发送SigmaR3;相应的,云端设备配置设备根据设备令牌发送的SigmaR3。
在一种可能的实现方式中,配置设备根据设备令牌对第二连接建立请求验证通过后,将SigmaR3发送给云端设备。
步骤704h,云端设备建立与服务端设备之间的CASE连接。
在本申请实施例中,云端设备接收到SigmaR3之后,即可以根据SigmaR3,在云端建立与服务端设备之间的CASE连接。
在一种可能的实现方式中,在服务端设备与配置设备之间建立基于密钥认证的安全会话建立PASE连接、服务端设备认证成功、且互操作证书签名请求OpCSR操作成功之后,且在服务端设备完成配网之前,配置设备在所述服务端设备和所述云端设备之间转发CASE连接建立消息,相应的,在服务端设备与配置设备之间建立基于密钥认证的安全会话建立PASE连接、服务端设备认证成功、且互操作证书签名请求OpCSR操作成功之后,且在服务端设备完成配网之前,服务端设备根据令牌信息与云端设备之间建立基于证书认证的安全会话建立CASE连接。
或者,在服务端设备完成配网之后,服务端设备根据令牌信息与云端设备之间建立基于证书认证的安全会话建立CASE连接。
在本申请实施例中,当服务端设备与配置设备建立连接的过程中,在服务端设备完成配网之前,只要服务端设备与配置设备之间的互操作证书签名请求OpCSR操作成功,配置设备即可以发起向云端设备请求配置设备的令牌信息,以及,在服务端设备和云端设备之间转发CASE连接建立消息的过程,不需要等待服务端设备配网完成;后续服务端设备配网完成后,服务端设备和云端设备之间可以直接通过已建立的CASE连接进行通信,从而降低了服务端设备与云端设备之间建立CASE连接的时长,提高服务端设备与云端设备之间建立CASE连接的效率。
在一种可能的实现方式中,服务端设备与云端设备之间建立CASE连接之后,服务端设备向云端设备发送资源上报请求,相应的,云端设备接收服务端设备通过CASE连接发送的资源上报请求;其中,资源上报请求中包括服务端设备的资源信息以及设备令牌。
云端设备可以对设备令牌进行验证,并在通过设备令牌对资源信息验证通过后,根据服务端设备上报的资源信息,在云端建立服务端设备的数字镜像。后续云端设备或者其它远程设备可以通过该数字镜像,对服务端设备进行管理和控制。
比如,请参考图8,其示出了本申请实施例涉及的CASE连接建立时序图。如图8所示,服务端设备与云端设备之间建立CASE连接的过程可以如下:
S81,设备(对应上述服务端设备)上具备一系统模型或设备管理模型的cluster,用于配置和存储与云端(比如上述云端设备)进行互操作的数据(本申请实施例中可以称为cloud cluster),该cluster至少存在云地址属性、token属性、refresh token等属性信息。
S82,当设备与配置器(对应上述配置设备)建立CASE会话连接后,配置器根据注册的用户信息和设备的Node ID(对应上述设备ID)、Fabric ID(对应上述结构ID)向云端获取token(对应上述设备令牌)和refresh token(对应上述刷新令牌)信息。
S83,云端根据配置器发来的用户信息判断用户身份的合法性。
S84,云端根据配置器发来的Fabric ID信息(由配置器为设备生成)同云上根证书(Root Certificate Authority,Root CA)进行对比,确认该Fabric ID是由云端的Root CA所生成。
S85,云端根据发来的Node ID信息为设备生成token、refresh token等数据信息。
S86,云端将token、refresh token等数据返回给配置器。
S87,配置器向设备发送写cloud cluster的云地址属性、token属性、refresh token等属性信息的操作指令。
S88,设备收到写cloud cluster操作指令后,写入相关属性,并返回写操作状态给配置器。
S89,配置器向云端发送开始配对请求,携带Node ID等数据信息。
S810,云端收到配置器发来的开始配对请求后,根据Node ID进入等待与设备建立基于证书的安全配对。
S811,云端将已进入等待配对状态返回给配置器。
S812,配置器将该状态返回给设备。
S813,设备向配置器发送与云端建立SigmaR1的请求,携带token。
S814,配置器收到该请求后,根据消息中对应的token信息向云端发送SigmaR1请求。
S815,云端处理SigmaR1信息,准备SigmaR2。
S816,云端向配置器返回对应的SigmaR2消息。
S817,配置器将SigmaR2消息发送给设备。
S818,设备收到SigmaR2消息处理,准备SigmaR3消息。
S819,设备向配置器发送SigmaR3消息,携带token数据。
S820,配置根据token向云端发送SigmaR3消息。
S821,设备建立CASE会话连接。
S822,云端收到SigmaR3消息后处理,并建立CASE会话连接。
S823,设备和云端成功建立CASE会话流程后,主动上报其资源信息给云端,携带token数据。
S824,云端校验token,在云端生成设备的数字孪生镜像。
其中,上述步骤S801至步骤S822中的一项或多项步骤可以在设备与配置器间建立PASE连接后、设备认证成功,且OpCSR操作成功之后,且在设备联网之前完成;或者,上述S801至步骤S822中的一项或多项步骤也可以在设备联网之后完成。
综上所述,在本申请实施例中,配置设备和服务端设备建立连接之后,配置设备可以向云端设备申请该服务端设备对应的令牌信息,然后将令牌信息发送给服务端设备,这样服务端设备可以与云端设备之间建立CASE连接,后续服务端设备可以通过与云端设备之间的CASE连接,接收云端设备或者与云端设备相连的其它用户设备的远程管理和控制,从而极大的扩展了对服务端设备进行管理和控制的场景,提高了服务端设备的管理和控制的便捷性。
此外,由于CASE连接在TCP/UDP协议的基础上实现了更高的安全性,因此,本申请涉及的方案能够提供服务端设备与云端设备之间的连接的安全性,继而提高服务端设备接受云端设备的管理或控制的安全性。
另外,本申请实施例所示的方案中,由配置设备向云端设备获取服务端设备的令牌信息,并将令牌信息发送给服务端设备,后续还是通过配置设备转发服务端设备与云端设备之间的CASE连接建立消息,由于配置设备与服务端设备之间已经建立了安全连接,因此,本方案可以提高服务端设备与云端设备之间的CASE连接建立消息传输的安全性。
下述为本申请装置实施例,可以用于执行本申请方法实施例。对于本申请装置实施例中未披露的细节,请参照本申请方法实施例。
请参考图9,其示出了本申请一个实施例提供的用于连接建立的装置的框图。该装置具有实现上述用于连接建立的方法示例的功能,所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该装置可以是上文介绍的配置设备,也可以设置配置设备中。如图9所示,该装置可以包括:
令牌获取模块901,用于从云端设备获取所述服务端设备的令牌信息;
令牌发送模块902,用于向所述服务端设备发送所述令牌信息,所述令牌信息用于所述服务端设备与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
在一种可能的实现方式中,令牌获取模块901,包括:
获取请求发送子模块,用于向所述云端设备发送令牌获取请求,所述令牌获取请求中包括第一验证信息;
令牌获取子模块,用于获取所述云端设备对所述第一验证信息验证通过后发送的所述令牌信息。
在一种可能的实现方式中,所述第一验证信息中包括所述配置设备的用户信息以及所述服务端设备的结构ID的中的至少一种。
在一种可能的实现方式中,所述装置还包括:
结构标识生成模块,用于为所述服务端设备生成与所述云端设备的根证书相对应的所述结构ID。
在一种可能的实现方式中,所述结构ID用于由所述云端设备获取验证结果,所述验证结果用于指示所述结构ID是否是根据所述的根证书生成的。
在一种可能的实现方式中,所述令牌获取请求中还包括所述服务端设备的设备ID。
在一种可能的实现方式中,所述令牌信息中包括设备令牌。
在一种可能的实现方式中,所述令牌信息中还包括刷新令牌以及所述云端设备的地址中的至少一种;
其中,所述刷新令牌用于对所述设备令牌进行刷新。
在一种可能的实现方式中,所述令牌获取请求中还包括所述服务端设备的设备ID;所述设备ID是所述云端设备生成设备令牌和/或刷新令牌时所依据的信息。
在一种可能的实现方式中,所述令牌发送模块902,用于向所述服务端设备发送包括所述令牌信息的写操作消息,所述写操作消息用于指示所述服务端设备将所述令牌信息写入所述服务端设备中的模型信息簇;所述模型信息簇用于存储与云端操作相关的信息。
在一种可能的实现方式中,所述写操作消息用于指示所述服务端设备将所述令牌信息写入所述模型信息簇中的属性信息。
在一种可能的实现方式中,所述装置还包括:
消息转发模块,用于在所述服务端设备和所述云端设备之间转发CASE连接建立消息。
在一种可能的实现方式中,所述CASE连接建立消息包括第一连接建立消息SigmaR1、第二连接建立消息SigmaR2以及第三连接建立消息SigmaR3;所述消息转发模块,用于,
接收所述服务端设备发送的第一连接建立请求,所述第一连接建立请求中包括第一连接建立消息SigmaR1,以及所述服务端设备的设备令牌;
根据所述设备令牌,向所述云端设备发送所述SigmaR1;
接收所述云端设备根据所述SigmaR1返回的第二连接建立消息SigmaR2;
将所述SigmaR2发送给所述服务端设备;
接收所述服务端设备根据所述SigmaR2发送的第二连接建立请求,所述第二连接建立请求中包括第三连接建立消息SigmaR3,以及所述服务端设备的设备令牌;
根据所述设备令牌,向所述云端设备发送所述SigmaR3。
在一种可能的实现方式中,所述装置还包括:
配对请求发送模块,用于消息转发模块在所述服务端设备和所述云端设备之间转发CASE连接建立消息之前,向所述云端设备发送开始配对请求;所述开始配对请求中包括所述服务端设备的设备ID;
配对响应接收模块,用于接收所述云端设备返回的开始配对响应,所述开始配对响应用于指示所述云端设备进入等待配对的状态;
状态指示模块,用于向服务端设备发送状态指示信息,所述状态指示信息用于指示所述云端设备进入等待配对的状态。
在一种可能的实现方式中,所述令牌获取模块901,用于在所述服务端设备与所述配置设备之间建立基于密钥认证的安全会话建立PASE连接、所述服务端设备认证成功、且互操作证书签名请求OpCSR操作成功之后,且在所述服务端设备完成配网之前,从云端设备获取所述服务端设备的令牌信息。
在一种可能的实现方式中,所述消息转发模块,用于在所述服务端设备与所述配置设备之间建立基于密钥认证的安全会话建立PASE连接、所述服务端设备认证成功、且互操作证书签名请求OpCSR操作成功之后,且在所述服务端设备完成配网之前,在所述服务端设备和所述云端设备之间转发CASE连接建立消息。
综上所述,在本申请实施例中,配置设备和服务端设备建立连接之后,配置设备可以向云端设备申请该服务端设备对应的令牌信息,然后将令牌信息发送给服务端设备,这样服务端设备可以与云端设备之间建立CASE连接,后续服务端设备可以通过与云端设备之间的CASE连接,接收云端设备或者与云端设备相连的其它用户设备的远程管理和控制,从而极大的扩展了对服务端设备进行管理和控制的场景,提高了服务端设备的管理和控制的便捷性。
此外,由于CASE连接在TCP/UDP协议的基础上实现了更高的安全性,因此,本申请涉及的方案能够提供服务端设备与云端设备之间的连接的安全性,继而提高服务端设备接受云端设备的管理或控制的安全性。
请参考图10,其示出了本申请一个实施例提供的用于连接建立的装置的框图。该装置具有实现上述用于连接建立的方法示例的功能,所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该装置可以是上文介绍的服务端设备,也可以设置在服务端设备中。如图10所示,该装置可以包括:
令牌接收模块1001,用于接收所述配置设备发送的,所述服务端设备的令牌信息;所述令牌信息所述配置设备从云端设备获取的;
连接建立模块1002,用于根据所述令牌信息与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
在一种可能的实现方式中,所述令牌信息中包括设备令牌。
在一种可能的实现方式中,所述令牌信息中还包括刷新令牌以及所述云端设备的地址中的至少一种;
其中,所述刷新令牌用于对所述设备令牌进行刷新。
在一种可能的实现方式中,所述服务端设备中存在模型信息簇;所述模型信息簇用于存储与云端操作相关的信息;所述令牌接收模块1001,用于接收所述配置设备发送的包括所述令牌信息的写操作消息;根据所述写操作消息,将所述令牌信息写入所述服务端设备中的模型信息簇。
在一种可能的实现方式中,所述根据所述写操作消息,将所述令牌信息写入所述模型信息簇,包括:
根据所述写操作消息,将所述令牌信息写入所述模型信息簇中的属性信息。
在一种可能的实现方式中,所述连接建立模块1002,用于,
向所述云端设备发送第一连接建立请求,所述第一连接建立请求中包括第一连接建立消息SigmaR1,以及所述服务端设备的设备令牌;所述设备令牌用于所述云端设备对所述配置设备发送的连接建立请求进行验证;
接收所述云端设备根据所述SigmaR1返回的第二连接建立消息SigmaR2;
向所述云端设备发送第二连接建立请求,所述第二连接建立请求中包括第三连接建立消息SigmaR3,以及所述服务端设备的设备令牌;
建立与所述云端设备之间的所述CASE连接。
在一种可能的实现方式中,所述连接建立模块1002,还用于在向所述云端设备发送第一连接建立请求之前,根据所述云端设备的地址,与所述云端设备之间建立传输控制协议TCP连接或UDP连接。
在一种可能的实现方式中,所述连接建立模块1002,用于,
向所述配置设备发送第一连接建立请求;所述第一连接建立请求中包括第一连接建立消息SigmaR1,以及所述服务端设备的设备令牌;所述第一连接建立请求用于指示所述配置设备根据所述设备令牌向所述云端设备发送所述SigmaR1;
接收所述配置设备发送的所述第二连接建立消息SigmaR2;所述SigmaR2由所述云端设备根据所述SigmaR1返回给所述配置设备;
根据所述SigmaR2向所述配置设备发送第二连接建立请求;所述第二连接建立请求中包括第三连接建立消息SigmaR3,以及所述服务端设备的设备令牌;所述第二连接建立请求用于指示所述配置设备根据所述设备令牌向所述云端设备发送所述SigmaR3;所述SigmaR3用于指示所述云端设备建立与所述服务端设备之间的所述CASE连接;
建立与所述云端设备之间的所述CASE连接。
在一种可能的实现方式中,所述连接建立模块1002,还用于在向所述配置设备发送第一连接建立请求之前,接收所述配置设备发送的状态指示信息,所述状态指示信息用于指示所述云端设备进入等待配对的状态。
在一种可能的实现方式中,所述连接建立模块1002,用于在所述服务端设备与所述配置设备之间建立基于密钥认证的安全会话建立PASE连接、所述服务端设备认证成功、且互操作证书签名请求OpCSR操作成功之后,且在所述服务端设备完成配网之前,根据所述令牌信息与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
在一种可能的实现方式中,所述装置还包括:
上报模块,用于向所述云端设备发送资源上报请求,所述资源上报请求中包括所述服务端设备的资源信息以及所述设备令牌。
综上所述,在本申请实施例中,配置设备和服务端设备建立连接之后,配置设备可以向云端设备申请该服务端设备对应的令牌信息,然后将令牌信息发送给服务端设备,这样服务端设备可以与云端设备之间建立CASE连接,后续服务端设备可以通过与云端设备之间的CASE连接,接收云端设备或者与云端设备相连的其它用户设备的远程管理和控制,从而极大的扩展了对服务端设备进行管理和控制的场景,提高了服务端设备的管理和控制的便捷性。
此外,由于CASE连接在TCP/UDP协议的基础上实现了更高的安全性,因此,本申请涉及的方案能 够提供服务端设备与云端设备之间的连接的安全性,继而提高服务端设备接受云端设备的管理或控制的安全性。
请参考图11,其示出了本申请一个实施例提供的用于连接建立的装置的框图。该装置具有实现上述用于连接建立的方法示例的功能,所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该装置可以是上文介绍的服务端设备,也可以设置在服务端设备中。如图11所示,该装置可以包括:
令牌发送模块1101,用于向所述配置设备发送所述服务端设备的令牌信息;所述令牌信息由所述配置设备发送给所述服务端设备;
连接建立模块1102,用于根据所述令牌信息与所述服务端设备之间建立基于证书认证的安全会话建立CASE连接。
在一种可能的实现方式中,所述令牌发送模块1101,包括:
获取请求接收子模块,用于接收所述配置设备发送的令牌获取请求,所述令牌获取请求中包括第一验证信息;
验证子模块,用于根据所述第一验证信息进行验证;
令牌发送子模块,用于在根据所述第一验证信息验证通过后,向所述配置设备发送所述令牌信息。
在一种可能的实现方式中,所述第一验证信息中包括所述配置设备的用户信息以及所述服务端设备的结构ID的中的至少一种;其中,所述结构ID是基于所述云端设备的根证书为所述服务端设备生成的;
所述验证子模块,用于,
当所述第一验证信息中包括所述配置设备的用户信息时,验证所述用户信息是否合法;
当所述第一验证信息中包括所述服务端设备的结构ID时,验证所述结构ID是否与所述云端设备的根证书匹配。
在一种可能的实现方式中,所述验证子模块,用于当所述第一验证信息中包括所述服务端设备的结构ID时,基于所述结构ID获取验证结果,所述验证结果用于指示所述结构ID是否是根据所述根证书生成的。
在一种可能的实现方式中,所述令牌信息中包括设备令牌。
在一种可能的实现方式中,所述令牌信息中还包括刷新令牌以及所述云端设备的地址中的至少一种;
其中,所述刷新令牌用于对所述设备令牌进行刷新。
在一种可能的实现方式中,所述令牌获取请求中还包括所述服务端设备的设备ID;所述装置还包括:
令牌生成模块,用于在根据所述第一验证信息验证通过后,根据所述设备ID生成设备令牌和/或刷新令牌。
在一种可能的实现方式中,所述根连接建立模块1102,用于,
接收所述服务端设备发送的第一连接建立请求,所述第一连接建立请求中包括第一连接建立消息SigmaR1,以及所述服务端设备的设备令牌;
通过所述设备令牌对所述SigmaR1验证通过后,根据所述SigmaR1向所述服务端设备返回第二连接建立消息SigmaR2;
接收所述服务端设备根据所述SigmaR2发送的第二连接建立请求,所述第二连接建立请求中包括第三连接建立消息SigmaR3,以及所述服务端设备的设备令牌;
通过所述设备令牌对所述SigmaR3验证通过后,建立与所述服务端设备之间的所述CASE连接。
在一种可能的实现方式中,所述连接建立模块1102,还用于在接收所述服务端设备发送的第一连接建立请求之前,与所述服务端设备之间建立传输控制协议TCP连接或者UDP连接。
在一种可能的实现方式中,所述连接建立模块1102,用于,
接收所述配置设备根据所述设备令牌发送的第一连接建立消息SigmaR1;所述SigmaR1和所述设备令牌携带在所述服务端设备发送给所述配置设备的第一连接建立请求中;
根据所述SigmaR1向所述配置设备返回第二连接建立消息SigmaR2,以便所述配置设备将所述SigmaR2发送给所述服务端设备;
接收所述配置设备根据所述设备令牌发送的第三连接建立消息SigmaR3;所述SigmaR3和所述设备令牌携带在所述服务端设备根据所述配置设备转发的所述SigmaR2发送给所述配置设备的第二连接建立请求中;
建立与所述服务端设备之间的所述CASE连接。
在一种可能的实现方式中,所述连接建立模块1102,还用于在接收所述配置设备根据所述设备令牌发送的第一连接建立消息SigmaR1之前,
接收所述配置设备发送的开始配对请求;所述开始配对请求中包括所述服务端设备的设备ID;
向所述配置设备发送开始配对响应,所述开始配对响应用于指示所述云端设备进入等待配对的状态。
在一种可能的实现方式中,所述装置还包括:
上报请求接收模块,用于接收所述服务端设备通过CASE连接发送的资源上报请求,所述资源上报请求中包括所述服务端设备的资源信息以及所述设备令牌;
镜像建立模块,用于在通过所述设备令牌对所述资源信息验证通过后,根据所述资源信息,在云端建立所述服务端设备的数字镜像。
综上所述,在本申请实施例中,配置设备和服务端设备建立连接之后,配置设备可以向云端设备申请该服务端设备对应的令牌信息,然后将令牌信息发送给服务端设备,这样服务端设备可以与云端设备之间建立CASE连接,后续服务端设备可以通过与云端设备之间的CASE连接,接收云端设备或者与云端设备相连的其它用户设备的远程管理和控制,从而极大的扩展了对服务端设备进行管理和控制的场景,提高了服务端设备的管理和控制的便捷性。
此外,由于CASE连接在TCP/UDP协议的基础上实现了更高的安全性,因此,本申请涉及的方案能够提供服务端设备与云端设备之间的连接的安全性,继而提高服务端设备接受云端设备的管理或控制的安全性。
需要说明的一点是,上述实施例提供的装置在实现其功能时,仅以上述各个功能模块的划分进行举例说明,实际应用中,可以根据实际需要而将上述功能分配由不同的功能模块完成,即将设备的内容结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。
关于上述实施例中的装置,其中各个模块执行操作的具体方式已经在有关该方法的实施例中进行了详细描述,此处将不做详细阐述说明。
请参考图12,其示出了本申请一个实施例提供的物联网设备1200的结构示意图。该物联网设备1200可以包括:处理器1201、接收器1202、发射器1203、存储器1204和总线1205。
处理器1201包括一个或者一个以上处理核心,处理器1201通过运行软件程序以及模块,从而执行各种功能应用以及信息处理。
接收器1202和发射器1203可以实现为一个通信组件,该通信组件可以是一块通信芯片。该通信芯片也可以称为收发器。
存储器1204通过总线1205与处理器1201相连。
存储器1204可用于存储计算机程序,处理器1201用于执行该计算机程序,以实现上述方法实施例中的终端执行的各个步骤。
此外,存储器1204可以由任何类型的易失性或非易失性存储设备或者它们的组合实现,易失性或非易失性存储设备包括但不限于:磁盘或光盘,电可擦除可编程只读存储器,可擦除可编程只读存储器,静态随时存取存储器,只读存储器,磁存储器,快闪存储器,可编程只读存储器。
在示例性实施例中,所述物联网设备包括处理器、存储器和收发器(该收发器可以包括接收器和发射器,接收器用于接收信息,发射器用于发送信息);
当所述物联网设备实现为配置设备时,
所述收发器,用于从云端设备获取所述服务端设备的令牌信息;
所述收发器,还用于向所述服务端设备发送所述令牌信息,所述令牌信息用于所述服务端设备与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
本申请实施例涉及的物联网设备实现为配置设备时,可以执行上述图2、图5或图7所示的用于连接建立的方法中,由配置设备执行的全部或者部分步骤,此处不再赘述。
当所述物联网设备实现为服务端设备时,
所述收发器,用于接收配置设备发送的,所述服务端设备的令牌信息;所述令牌信息所述配置设备从云端设备获取的;
所述收发器,还用于根据所述令牌信息与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
本申请实施例涉及的物联网设备实现为服务端设备时,可以执行上述图3、图5或图7所示的用于连接建立的方法中,由服务端设备执行的全部或者部分步骤,此处不再赘述。
当所述物联网设备实现为云端设备时,
所述收发器,用于向所述配置设备发送所述服务端设备的令牌信息;所述令牌信息由所述配置设备发送给所述服务端设备;
所述收发器,还用于根据所述令牌信息与所述服务端设备之间建立基于证书认证的安全会话建立 CASE连接。
本申请实施例涉及的物联网设备实现为云端设备时,可以执行上述图4、图5或图7所示的用于连接建立的方法中,由云端设备执行的全部或者部分步骤,此处不再赘述。
本申请实施例还提供了一种计算机可读存储介质,所述存储介质中存储有计算机程序,所述计算机程序由处理器加载并执行以实现上述图2、图3、图4、图5或者图7所示的用于连接建立的方法中,由配置设备、服务端设备或者云端设备执行的内部后者部分步骤。
本申请还提供了一种芯片,该芯片用于在物联网设备中运行,以使得物联网设备执行上述图2、图3、图4、图5或者图7所示的用于连接建立的方法中,由配置设备、服务端设备或者云端设备执行的内部后者部分步骤。
本申请还提供了一种计算机程序产品,该计算机程序产品或计算机程序包括计算机指令,该计算机指令存储在计算机可读存储介质中。物联网设备的处理器从计算机可读存储介质读取该计算机指令,处理器执行该计算机指令,使得物联网设备执行上述图2、图3、图4、图5或者图7所示的用于连接建立的方法中,由配置设备、服务端设备或者云端设备执行的内部后者部分步骤。
本申请还提供了一种计算机程序,该计算机程序由物联网设备的处理器执行,以实现上述图2、图3、图4、图5或者图7所示的用于连接建立的方法中,由配置设备、服务端设备或者云端设备执行的内部后者部分步骤。
本领域技术人员应该可以意识到,在上述一个或多个示例中,本申请实施例所描述的功能可以用硬件、软件、固件或它们的任意组合来实现。当使用软件实现时,可以将这些功能存储在计算机可读介质中或者作为计算机可读介质上的一个或多个指令或代码进行传输。计算机可读介质包括计算机存储介质和通信介质,其中通信介质包括便于从一个地方向另一个地方传送计算机程序的任何介质。存储介质可以是通用或专用计算机能够存取的任何可用介质。
以上所述仅为本申请的示例性实施例,并不用以限制本申请,凡在本申请的精神和原则之内,所作的任何修改、等同替换、改进等,均应包括在本申请的保护范围之内。
Claims (49)
- 一种用于连接建立的方法,其特征在于,所述方法由配置设备执行,所述方法包括:从云端设备获取所述服务端设备的令牌信息;向所述服务端设备发送所述令牌信息,所述令牌信息用于所述服务端设备与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
- 根据权利要求1所述的方法,其特征在于,从云端设备获取所述服务端设备的令牌信息,包括:向所述云端设备发送令牌获取请求,所述令牌获取请求中包括第一验证信息;获取所述云端设备对所述第一验证信息验证通过后发送的所述令牌信息。
- 根据权利要求2所述的方法,其特征在于,所述第一验证信息中包括所述配置设备的用户信息以及所述服务端设备的结构标识ID的中的至少一种。
- 根据权利要求3所述的方法,其特征在于,所述方法还包括:为所述服务端设备生成与所述云端设备的根证书相对应的所述结构ID。
- 根据权利要求4所述的方法,其特征在于,所述结构ID用于由所述云端设备获取验证结果,所述验证结果用于指示所述结构ID是否是根据所述的根证书生成的。
- 根据权利要求1至5任一所述的方法,其特征在于,所述令牌信息中包括设备令牌。
- 根据权利要求6所述的方法,其特征在于,所述令牌信息中还包括刷新令牌以及所述云端设备的地址中的至少一种;其中,所述刷新令牌用于对所述设备令牌进行刷新。
- 根据权利要求6或7所述的方法,其特征在于,所述令牌获取请求中还包括所述服务端设备的设备标识ID;所述设备ID是所述云端设备生成设备令牌和/或刷新令牌时所依据的信息。
- 根据权利要求1至8任一所述的方法,其特征在于,所述向所述服务端设备发送所述令牌信息,包括:向所述服务端设备发送包括所述令牌信息的写操作消息,所述写操作消息用于指示所述服务端设备将所述令牌信息写入所述服务端设备中的模型信息簇;所述模型信息簇用于存储与云端操作相关的信息。
- 根据权利要求9所述的方法,其特征在于,所述写操作消息用于指示所述服务端设备将所述令牌信息写入所述模型信息簇中的属性信息。
- 根据权利要求1至10任一所述的方法,其特征在于,所述方法还包括:在所述服务端设备和所述云端设备之间转发CASE连接建立消息。
- 根据权利要求11所述的方法,其特征在于,所述CASE连接建立消息包括第一连接建立消息SigmaR1、第二连接建立消息SigmaR2以及第三连接建立消息SigmaR3;所述在所述服务端设备和所述云端设备之间转发CASE连接建立消息,包括:接收所述服务端设备发送的第一连接建立请求,所述第一连接建立请求中包括所述SigmaR1,以及所述服务端设备的设备令牌;根据所述设备令牌,向所述云端设备发送所述SigmaR1;接收所述云端设备根据所述SigmaR1返回的所述SigmaR2;将所述SigmaR2发送给所述服务端设备;接收所述服务端设备根据所述SigmaR2发送的第二连接建立请求,所述第二连接建立请求中包括所述SigmaR3,以及所述服务端设备的设备令牌;根据所述设备令牌,向所述云端设备发送所述SigmaR3。
- 根据权利要求11或12所述的方法,其特征在于,所述在所述服务端设备和所述云端设备之间转发CASE连接建立消息之前,还包括:向所述云端设备发送开始配对请求;所述开始配对请求中包括所述服务端设备的设备ID;接收所述云端设备返回的开始配对响应,所述开始配对响应用于指示所述云端设备进入等待配对的状态;向服务端设备发送状态指示信息,所述状态指示信息用于指示所述云端设备进入等待配对的状态。
- 根据权利要求1至13任一所述的方法,其特征在于,所述从云端设备获取所述服务端设备的令牌信息,包括:在所述服务端设备与所述配置设备之间建立基于密钥认证的安全会话建立PASE连接、所述服务端设备认证成功、且互操作证书签名请求OpCSR操作成功之后,且在所述服务端设备完成配网之前,从云端设备获取所述服务端设备的令牌信息。
- 根据权利要求11至13任一所述的方法,其特征在于,所述在所述服务端设备和所述云端设备之间转发CASE连接建立消息,包括:在所述服务端设备与所述配置设备之间建立基于密钥认证的安全会话建立PASE连接、所述服务端设备认证成功、且互操作证书签名请求OpCSR操作成功之后,且在所述服务端设备完成配网之前,在所述服务端设备和所述云端设备之间转发CASE连接建立消息。
- 一种用于连接建立的方法,其特征在于,所述方法由服务端设备执行,所述方法包括:接收配置设备发送的,所述服务端设备的令牌信息;所述令牌信息是所述配置设备从云端设备获取的;根据所述令牌信息与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
- 根据权利要求16所述的方法,其特征在于,所述令牌信息中包括设备令牌。
- 根据权利要求17所述的方法,其特征在于,所述令牌信息中还包括刷新令牌以及所述云端设备的地址中的至少一种;其中,所述刷新令牌用于对所述设备令牌进行刷新。
- 根据权利要求16至18任一所述的方法,其特征在于,所述服务端设备中存在模型信息簇;所述模型信息簇用于存储与云端操作相关的信息。
- 根据权利要求19所述的方法,其特征在于,所述接收所述配置设备发送的,所述服务端设备的令牌信息,包括:接收所述配置设备发送的包括所述令牌信息的写操作消息;根据所述写操作消息,将所述令牌信息写入所述模型信息簇。
- 根据权利要求19或20所述的方法,其特征在于,所述根据所述写操作消息,将所述令牌信息写入所述模型信息簇,包括:根据所述写操作消息,将所述令牌信息写入所述模型信息簇中的属性信息。
- 根据权利要求16至21任一所述的方法,其特征在于,所述根据所述令牌信息与所述云端设备之间建立基于证书认证的安全会话建立CASE连接,包括:向所述云端设备发送第一连接建立请求,所述第一连接建立请求中包括第一连接建立消息SigmaR1,以及所述服务端设备的设备令牌;所述设备令牌用于所述云端设备对所述配置设备发送的连接建立请求进行验证;接收所述云端设备根据所述SigmaR1返回的第二连接建立消息SigmaR2;向所述云端设备发送第二连接建立请求,所述第二连接建立请求中包括第三连接建立消息SigmaR3,以及所述服务端设备的设备令牌;建立与所述云端设备之间的所述CASE连接。
- 根据权利要求22所述的方法,其特征在于,所述向所述云端设备发送第一连接建立请求之前,还包括:根据所述云端设备的地址,与所述云端设备之间建立传输控制协议TCP连接或者用户数据报文协议UDP连接。
- 根据权利要求16至21任一所述的方法,其特征在于,所述根据所述令牌信息与所述云端设备之间建立基于证书认证的安全会话建立CASE连接,包括:向所述配置设备发送第一连接建立请求;所述第一连接建立请求中包括第一连接建立消息SigmaR1,以及所述服务端设备的设备令牌;所述第一连接建立请求用于指示所述配置设备根据所述设备令牌向所述云端设备发送所述SigmaR1;接收所述配置设备发送的第二连接建立消息SigmaR2;所述SigmaR2由所述云端设备根据所述SigmaR1返回给所述配置设备;根据所述SigmaR2向所述配置设备发送第二连接建立请求;所述第二连接建立请求中包括第三连接建立消息SigmaR3,以及所述服务端设备的设备令牌;所述第二连接建立请求用于指示所述配置设备根据所述设备令牌向所述云端设备发送所述SigmaR3;所述SigmaR3用于指示所述云端设备建立与所述服务端设备之间的所述CASE连接;建立与所述云端设备之间的所述CASE连接。
- 根据权利要求24所述的方法,其特征在于,所述向所述配置设备发送第一连接建立请求之前,还包括:接收所述配置设备发送的状态指示信息,所述状态指示信息用于指示所述云端设备进入等待配对的状态。
- 根据权利要求16至25任一所述的方法,其特征在于,所述根据所述令牌信息与所述云端设备之间建立基于证书认证的安全会话建立CASE连接,包括:在所述服务端设备与所述配置设备之间建立基于密钥认证的安全会话建立PASE连接、所述服务端设备认证成功、且互操作证书签名请求OpCSR操作成功之后,且在所述服务端设备完成配网之前,根据所述令牌信息与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
- 根据权利要求16至26任一所述的方法,其特征在于,所述方法还包括:向所述云端设备发送资源上报请求,所述资源上报请求中包括所述服务端设备的资源信息以及所述设备令牌。
- 一种用于连接建立的方法,其特征在于,所述方法由云端设备执行,所述方法包括:向配置设备发送服务端设备的令牌信息;所述令牌信息由所述配置设备发送给所述服务端设备;根据所述令牌信息与所述服务端设备之间建立基于证书认证的安全会话建立CASE连接。
- 根据权利要求28所述的方法,其特征在于,所述向所述配置设备发送所述服务端设备的令牌信息,包括:接收所述配置设备发送的令牌获取请求,所述令牌获取请求中包括第一验证信息;根据所述第一验证信息进行验证;在根据所述第一验证信息验证通过后,向所述配置设备发送所述令牌信息。
- 根据权利要求29所述的方法,其特征在于,所述第一验证信息中包括所述配置设备的用户信息以及所述服务端设备的结构ID的中的至少一种;所述根据所述第一验证信息进行验证,包括:当所述第一验证信息中包括所述配置设备的用户信息时,验证所述用户信息是否合法;当所述第一验证信息中包括所述服务端设备的结构ID时,验证所述结构ID是否与所述云端设备的根证书匹配。
- 根据权利要求30所述的方法,其特征在于,所述当所述第一验证信息中包括所述服务端设备的结构ID时,验证所述结构ID是否与所述云端设备的根证书匹配,包括:当所述第一验证信息中包括所述服务端设备的结构ID时,基于所述结构ID获取验证结果,所述验证结果用于指示所述结构ID是否是根据所述根证书生成的。
- 根据权利要求28至31任一所述的方法,其特征在于,所述令牌信息中包括设备令牌。
- 根据权利要求32所述的方法,其特征在于,所述令牌信息中还包括刷新令牌以及所述云端设备的地址中的至少一种;其中,所述刷新令牌用于对所述设备令牌进行刷新。
- 根据权利要求32或33所述的方法,其特征在于,所述令牌获取请求中还包括所述服务端设备的设备ID;所述方法还包括:在根据所述第一验证信息验证通过后,根据所述设备ID生成设备令牌和/或刷新令牌。
- 根据权利要求28至34任一所述的方法,其特征在于,所述根据所述令牌信息与所述服务端设备之间建立基于证书认证的安全会话建立CASE连接,包括:接收所述服务端设备发送的第一连接建立请求,所述第一连接建立请求中包括第一连接建立消息SigmaR1,以及所述服务端设备的设备令牌;通过所述设备令牌对所述SigmaR1验证通过后,根据所述SigmaR1向所述服务端设备返回第二连接建立消息SigmaR2;接收所述服务端设备根据所述SigmaR2发送的第二连接建立请求,所述第二连接建立请求中包括第三连接建立消息SigmaR3,以及所述服务端设备的设备令牌;通过所述设备令牌对所述SigmaR3验证通过后,建立与所述服务端设备之间的所述CASE连接。
- 根据权利要求35所述的方法,其特征在于,所述接收所述服务端设备发送的第一连接建立请求之前,还包括:与所述服务端设备之间建立传输控制协议TCP连接或者用户数据报文协议UDP连接。
- 根据权利要求28至34任一所述的方法,其特征在于,所述根据所述令牌信息与所述服务端设备之间建立基于证书认证的安全会话建立CASE连接,包括:接收所述配置设备根据所述设备令牌发送的第一连接建立消息SigmaR1;所述SigmaR1和所述设备令牌携带在所述服务端设备发送给所述配置设备的第一连接建立请求中;根据所述SigmaR1向所述配置设备返回第二连接建立消息SigmaR2;接收所述配置设备根据所述设备令牌发送的第三连接建立消息SigmaR3;所述SigmaR3和所述设备令牌携带在所述服务端设备根据所述配置设备转发的所述SigmaR2发送给所述配置设备的第二连接建立请求中;建立与所述服务端设备之间的所述CASE连接。
- 根据权利要求37所述的方法,其特征在于,所述在接收所述配置设备根据所述设备令牌发送的第一连接建立消息SigmaR1之前,还包括:接收所述配置设备发送的开始配对请求;所述开始配对请求中包括所述服务端设备的设备ID;向所述配置设备发送开始配对响应,所述开始配对响应用于指示所述云端设备进入等待配对的状态。
- 根据权利要求28至38任一所述的方法,其特征在于,所述方法还包括:接收所述服务端设备通过CASE连接发送的资源上报请求,所述资源上报请求中包括所述服务端设备的资源信息以及所述设备令牌;在通过所述设备令牌对所述资源信息验证通过后,根据所述资源信息,在云端建立所述服务端设备的数字镜像。
- 一种用于连接建立的装置,其特征在于,所述装置用于配置设备中,所述装置包括:令牌获取模块,用于在与服务端设备建立连接后,从云端设备获取所述服务端设备的令牌信息;令牌发送模块,用于向所述服务端设备发送所述令牌信息,所述令牌信息用于所述服务端设备与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
- 一种用于连接建立的装置,其特征在于,所述装置用于服务端设备中,所述装置包括:令牌接收模块,用于接收配置设备发送的,所述服务端设备的令牌信息;所述令牌信息所述配置设备从云端设备获取的;连接建立模块,用于根据所述令牌信息与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
- 一种用于连接建立的装置,其特征在于,所述装置用于云端设备中,所述装置包括:令牌发送模块,用于向配置设备发送服务端设备的令牌信息;所述令牌信息由所述配置设备发送给所述服务端设备;连接建立模块,用于根据所述令牌信息与所述服务端设备之间建立基于证书认证的安全会话建立CASE连接。
- 一种物联网设备,其特征在于,所述物联网设备实现为配置设备,所述物联网设备包括处理器、存储器和收发器;所述收发器,用于在与服务端设备建立连接后,从云端设备获取所述服务端设备的令牌信息;所述收发器,还用于向所述服务端设备发送所述令牌信息,所述令牌信息用于所述服务端设备与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
- 一种物联网设备,其特征在于,所述物联网设备实现为服务端端设备,所述物联网设备包括处理器、存储器和收发器;所述收发器,用于接收配置设备发送的,所述服务端设备的令牌信息;所述令牌信息所述配置设备从云端设备获取的;所述收发器,还用于根据所述令牌信息与所述云端设备之间建立基于证书认证的安全会话建立CASE连接。
- 一种物联网设备,其特征在于,所述物联网设备实现为云端设备,所述物联网设备包括处理器、存储器和收发器;所述收发器,用于向配置设备发送服务端设备的令牌信息;所述令牌信息由所述配置设备发送给所述服务端设备;所述收发器,还用于根据所述令牌信息与所述服务端设备之间建立基于证书认证的安全会话建立CASE连接。
- 一种计算机可读存储介质,其特征在于,所述存储介质中存储有计算机程序,所述计算机程序用于被处理器执行,以实现如权利要求1至39任一项所述的用于连接建立的方法。
- 一种芯片,其特征在于,所述芯片用于在物联网设备中运行,以使得所述物联网设备执行如权利要求1至39任一项所述的用于连接建立的方法。
- 一种计算机程序产品,其特征在于,所述计算机程序产品包括计算机指令,所述计算机指令存储在计算机可读存储介质中;物联网设备的处理器从所述计算机可读存储介质读取所述计算机指令,并执行所述计算机指令,使得所述物联网设备执行如权利要求1至39任一项所述的用于连接建立的方法。
- 一种计算机程序,其特征在于,所述计算机程序由物联网设备的处理器执行,以实现如权利要求1至39任一项所述的用于连接建立的方法。
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2021/111908 WO2023015462A1 (zh) | 2021-08-10 | 2021-08-10 | 用于连接建立的方法、装置、设备及存储介质 |
CN202180101224.XA CN117859292A (zh) | 2021-08-10 | 2021-08-10 | 用于连接建立的方法、装置、设备及存储介质 |
US18/430,554 US20240179145A1 (en) | 2021-08-10 | 2024-02-01 | Method for connection establishment and internet of things (iot) device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2021/111908 WO2023015462A1 (zh) | 2021-08-10 | 2021-08-10 | 用于连接建立的方法、装置、设备及存储介质 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/430,554 Continuation US20240179145A1 (en) | 2021-08-10 | 2024-02-01 | Method for connection establishment and internet of things (iot) device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023015462A1 true WO2023015462A1 (zh) | 2023-02-16 |
Family
ID=85200392
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/111908 WO2023015462A1 (zh) | 2021-08-10 | 2021-08-10 | 用于连接建立的方法、装置、设备及存储介质 |
Country Status (3)
Country | Link |
---|---|
US (1) | US20240179145A1 (zh) |
CN (1) | CN117859292A (zh) |
WO (1) | WO2023015462A1 (zh) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106101147A (zh) * | 2016-08-12 | 2016-11-09 | 北京同余科技有限公司 | 一种实现智能设备与远程终端动态加密通讯的方法及系统 |
CN106130958A (zh) * | 2016-06-08 | 2016-11-16 | 美的集团股份有限公司 | 家电设备与终端的通讯系统及方法、家电设备、终端 |
CN107277061A (zh) * | 2017-08-08 | 2017-10-20 | 四川长虹电器股份有限公司 | 基于iot设备的端云安全通信方法 |
CN110022215A (zh) * | 2018-01-10 | 2019-07-16 | Abb瑞士股份有限公司 | 工业自动化设备和云服务 |
-
2021
- 2021-08-10 CN CN202180101224.XA patent/CN117859292A/zh active Pending
- 2021-08-10 WO PCT/CN2021/111908 patent/WO2023015462A1/zh active Application Filing
-
2024
- 2024-02-01 US US18/430,554 patent/US20240179145A1/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106130958A (zh) * | 2016-06-08 | 2016-11-16 | 美的集团股份有限公司 | 家电设备与终端的通讯系统及方法、家电设备、终端 |
CN106101147A (zh) * | 2016-08-12 | 2016-11-09 | 北京同余科技有限公司 | 一种实现智能设备与远程终端动态加密通讯的方法及系统 |
CN107277061A (zh) * | 2017-08-08 | 2017-10-20 | 四川长虹电器股份有限公司 | 基于iot设备的端云安全通信方法 |
CN110022215A (zh) * | 2018-01-10 | 2019-07-16 | Abb瑞士股份有限公司 | 工业自动化设备和云服务 |
Also Published As
Publication number | Publication date |
---|---|
US20240179145A1 (en) | 2024-05-30 |
CN117859292A (zh) | 2024-04-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN113746633B (zh) | 物联网设备绑定方法、装置、系统、云服务器和存储介质 | |
US11284258B1 (en) | Managing access of a computing device to a network | |
JP6494149B2 (ja) | 認可処理方法およびデバイス | |
US20190156040A1 (en) | Bootstrapping without transferring private key | |
US8543814B2 (en) | Method and apparatus for using generic authentication architecture procedures in personal computers | |
CN113347741B (zh) | 网关设备的上线方法及系统 | |
CN109344628B (zh) | 区块链网络中可信节点的管理方法,节点及存储介质 | |
US20130007867A1 (en) | Network Identity for Software-as-a-Service Authentication | |
KR20050064119A (ko) | 인터넷접속을 위한 확장인증프로토콜 인증시 단말에서의서버인증서 유효성 검증 방법 | |
WO2021062946A1 (zh) | 一种在线签发同根证书的方法、装置及系统 | |
CN115065703B (zh) | 物联网系统及其认证与通信方法、相关设备 | |
US20200274719A1 (en) | Generating trust for devices | |
US20240179142A1 (en) | Method and apparatus for account association, and computer device and storage medium | |
WO2023005525A1 (zh) | 设备控制权限的设置方法、装置、计算机设备和存储介质 | |
WO2022170821A1 (zh) | 业务证书管理方法、装置、系统及电子设备 | |
CN113612747B (zh) | 设备控制权限的设置方法、装置、计算机设备和存储介质 | |
TW202245442A (zh) | 一種通訊方法及裝置 | |
WO2023015462A1 (zh) | 用于连接建立的方法、装置、设备及存储介质 | |
US20230107045A1 (en) | Method and system for self-onboarding of iot devices | |
WO2022206247A1 (zh) | 一种证书查询方法及装置 | |
CN117643014A (zh) | 用于在连接到至少一个通信网络的装备和服务提供商的服务器之间的连接的认证建立的方法、以及相应的设备 | |
WO2022006825A1 (zh) | 物联网中的设备接入方法、装置、计算机设备及存储介质 | |
CN113169864A (zh) | 利用公共凭据数据进行引导 | |
TWI835351B (zh) | 跨網域之安全連線傳輸方法 | |
US20230155842A1 (en) | Method and apparatus for certifying an application-specific key and for requesting such certification |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 21953093 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 202180101224.X Country of ref document: CN |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 21953093 Country of ref document: EP Kind code of ref document: A1 |